I/O error 
I/O error
This one worked, setting net.ipv6.conf.default.stable_secret with this value and rebooting... nope...
Just like before, only the tun interface has a secret.
- You add it as a line in
/etc/sysctl.confthen rebooting
You replace the xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx string with the value produced by running the head command syntax. Since you don't have a hardware-based Random Number Generator, use the the urandom command I posted.
1 Like
@lleachii this is my sysctl.conf:
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.default.stable_secret = "whatcamefromurandom"
After rebooting, sysctl says:
sysctl: error reading key 'net.edma.default_group3_vlan_tag': Operation not permitted
sysctl: error reading key 'net.edma.default_group4_vlan_tag': Operation not permitted
sysctl: error reading key 'net.edma.default_group5_vlan_tag': Operation not permitted
sysctl: error reading key 'net.ipv6.conf.6in4-he_1_nyc.stable_secret': I/O error
net.ipv6.conf.6in4-he_1_nyc.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.all.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.br-guest.stable_secret': I/O error
net.ipv6.conf.br-guest.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.br-lan.stable_secret': I/O error
net.ipv6.conf.br-lan.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.default.stable_secret': I/O error
net.ipv6.conf.default.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.eth0.101.stable_secret': I/O error
net.ipv6.conf.eth0.101.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth0.102.stable_secret': I/O error
net.ipv6.conf.eth0.102.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
net.ipv6.conf.eth1.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb0.stable_secret': I/O error
net.ipv6.conf.ifb0.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb1.stable_secret': I/O error
net.ipv6.conf.ifb1.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb4eth1.stable_secret': I/O error
net.ipv6.conf.ifb4eth1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.lo.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.pppoe-wan.stable_secret': I/O error
net.ipv6.conf.pppoe-wan.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.sit0.stable_secret': I/O error
net.ipv6.conf.sit0.use_tempaddr = -1
net.ipv6.conf.tun0.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.wlan0.stable_secret': I/O error
net.ipv6.conf.wlan0.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan0-1.stable_secret': I/O error
net.ipv6.conf.wlan0-1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan1.stable_secret': I/O error
net.ipv6.conf.wlan1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan1-1.stable_secret': I/O error
net.ipv6.conf.wlan1-1.use_tempaddr = 2
Something fishy is going on here, I'd say.
I would say so. You didn't use quotes, did you?
Remove.
Aside from those 3 lines, it isn't completely empty, is it?
The tunnel broker uses a 6in4-tunnel interface.
I'm not sure it supports all the native IPv6 features.
It even requires you to configure it statically.
I assigned the string about a year ago based on this thread: Cascading routers, dhcpv6 and unwanted EUI64 w/SLAAC on wan6
I just set this up on my router, it's working on mine. My LAN has a privacy IPv6 address with a prefix from the HE tunnel.
This won't work on the tunnel, it has an assigned IP, you do this on the downstream interfaces (i.e. LAN, Guest, etc.).
2 Likes
Does this apply to your LAN interface or the tunnel interface?
I mean, it likely works for the former, but not the latter.
1 Like
I did use them, when I tried the command live it complained without the quotes.
Trying again without.
Hold on, I added them precisely to enable PE as discussed with @silentcreek
Still, commenting them out...
/etc/sysctl.conf only had those 3 lines, the defaults live in files under /etc/sysctl.d/
/etc/sysctl.d/10-default.conf
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2
fs.protected_hardlinks=1
fs.protected_symlinks=1
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
/etc/sysctl.d/11-nf-conntrack.conf:
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180
Rebooted, still have the I/O errors, still no PE addresses BUT... the secret is now set!
Readding the "2" mode, rebooting... nope ;(
Ok, now I have to do a language test for school, then I'll read the thread @lleachii posted and get back here.
LAN and Guest networks. As you noted, the tunnel has an IP assigned from HE.
It appears my IPV6 DNS requests now use a privacy address on every interface with a random suffix applied (haven't tested disabling binding to the HE tunnel IP).
Setting a string enables them. You enabled temporary addresses.
You will have I/O errors in the log for any interfaces that doesn't have IPv6 enabled. Not sure how you know a secret is set if you don't have an IP.
Did you set on your interface:
option ip6assign '64'
option ip6ifaceid 'random'
option ip6class '<henet_interface_name> local'
- Do you have a /48 issued from HE?
1 Like
In addition every restart of the interface brings it something different. I am sure you could get proper privacy extensions working but likely at a loss of network stability if a device happens to miss an RA. In a perfect world it would be marked as depreciated and continue accepting the traffic, but as its forwarding I struggle to understand the benefit to it as it won't show anywhere upstream anyways?
Hold on, now I'm lost: I understood temporary addresses were the actual result of enabling PE.
In fact, on my raspi all I had to do to get them was setting tempaddr to 2 and reboot: I just checked and I have no stable_secret key there, yet temporary addresses exist and are correctly used.
Oh, I check the output of "sysctl -a" after rebooting:
net.ipv6.conf.6in4-he_1_nyc.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.br-guest.stable_secret = xxxx
net.ipv6.conf.br-lan.stable_secret = xxxx
net.ipv6.conf.default.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.101.stable_secret = xxxx
net.ipv6.conf.eth0.102.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.ifb0.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.ifb1.stable_secret': I/O error
net.ipv6.conf.ifb4eth1.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.pppoe-wan.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.sit0.stable_secret': I/O error
net.ipv6.conf.tun0.stable_secret = xxxx
net.ipv6.conf.wlan0.stable_secret = xxxx
net.ipv6.conf.wlan0-1.stable_secret = xxxx
net.ipv6.conf.wlan1.stable_secret = xxxx
net.ipv6.conf.wlan1-1.stable_secret = xxxx
net.ipv6.ip6frag_secret_interval = 0
Yes for both br-lan and br-guest.
Nope, I used a specific value as suggested earlier
Nope, if I do that I get no IPV6 addresses at all. That's still an open issue for me.
Yes, according to he.net control panel and ifstatus.
I have 3 different /64 assigned to lan, guest and vpn interfaces.
If you entered a value in ip6ifaceid, then it's impossible that it would would use the random secret, agreed?
Change to random.
"Temporary" and "private" IPv6 addresses are actually 2 separate concepts. You can have a privacy IPs without enabling temporary ones. See: https://en.wikipedia.org/wiki/IPv6_address#Temporary_addresses
The link you provided is wrong if you're editing the file manually (and not using UCI):
# add under /etc/config/network in your interface config
option ip6class 'he_1_nyc local'
Are you sure your interface name is he_1_nyc?
I could agree but it would be almost meaningless: I'm not sure I fully appreciate the difference.
Anyhow, I did it and now I get a random address which looks just as random as a temporary address, to me.
The source of my confusion is perhaps NetworkManager... Come to think of it, also @silentcreek wrote something similar in the referenced post
I must have misunderstood this: I conflated PE and temporary addresses. Let me try to put it in my own words and see if I get it right: PE is a way to produce a predictable address that gives away no information about the MAC yet is stable within a prefix. Pass?
Then the documentation is also wrong: the table says "list of strings" and the config sample uses "list" instead of "option" for ip6class. I changed the config, restarted the interface and now I get addresses from both ULA and he.net prefixes, with my chosen suffix.
Using just one of the names also works as expected.
Yes, it is what I use for ifup / ifdown.
Up to now,
- I've found out that I wanted temporary addresses and learnt instead how to enable PE (changed title of post)
- I still have no clue why I can't get temporary addresses
for the he.net prefix (for the ULA one it is pointless, of course)
http://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch06s05.html
It seems that you did so correctly, I simply provided instructions for Privacy. If you so desire, just enable it. The result should be 1-2 rotating IPs in addition to the one that doesn't change. I've nevr tried on a router because you can miss and RA (as @SeSe1 noted - albeit he misidentified as privacy-only, instead as temporary).
Temporary addresses rotate during uptime, a privacy IP alone is per boot.
- Because it's a Layer 3 tunnel, it doesn't even need an address.
- Because HE assigned an IP to your side
Ah-ha, so it might actually be a bad idea altogether? Wonderful 
I'll rephrase: I still have no clue why I can't get a temporary address on lan and guest for addresses derived from the he.net/64 assigned to each interface. I know the tunnel is fixed, I wasn't talking about that.
OK, I added to the bottom of my sysctrl.conf:
net.ipv6.conf.default.stable_secret=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2
After rebooting, I see no "temporary" IPs - only the privacy extension-based IP. I find it very hard to believe a router could rotate its IP safely anyways.
1 Like
Point taken.
Couple of final (?) questions:
-
@jow could you please verify my finding regarding the documentation of ipclass?
(EDIT: nevermind...) - @lleachii with your PE-setup, do you deal with cases where you need to reference the router lan IPV6 in a config?
PEs from my experience don't have a LAN.
For CEs (or any device with a Public IPv6 address), you can assign/bind any address you desire to the interface. So yes, I have.
- I've handed out the DNS server IP of the assigned LAN IPv6 address (not the default link local). I had that config for years until configuring the above to test in this thread. When I enabled privacy extensions in the past, I had to assign an IP due to the link local rotating. I did it to explicitly state the IP in firewall configs. I edited it to a 53/udp accept input from zone x
- I've assigned an IPv6 address so the one issued by HE wasn't used in an AAAA record. You can assign the IP to any interface with proper firewall rules/route/prefix
If you need to reference the LAN IP in a config, you'll have to assign it.
1 Like
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.