I/O error
I/O error
This one worked, setting net.ipv6.conf.default.stable_secret with this value and rebooting... nope...
Just like before, only the tun interface has a secret.
/etc/sysctl.conf, then rebooting. You replace the xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx string with the value produced by running the head command syntax. Since you don't have a hardware-based Random Number Generator, use the urandom command I posted.
@lleachii this is my sysctl.conf:
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.default.stable_secret = "whatcamefromurandom"
After rebooting, sysctl says:
sysctl: error reading key 'net.edma.default_group3_vlan_tag': Operation not permitted
sysctl: error reading key 'net.edma.default_group4_vlan_tag': Operation not permitted
sysctl: error reading key 'net.edma.default_group5_vlan_tag': Operation not permitted
sysctl: error reading key 'net.ipv6.conf.6in4-he_1_nyc.stable_secret': I/O error
net.ipv6.conf.6in4-he_1_nyc.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.all.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.br-guest.stable_secret': I/O error
net.ipv6.conf.br-guest.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.br-lan.stable_secret': I/O error
net.ipv6.conf.br-lan.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.default.stable_secret': I/O error
net.ipv6.conf.default.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.eth0.101.stable_secret': I/O error
net.ipv6.conf.eth0.101.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth0.102.stable_secret': I/O error
net.ipv6.conf.eth0.102.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
net.ipv6.conf.eth1.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb0.stable_secret': I/O error
net.ipv6.conf.ifb0.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb1.stable_secret': I/O error
net.ipv6.conf.ifb1.use_tempaddr = 0
sysctl: error reading key 'net.ipv6.conf.ifb4eth1.stable_secret': I/O error
net.ipv6.conf.ifb4eth1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.lo.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.pppoe-wan.stable_secret': I/O error
net.ipv6.conf.pppoe-wan.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.sit0.stable_secret': I/O error
net.ipv6.conf.sit0.use_tempaddr = -1
net.ipv6.conf.tun0.use_tempaddr = -1
sysctl: error reading key 'net.ipv6.conf.wlan0.stable_secret': I/O error
net.ipv6.conf.wlan0.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan0-1.stable_secret': I/O error
net.ipv6.conf.wlan0-1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan1.stable_secret': I/O error
net.ipv6.conf.wlan1.use_tempaddr = 2
sysctl: error reading key 'net.ipv6.conf.wlan1-1.stable_secret': I/O error
net.ipv6.conf.wlan1-1.use_tempaddr = 2
Something fishy is going on here, I'd say.
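An added example, not code from any poster in this thread, that does what the earlier post describes (a secret built from /dev/urandom in the IPv6-address-like shape the kernel expects) and then sorts the "I/O error" lines in the sysctl output above into interfaces with and without a secret. It assumes a POSIX sh with head, od, tr, sed and grep (busybox is enough); the sample output and the secret value in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a POSIX sh with
# head, od, tr, sed and grep, as found in busybox on OpenWrt.

# Emit 128 bits from /dev/urandom as eight 16-bit hex groups, the
# IPv6-address-like syntax net.ipv6.conf.*.stable_secret expects.
gen_stable_secret() {
    head -c 16 /dev/urandom | od -An -tx1 -v | tr -d ' \n' |
        sed 's/\(....\)/\1:/g; s/:$//'
}

# Return 0 if "$1" is a well-formed secret. The kernel parses the
# value as an IPv6 address, so free text like whatcamefromurandom
# or a value still wrapped in quotes is rejected.
is_valid_secret() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$'
}

# Read "sysctl -a"-style lines on stdin and print "<ifname> set" or
# "<ifname> unset" for every stable_secret key. The kernel answers a
# read of a stable_secret that was never initialised, and any read of
# the "all" entry, with EIO, which sysctl prints as "I/O error".
classify_stable_secrets() {
    sed -n \
        -e "s/^sysctl: error reading key 'net\.ipv6\.conf\.\(.*\)\.stable_secret': I\/O error\$/\1 unset/p" \
        -e 's/^net\.ipv6\.conf\.\(.*\)\.stable_secret = .*$/\1 set/p'
}

# Constructed sample modelled on the output quoted in the thread;
# the secret value is a placeholder, not a real one.
SAMPLE="sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.br-lan.stable_secret = 1234:5678:9abc:def0:1234:5678:9abc:def0
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.br-lan.use_tempaddr = 2"

count_set()   { printf '%s\n' "$SAMPLE" | classify_stable_secrets | grep -c ' set$'; }
count_unset() { printf '%s\n' "$SAMPLE" | classify_stable_secrets | grep -c ' unset$'; }

# When run directly: print a fresh sysctl.conf line and the classification.
printf 'net.ipv6.conf.default.stable_secret=%s\n' "$(gen_stable_secret)"
printf '%s\n' "$SAMPLE" | classify_stable_secrets
```

Feeding the real `sysctl -a 2>&1` output to classify_stable_secrets shows at a glance which interfaces picked up the secret after a reboot.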
I would say so. You didn't use quotes, did you?
Remove.
Aside from those 3 lines, it isn't completely empty, is it?
The tunnel broker uses a 6in4-tunnel interface.
I'm not sure it supports all the native IPv6 features.
It even requires you to configure it statically.
I assigned the string about a year ago based on this thread: Cascading routers, dhcpv6 and unwanted EUI64 w/SLAAC on wan6
I just set this up on my router, it's working on mine. My LAN has a privacy IPv6 address with a prefix from the HE tunnel.
This won't work on the tunnel, it has an assigned IP, you do this on the downstream interfaces (i.e. LAN, Guest, etc.).
Does this apply to your LAN interface or the tunnel interface?
I mean, it likely works for the former, but not the latter.
I did use them, when I tried the command live it complained without the quotes.
Trying again without.
Hold on, I added them precisely to enable PE as discussed with @silentcreek
Still, commenting them out...
/etc/sysctl.conf only had those 3 lines, the defaults live in files under /etc/sysctl.d/
/etc/sysctl.d/10-default.conf:
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2
fs.protected_hardlinks=1
fs.protected_symlinks=1
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
/etc/sysctl.d/11-nf-conntrack.conf:
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180
Rebooted, still have the I/O errors, still no PE addresses BUT... the secret is now set!
Re-adding the "2" mode, rebooting... nope ;(
Ok, now I have to do a language test for school, then I'll read the thread @lleachii posted and get back here.
LAN and Guest networks. As you noted, the tunnel has an IP assigned from HE.
It appears my IPV6 DNS requests now use a privacy address on every interface with a random suffix applied (haven't tested disabling binding to the HE tunnel IP).
Setting a string enables them. You enabled temporary addresses.
You will have I/O errors in the log for any interface that doesn't have IPv6 enabled. Not sure how you know a secret is set if you don't have an IP.
Did you set on your interface:
option ip6assign '64'
option ip6ifaceid 'random'
option ip6class '<henet_interface_name> local'
In addition, every restart of the interface brings it something different. I am sure you could get proper privacy extensions working, but likely at a loss of network stability if a device happens to miss an RA. In a perfect world it would be marked as deprecated and continue accepting the traffic, but as it's forwarding, I struggle to understand the benefit to it, as it won't show anywhere upstream anyway?
Hold on, now I'm lost: I understood temporary addresses were the actual result of enabling PE.
In fact, on my raspi all I had to do to get them was setting tempaddr to 2 and reboot: I just checked and I have no stable_secret key there, yet temporary addresses exist and are correctly used.
Oh, I checked the output of "sysctl -a" after rebooting:
net.ipv6.conf.6in4-he_1_nyc.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.br-guest.stable_secret = xxxx
net.ipv6.conf.br-lan.stable_secret = xxxx
net.ipv6.conf.default.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.101.stable_secret = xxxx
net.ipv6.conf.eth0.102.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.ifb0.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.ifb1.stable_secret': I/O error
net.ipv6.conf.ifb4eth1.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.pppoe-wan.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.sit0.stable_secret': I/O error
net.ipv6.conf.tun0.stable_secret = xxxx
net.ipv6.conf.wlan0.stable_secret = xxxx
net.ipv6.conf.wlan0-1.stable_secret = xxxx
net.ipv6.conf.wlan1.stable_secret = xxxx
net.ipv6.conf.wlan1-1.stable_secret = xxxx
net.ipv6.ip6frag_secret_interval = 0
Yes for both br-lan and br-guest.
Nope, I used a specific value as suggested earlier
Nope, if I do that I get no IPV6 addresses at all. That's still an open issue for me.
Yes, according to he.net control panel and ifstatus.
I have 3 different /64 assigned to lan, guest and vpn interfaces.
If you entered a value in ip6ifaceid, then it's impossible that it would use the random secret, agreed?
Change to random.
"Temporary" and "private" IPv6 addresses are actually 2 separate concepts. You can have privacy IPs without enabling temporary ones. See: https://en.wikipedia.org/wiki/IPv6_address#Temporary_addresses
The link you provided is wrong if you're editing the file manually (and not using UCI):
# add under /etc/config/network in your interface config
option ip6class 'he_1_nyc local'
Are you sure your interface name is he_1_nyc?
I could agree but it would be almost meaningless: I'm not sure I fully appreciate the difference.
Anyhow, I did it and now I get a random address which looks just as random as a temporary address, to me.
The source of my confusion is perhaps NetworkManager... Come to think of it, also @silentcreek wrote something similar in the referenced post
Then the documentation is also wrong: the table says "list of strings" and the config sample uses "list" instead of "option" for ip6class. I changed the config, restarted the interface and now I get addresses from both ULA and he.net prefixes, with my chosen suffix.
Using just one of the names also works as expected.
Yes, it is what I use for ifup / ifdown.
Up to now, http://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch06s05.html
It seems that you did so correctly, I simply provided instructions for Privacy. If you so desire, just enable it. The result should be 1-2 rotating IPs in addition to the one that doesn't change. I've never tried on a router because you can miss an RA (as @SeSe1 noted - albeit he misidentified as privacy-only, instead as temporary).
Temporary addresses rotate during uptime, a privacy IP alone is per boot.
Ah-ha, so it might actually be a bad idea altogether? Wonderful
I'll rephrase: I still have no clue why I can't get a temporary address on lan and guest for addresses derived from the he.net/64 assigned to each interface. I know the tunnel is fixed, I wasn't talking about that.
OK, I added to the bottom of my sysctl.conf:
net.ipv6.conf.default.stable_secret=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2
After rebooting, I see no "temporary" IPs - only the privacy extension-based IP. I find it very hard to believe a router could rotate its IP safely anyways.
Point taken.
Couple of final (?) questions:
PEs from my experience don't have a LAN.
For CEs (or any device with a Public IPv6 address), you can assign/bind any address you desire to the interface. So yes, I have.
If you need to reference the LAN IP in a config, you'll have to assign it.