[solved] IPV6 temporary addresses on a router? (NOT PE)

Ok, I went with no.1 out of simplicity, rebooted, now I see this:

net.ipv6.conf.6in4-he_1_nyc.use_tempaddr = -1
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.br-guest.use_tempaddr = 2
net.ipv6.conf.br-lan.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eth0.use_tempaddr = 0
net.ipv6.conf.eth0.101.use_tempaddr = 2
net.ipv6.conf.eth0.102.use_tempaddr = 2
net.ipv6.conf.eth1.use_tempaddr = 0
net.ipv6.conf.ifb0.use_tempaddr = 0
net.ipv6.conf.ifb1.use_tempaddr = 0
net.ipv6.conf.ifb4eth1.use_tempaddr = 2
net.ipv6.conf.lo.use_tempaddr = -1
net.ipv6.conf.pppoe-wan.use_tempaddr = 2
net.ipv6.conf.sit0.use_tempaddr = -1
net.ipv6.conf.tun0.use_tempaddr = -1
net.ipv6.conf.wlan0.use_tempaddr = 2
net.ipv6.conf.wlan0-1.use_tempaddr = 2
net.ipv6.conf.wlan1.use_tempaddr = 2
net.ipv6.conf.wlan1-1.use_tempaddr = 2

Looks ok to me, yet no temporary addresses anywhere, for example the lan interface looks like this:

19: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx:xxxx:xxxx:2::beef:cafe/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fdcf:xxxx:xxxx:2::beef:cafe/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::f2b0:14ff:fef6:8203/64 scope link
       valid_lft forever preferred_lft forever

What should I check next?

Make sure you use /etc/sysctl.*.
Using /etc/rc.local may result in a race condition.

Services startup order:

  • sysctl - /etc/sysctl.*
  • network
  • done - /etc/rc.local

Note that br-lan, pppoe-wan and 6in4-he_1_nyc do not exist until network startup.
So, you probably should change net.ipv6.conf.default.

1 Like
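One way to catch the ordering problem described in the reply above before rebooting, as an added example that is not from the thread or from OpenWrt: a POSIX shell check that reads a sysctl.conf-style file and flags every `net.ipv6.conf.<iface>.*` key. When `/etc/sysctl.*` is applied at boot the netifd-managed interfaces (br-lan, pppoe-wan, 6in4-*) do not exist yet, so those writes fail and the value is lost, whereas `net.ipv6.conf.default.*` is the template the kernel copies onto interfaces created later. The function names and the sample file content are my own.

```shell
#!/bin/sh
# Added example, not from the thread: flag sysctl keys that name a specific
# interface. At boot, /etc/sysctl.* is applied before netifd creates br-lan,
# pppoe-wan, 6in4-* and friends, so those keys fail and their values are lost.
# net.ipv6.conf.default.* is the template copied onto interfaces created
# later, which is where such settings belong.

# Return 0 if the key can be applied before the network comes up.
is_boot_safe_key() {
    case "$1" in
        net.ipv6.conf.default.*|net.ipv6.conf.all.*) return 0 ;;
        net.ipv6.conf.*) return 1 ;;   # names a specific interface
        *) return 0 ;;                 # not an IPv6 per-device key
    esac
}

# Read a sysctl.conf-style file on stdin (blank lines and comments ignored),
# print one advisory line per per-interface key, and return 1 if any was found.
check_sysctl_file() {
    found=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        # strip leading blanks and everything from the first '=' onwards
        key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//')
        if ! is_boot_safe_key "$key"; then
            found=1
            attr=${key##*.}
            printf 'per-interface key %s: use net.ipv6.conf.default.%s instead\n' "$key" "$attr"
        fi
    done
    return "$found"
}

# Demo on constructed file content resembling the one discussed in the thread.
check_sysctl_file <<'EOF' || echo "move the flagged keys to net.ipv6.conf.default.* in /etc/sysctl.d/"
# custom settings
net.ipv6.conf.br-lan.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.forwarding=1
EOF
```

Run it as `check_sysctl_file < /etc/sysctl.conf` (or against each file under `/etc/sysctl.d/`); a non-zero exit means at least one key will not survive a reboot the way it is written.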

I used /etc/sysctl.conf, as suggested in the comments in /etc/sysctl.d/10-default.conf
Moving them to a file under sysctl.d/ now and rebooting... nope, no changes.
Default is 2, by the way.

Try this way:

ifup wan6; sleep 10; ifstatus wan6

If that doesn't help, then netifd probably doesn't respect the setting.

wan6 in your example should be replaced by he_1_nyc which is my tunnel interface, right?
I am not using wan6, it is down and not autostarted anyway.

{
        "up": true,
        "pending": false,
        "available": true,
        "autostart": true,
        "dynamic": false,
        "uptime": 191,
        "l3_device": "6in4-he_1_nyc",
        "proto": "6in4",
        "updated": [
                "addresses",
                "routes",
                "prefixes"
        ],
        "metric": 0,
        "dns_metric": 0,
        "delegation": true,
        "ipv4-address": [

        ],
        "ipv6-address": [
                {
                        "address": "2001:470:xxxx:xxxx::2",
                        "mask": 64
                }
        ],
        "ipv6-prefix": [
                {
                        "address": "2001:470:xxxx::",
                        "mask": 48,
                        "class": "he_1_nyc",
                        "assigned": {
                                "lan": {
                                        "address": "2001:470:xxxx:2::",
                                        "mask": 64
                                },
                                "guest": {
                                        "address": "2001:470:xxxx:3::",
                                        "mask": 64
                                }
                        }
                }
        ],
        "ipv6-prefix-assignment": [

        ],
        "route": [
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::",
                        "source": "2001:470:xxxx::\/48"
                },
                {
                        "target": "::",
                        "mask": 0,
                        "nexthop": "::",
                        "source": "2001:470:xxxx:xxxx::2\/64"
                }
        ],
        "dns-server": [
                "2001:470:20::2",
                "2001:4860:4860::8888",
                "2001:4860:4860::8844"
        ],
        "dns-search": [

        ],
        "inactive": {
                "ipv4-address": [

                ],
                "ipv6-address": [

                ],
                "route": [

                ],
                "dns-server": [

                ],
                "dns-search": [

                ]
        },
        "data": {

        }
}

net.ipv6.conf.default.stable_secret=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

Generate a good random value:

head -c 16 /dev/urandom | hexdump -e '16/1 "%02x""\n"' | sed "s/..../:&/g; s/://"

Or if you have a hardware RNG:

head -c 16 /dev/hwrng | hexdump -e '16/1 "%02x""\n"' | sed "s/..../:&/g; s/://"

1 Like
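The secret generation from the reply above, carried a step further as an added example that is not from the thread or from OpenWrt: it generates the value, checks that it has the shape the kernel expects (an IPv6-address-shaped 128-bit value, here in the eight-groups-of-four-hex form the generator produces), fails cleanly when the entropy source cannot be read instead of emitting an empty secret, and renders the sysctl line unquoted. `od` is used in place of `hexdump` because it is POSIX; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: generate a stable_secret, verify it has
# the canonical form (eight groups of four lowercase hex digits, as the
# generator emits), and render the sysctl line without quotes. sysctl files
# take no shell-style quoting, so a quoted value would be handed to the
# kernel with the quote characters included and rejected.

# Turn 32 hex characters on stdin into xxxx:xxxx:...:xxxx (the thread's sed trick).
format_stable_secret() {
    sed 's/..../:&/g; s/://'
}

# Return 0 if $1 is a well-formed stable_secret value in canonical form.
is_stable_secret() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{4}:){7}[0-9a-f]{4}$'
}

# Read 16 bytes from the entropy source in $1 (default /dev/urandom) and print
# the formatted secret. Returns 1 if the source cannot be read, e.g. the I/O
# error a missing /dev/hwrng gives, instead of emitting an empty value.
gen_stable_secret() {
    src=${1:-/dev/urandom}
    secret=$(head -c 16 "$src" 2>/dev/null | od -An -tx1 | tr -d ' \n' | format_stable_secret)
    if ! is_stable_secret "$secret"; then
        echo "could not read 16 bytes from $src" >&2
        return 1
    fi
    printf '%s\n' "$secret"
}

# Render the line for /etc/sysctl.d/ (or /etc/sysctl.conf), unquoted, under
# the 'default' tree so interfaces created later by netifd inherit it.
stable_secret_sysctl_line() {
    is_stable_secret "$1" || return 1
    printf 'net.ipv6.conf.default.stable_secret=%s\n' "$1"
}

# Demo: print the line you would append to a sysctl file.
secret=$(gen_stable_secret) && stable_secret_sysctl_line "$secret"
```

Pass `/dev/hwrng` as the first argument to `gen_stable_secret` on a board that has one; on a board that does not, the function reports the failure on stderr and returns 1 rather than producing a line that the kernel would then refuse.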

I/O error :dizzy_face:

I/O error :dizzy_face:

This one worked, setting net.ipv6.conf.default.stable_secret with this value and rebooting... nope...
Just like before, only the tun interface has a secret.

:man_facepalming:

  • You add it as a line in /etc/sysctl.conf, then reboot

You replace the xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx string with the value produced by running the head command syntax. Since you don't have a hardware-based Random Number Generator, use the urandom command I posted.

1 Like

@lleachii this is my sysctl.conf:

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.default.stable_secret = "whatcamefromurandom"

After rebooting, sysctl says:

sysctl: error reading key 'net.edma.default_group3_vlan_tag': Operation not permitted
sysctl: error reading key 'net.edma.default_group4_vlan_tag': Operation not permitted
sysctl: error reading key 'net.edma.default_group5_vlan_tag': Operation not permitted
sysctl: error reading key 'net.ipv6.conf.6in4-he_1_nyc.stable_secret': I/O error
net.ipv6.conf.6in4-he_1_nyc.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.all.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.br-guest.stable_secret': I/O error
net.ipv6.conf.br-guest.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.br-lan.stable_secret': I/O error
net.ipv6.conf.br-lan.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.default.stable_secret': I/O error
net.ipv6.conf.default.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.eth0.101.stable_secret': I/O error
net.ipv6.conf.eth0.101.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth0.102.stable_secret': I/O error
net.ipv6.conf.eth0.102.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
net.ipv6.conf.eth1.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb0.stable_secret': I/O error
net.ipv6.conf.ifb0.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb1.stable_secret': I/O error
net.ipv6.conf.ifb1.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb4eth1.stable_secret': I/O error
net.ipv6.conf.ifb4eth1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.lo.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.pppoe-wan.stable_secret': I/O error
net.ipv6.conf.pppoe-wan.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.sit0.stable_secret': I/O error
net.ipv6.conf.sit0.use_tempaddr = -1
net.ipv6.conf.tun0.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.wlan0.stable_secret': I/O error
net.ipv6.conf.wlan0.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan0-1.stable_secret': I/O error
net.ipv6.conf.wlan0-1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan1.stable_secret': I/O error
net.ipv6.conf.wlan1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan1-1.stable_secret': I/O error
net.ipv6.conf.wlan1-1.use_tempaddr = 2

Something fishy is going on here, I'd say.

I would say so. You didn't use quotes, did you?

Remove.

Aside from those 3 lines, it isn't completely empty, is it?

The tunnel broker uses a 6in4-tunnel interface.
I'm not sure it supports all the native IPv6 features.
It even requires you to configure it statically.

I assigned the string about a year ago based on this thread: Cascading routers, dhcpv6 and unwanted EUI64 w/SLAAC on wan6 - #39 by Frood42

I just set this up on my router, it's working on mine. My LAN has a privacy IPv6 address with a prefix from the HE tunnel.

This won't work on the tunnel, it has an assigned IP, you do this on the downstream interfaces (i.e. LAN, Guest, etc.).

2 Likes

Does this apply to your LAN interface or the tunnel interface?
I mean, it likely works for the former, but not the latter.

1 Like

I did use them, when I tried the command live it complained without the quotes.
Trying again without.

Hold on, I added them precisely to enable PE as discussed with @silentcreek
Still, commenting them out...

/etc/sysctl.conf only had those 3 lines; the defaults live in files under /etc/sysctl.d/
/etc/sysctl.d/10-default.conf:

# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings

kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2

fs.protected_hardlinks=1
fs.protected_symlinks=1

net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1

net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

/etc/sysctl.d/11-nf-conntrack.conf:

# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings

net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180

Rebooted, still have the I/O errors, still no PE addresses BUT... the secret is now set!
Re-adding the "2" mode, rebooting... nope ;(

Ok, now I have to do a language test for school, then I'll read the thread @lleachii posted and get back here.

LAN and Guest networks. As you noted, the tunnel has an IP assigned from HE.

It appears my IPV6 DNS requests now use a privacy address on every interface with a random suffix applied (haven't tested disabling binding to the HE tunnel IP).

Setting a string enables them. You enabled temporary addresses.

You will have I/O errors in the log for any interface that doesn't have IPv6 enabled. Not sure how you know a secret is set if you don't have an IP.

Did you set on your interface:

	option ip6assign '64'
	option ip6ifaceid 'random'
	option ip6class '<henet_interface_name> local'

  • Do you have a /48 issued from HE?
1 Like

Yeah I am having a hard time understanding the problem, this works?

In addition every restart of the interface brings it something different. I am sure you could get proper privacy extensions working but likely at a loss of network stability if a device happens to miss an RA. In a perfect world it would be marked as deprecated and continue accepting the traffic, but as it's forwarding I struggle to understand the benefit to it as it won't show anywhere upstream anyways?

Hold on, now I'm lost: I understood temporary addresses were the actual result of enabling PE.
In fact, on my raspi all I had to do to get them was setting tempaddr to 2 and reboot: I just checked and I have no stable_secret key there, yet temporary addresses exist and are correctly used.

Oh, I checked the output of "sysctl -a" after rebooting:

net.ipv6.conf.6in4-he_1_nyc.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.br-guest.stable_secret = xxxx
net.ipv6.conf.br-lan.stable_secret = xxxx
net.ipv6.conf.default.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.101.stable_secret = xxxx
net.ipv6.conf.eth0.102.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.ifb0.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.ifb1.stable_secret': I/O error
net.ipv6.conf.ifb4eth1.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.pppoe-wan.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.sit0.stable_secret': I/O error
net.ipv6.conf.tun0.stable_secret = xxxx
net.ipv6.conf.wlan0.stable_secret = xxxx
net.ipv6.conf.wlan0-1.stable_secret = xxxx
net.ipv6.conf.wlan1.stable_secret = xxxx
net.ipv6.conf.wlan1-1.stable_secret = xxxx
net.ipv6.ip6frag_secret_interval = 0

Yes for both br-lan and br-guest.

Nope, I used a specific value as suggested earlier

Nope, if I do that I get no IPV6 addresses at all. That's still an open issue for me.

Yes, according to he.net control panel and ifstatus.
I have 3 different /64 assigned to lan, guest and vpn interfaces.

If you entered a value in ip6ifaceid, then it's impossible that it would use the random secret, agreed?

Change to random.

"Temporary" and "private" IPv6 addresses are actually 2 separate concepts. You can have privacy IPs without enabling temporary ones. See: https://en.wikipedia.org/wiki/IPv6_address#Temporary_addresses

The link you provided is wrong if you're editing the file manually (and not using UCI):

# add under /etc/config/network in your interface config
option ip6class 'he_1_nyc local'

Are you sure your interface name is he_1_nyc?

I could agree but it would be almost meaningless: I'm not sure I fully appreciate the difference.
Anyhow, I did it and now I get a random address which looks just as random as a temporary address, to me.

The source of my confusion is perhaps NetworkManager... Come to think of it, @silentcreek also wrote something similar in the referenced post.

I must have misunderstood this: I conflated PE and temporary addresses. Let me try to put it in my own words and see if I get it right: PE is a way to produce a predictable address that gives away no information about the MAC yet is stable within a prefix. Pass?

Then the documentation is also wrong: the table says "list of strings" and the config sample uses "list" instead of "option" for ip6class. I changed the config, restarted the interface and now I get addresses from both ULA and he.net prefixes, with my chosen suffix.
Using just one of the names also works as expected.

Yes, it is what I use for ifup / ifdown.

Up to now,

  • I've found out that I wanted temporary addresses and learnt instead how to enable PE (changed title of post)
  • I still have no clue why I can't get temporary addresses :frowning: for the he.net prefix (for the ULA one it is pointless, of course)