[solved] IPV6 temporary addresses on a router? (NOT PE)

Continuing the discussion from [IPv6] Two Global and ULA addresses for each SLAAC client?:

There is one exception here: If the system has IP forwarding enabled, Privacy Extensions are disabled even if the value is 1. To override this, you need to set it to 2.

Does it make sense to enable PE on a router? I mean, sure, there IS some traffic originating from it for things like "opkg update" but almost everybody expects the router to be at ::1 so not much point in hiding it anyway, right?

You don't have to use ::1 as IPv6 suffix on a router. You can use any suffix you like.

Hmmm, you have a point, I'll have to explore this a bit further.
Keyword ip6ifaceid ?

Indeed, something like:

option ip6ifaceid '::beef:cafe'

1 Like

Well, it obviously depends on your setup and frankly your personal stance on privacy.

First off, most people run a DNS resolver on their router. So, likely you will have some amount of regular traffic originating from the router. Now, it's up to you if you want that traffic to come from the same address all the time or from temporary addresses. Your mileage may vary depending on whether you use a stub resolver or a recursive resolver, or which upstream servers you use (in a stub setup).

In addition, it may be more interesting to enable Privacy Extension if you have some kind of proxy running on your router that handles traffic from multiple clients. Then you may have much more traffic coming (or seeming to come) from your router and you may prefer it not coming from the same source address all the time.

2 Likes

One more thing, your assumption the router has ::1 as a suffix is not always true, at least not externally. So far, I have experience with two providers offering IPv6. In both cases I get a prefix for my downstream devices using DHCPv6 PD (IA_PD). From that, the router derives addresses for its internal interfaces (e.g. LAN) which may use ::1 as the suffix. But for its external address the router requests a normal DHCPv6 lease (IA_NA). The address that gets configured is using a static suffix which is not ::1. So, from the web, the router looked like any other client.
With the second provider, the process is slightly different. While the prefix for downstream clients is obtained in the same manner, the router gets its own external address through SLAAC. If you use the kernel's SLAAC mechanism, you end up with a suffix derived from the router's MAC address. But you can use software clients for SLAAC that let you configure a suffix of your choice, such as ::1.

2 Likes

Yes, externally is altogether another story, that's ok.
Internally, I have just added the custom suffix and it works.

When it comes to enabling PE, which way is better?

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

net.ipv6.conf.<IF1>.use_tempaddr = 2
net.ipv6.conf.<IF2>.use_tempaddr = 2
net.ipv6.conf.<IF3>.use_tempaddr = 2
...

If you want to enable it only on one (e.g. the external) interface, approach 2 is better. If you want to enable it for all interfaces, go with approach 1.

1 Like

Ok, I went with no.1 out of simplicity, rebooted, now I see this:

net.ipv6.conf.6in4-he_1_nyc.use_tempaddr = -1
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.br-guest.use_tempaddr = 2
net.ipv6.conf.br-lan.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eth0.use_tempaddr = 0
net.ipv6.conf.eth0.101.use_tempaddr = 2
net.ipv6.conf.eth0.102.use_tempaddr = 2
net.ipv6.conf.eth1.use_tempaddr = 0
net.ipv6.conf.ifb0.use_tempaddr = 0
net.ipv6.conf.ifb1.use_tempaddr = 0
net.ipv6.conf.ifb4eth1.use_tempaddr = 2
net.ipv6.conf.lo.use_tempaddr = -1
net.ipv6.conf.pppoe-wan.use_tempaddr = 2
net.ipv6.conf.sit0.use_tempaddr = -1
net.ipv6.conf.tun0.use_tempaddr = -1
net.ipv6.conf.wlan0.use_tempaddr = 2
net.ipv6.conf.wlan0-1.use_tempaddr = 2
net.ipv6.conf.wlan1.use_tempaddr = 2
net.ipv6.conf.wlan1-1.use_tempaddr = 2

Looks ok to me, yet no temporary addresses anywhere, for example the lan interface looks like this:

19: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx:xxxx:xxxx:2::beef:cafe/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fdcf:xxxx:xxxx:2::beef:cafe/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::f2b0:14ff:fef6:8203/64 scope link
       valid_lft forever preferred_lft forever

What should I check next?

Make sure you use /etc/sysctl.*.
Using /etc/rc.local may result in a race condition.

Services startup order:

  • sysctl - /etc/sysctl.*
  • network
  • done - /etc/rc.local

Note, that br-lan, pppoe-wan and 6in4-he_1_nyc do not exist until network startup.
So, you probably should change net.ipv6.conf.default.

1 Like

I used /etc/sysctl.conf, as suggested in the comments in /etc/sysctl.d/10-default.conf
Moving them to a file under sysctl.d/ now and rebooting... nope, no changes.
Default is 2, by the way.

Try this way:

ifup wan6; sleep 10; ifstatus wan6

If that doesn't help, then netifd probably doesn't respect the setting.

wan6 in your example should be replaced by he_1_nyc which is my tunnel interface, right?
I am not using wan6, it is down and not autostarted anyway.

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 191,
        "l3_device": "6in4-he_1_nyc",
        "proto": "6in4",
        "updated": [
                "addresses",
                "routes",
                "prefixes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2001:470:xxxx:xxxx::2",
                        "mask": 64
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2001:470:xxxx::",
                        "mask": 48,
                        "class": "he_1_nyc",
                        "assigned": {
                                "lan": {
                                        "address": "2001:470:xxxx:2::",
                                        "mask": 64
                                },
                                "guest": {
                                        "address": "2001:470:xxxx:3::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::",
                        "source": "2001:470:xxxx::\/48"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::",
                        "source": "2001:470:xxxx:xxxx::2\/64"
                }
        ],
        "dns-server": [
                "2001:470:20::2",
                "2001:4860:4860::8888",
                "2001:4860:4860::8844"
        ],
        "dns-search": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {

        }
}

net.ipv6.conf.default.stable_secret=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

Generate a good random value:

head -c 16 /dev/urandom | hexdump -e '16/1 "%02x""\n"' | sed "s/..../:&/g; s/://"

Or if you have a hardware RNG:

head -c 16 /dev/hwrng | hexdump -e '16/1 "%02x""\n"' | sed "s/..../:&/g; s/://"

1 Like

I/O error :dizzy_face:

This one worked, setting net.ipv6.conf.default.stable_secret with this value and rebooting... nope...
Just like before, only the tun interface has a secret.

:man_facepalming:

  • You add it as a line in /etc/sysctl.conf, then reboot

You replace the xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx string with the value produced by running the head command syntax. Since you don't have a hardware-based Random Number Generator, use the urandom command I posted.

1 Like

@lleachii this is my sysctl.conf:

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.default.stable_secret = "whatcamefromurandom"

After rebooting, sysctl says:

sysctl: error reading key 'net.edma.default_group3_vlan_tag': Operation not permitted
sysctl: error reading key 'net.edma.default_group4_vlan_tag': Operation not permitted
sysctl: error reading key 'net.edma.default_group5_vlan_tag': Operation not permitted
sysctl: error reading key 'net.ipv6.conf.6in4-he_1_nyc.stable_secret': I/O error
net.ipv6.conf.6in4-he_1_nyc.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.all.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.br-guest.stable_secret': I/O error
net.ipv6.conf.br-guest.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.br-lan.stable_secret': I/O error
net.ipv6.conf.br-lan.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.default.stable_secret': I/O error
net.ipv6.conf.default.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.eth0.101.stable_secret': I/O error
net.ipv6.conf.eth0.101.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth0.102.stable_secret': I/O error
net.ipv6.conf.eth0.102.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
net.ipv6.conf.eth1.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb0.stable_secret': I/O error
net.ipv6.conf.ifb0.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb1.stable_secret': I/O error
net.ipv6.conf.ifb1.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb4eth1.stable_secret': I/O error
net.ipv6.conf.ifb4eth1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.lo.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.pppoe-wan.stable_secret': I/O error
net.ipv6.conf.pppoe-wan.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.sit0.stable_secret': I/O error
net.ipv6.conf.sit0.use_tempaddr = -1
net.ipv6.conf.tun0.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.wlan0.stable_secret': I/O error
net.ipv6.conf.wlan0.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan0-1.stable_secret': I/O error
net.ipv6.conf.wlan0-1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan1.stable_secret': I/O error
net.ipv6.conf.wlan1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan1-1.stable_secret': I/O error
net.ipv6.conf.wlan1-1.use_tempaddr = 2

Something fishy is going on here, I'd say.

I would say so. You didn't use quotes, did you?

Remove.
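To tie the secret-generation commands posted above together with the quoting problem just identified, here is an added shell example of my own. It is not code from any post in this thread or from OpenWrt; it assumes a POSIX sh with `head`, `od`, `sed` and `grep -E` (so it uses `od` where the thread used `hexdump`). It reads 16 bytes from /dev/hwrng and falls back to /dev/urandom when the hardware RNG is missing or returns an I/O error, formats the value as the eight colon-separated groups the kernel expects, validates that shape, and prints the sysctl line without quotes. The function and variable names are mine, not a sysctl or OpenWrt API.

```shell
#!/bin/sh
# Added example (not from the thread): build a stable_secret for
# net.ipv6.conf.<name>.stable_secret and emit it as an unquoted sysctl line.

# Return 32 lowercase hex characters (16 random bytes) from the first source
# that actually delivers data. /dev/hwrng may exist as a device node and still
# fail with "I/O error" when no hardware RNG is present, so the byte count is
# checked rather than the exit status of head alone.
random_16_bytes_hex() {
    for src in /dev/hwrng /dev/urandom; do
        if hex=$(head -c 16 "$src" 2>/dev/null | od -An -v -tx1 | tr -d ' \n') \
           && [ "${#hex}" -eq 32 ]; then
            printf '%s\n' "$hex"
            return 0
        fi
    done
    return 1
}

# Insert a colon before every 4-character group, then drop the leading one
# (the same sed idiom used in the thread).
hex_to_secret() {
    printf '%s\n' "$1" | sed 's/..../:&/g; s/://'
}

# The kernel parses stable_secret as an IPv6 address: exactly 8 groups of
# 4 hex digits separated by ':'. Anything else, including a value wrapped in
# quote characters, is rejected on write, and an unset secret reads back as
# "I/O error", which is what the sysctl output above shows.
is_valid_secret() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{4}:){7}[0-9a-f]{4}$'
}

# Emit "net.ipv6.conf.<name>.stable_secret = <secret>" with no quotes.
# $1 is the conf name (default or a per-interface name); the kernel refuses
# writes to net.ipv6.conf.all.stable_secret, so use default or an interface.
sysctl_line() {
    is_valid_secret "$2" || return 1
    printf 'net.ipv6.conf.%s.stable_secret = %s\n' "$1" "$2"
}

# Convenience wrapper: fresh secret in the final xxxx:...:xxxx form.
generate_secret() {
    hex=$(random_16_bytes_hex) || return 1
    hex_to_secret "$hex"
}
```

A typical use is `sysctl_line default "$(generate_secret)" > /etc/sysctl.d/20-stable-secret.conf` (file name chosen here as an illustration), which keeps the value in /etc/sysctl.* rather than /etc/rc.local, as advised earlier in the thread, and guarantees the quotes that broke the OP's /etc/sysctl.conf never make it into the file. Re-running `is_valid_secret` against the line in an existing sysctl file is a quick way to spot the quoted-value mistake before rebooting.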

Aside from those 3 lines, it isn't completely empty, is it?

The tunnel broker uses a 6in4-tunnel interface.
I'm not sure it supports all the native IPv6 features.
It even requires you to configure it statically.

I assigned the string about a year ago based on this thread: Cascading routers, dhcpv6 and unwanted EUI64 w/SLAAC on wan6

I just set this up on my router, it's working on mine. My LAN has a privacy IPv6 address with a prefix from the HE tunnel.

This won't work on the tunnel, it has an assigned IP, you do this on the downstream interfaces (i.e. LAN, Guest, etc.).

2 Likes