[solved] IPV6 temporary addresses on a router? (NOT PE)

Does this apply to your LAN interface or the tunnel interface?
I mean, it likely works for the former, but not the latter.


I did use them, when I tried the command live it complained without the quotes.
Trying again without.

Hold on, I added them precisely to enable PE as discussed with @silentcreek
Still, commenting them out...

/etc/sysctl.conf only had those 3 lines, the defaults live in files under /etc/sysctl.d/
/etc/sysctl.d/10-default.conf

# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings

kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2

fs.protected_hardlinks=1
fs.protected_symlinks=1

net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1

net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

/etc/sysctl.d/11-nf-conntrack.conf:

# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings

net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_udp_timeout=60
net.netfilter.nf_conntrack_udp_timeout_stream=180

Rebooted, still have the I/O errors, still no PE addresses BUT... the secret is now set!
Readding the "2" mode, rebooting... nope ;(

Ok, now I have to do a language test for school, then I'll read the thread @lleachii posted and get back here.

LAN and Guest networks. As you noted, the tunnel has an IP assigned from HE.

It appears my IPV6 DNS requests now use a privacy address on every interface with a random suffix applied (haven't tested disabling binding to the HE tunnel IP).

Setting a string enables them. You enabled temporary addresses.

You will have I/O errors in the log for any interface that doesn't have IPv6 enabled. Not sure how you know a secret is set if you don't have an IP.

Did you set on your interface:

	option ip6assign '64'
	option ip6ifaceid 'random'
	option ip6class '<henet_interface_name> local'
  • Do you have a /48 issued from HE?

Yeah I am having a hard time understanding the problem, this works?

In addition, every restart of the interface brings it something different. I am sure you could get proper privacy extensions working, but likely at a loss of network stability if a device happens to miss an RA. In a perfect world it would be marked as deprecated and continue accepting the traffic, but as it's forwarding I struggle to understand the benefit to it, as it won't show anywhere upstream anyway?

Hold on, now I'm lost: I understood temporary addresses were the actual result of enabling PE.
In fact, on my raspi all I had to do to get them was setting tempaddr to 2 and reboot: I just checked and I have no stable_secret key there, yet temporary addresses exist and are correctly used.

Oh, I checked the output of "sysctl -a" after rebooting:

net.ipv6.conf.6in4-he_1_nyc.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.all.stable_secret': I/O error
net.ipv6.conf.br-guest.stable_secret = xxxx
net.ipv6.conf.br-lan.stable_secret = xxxx
net.ipv6.conf.default.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.eth0.stable_secret': I/O error
net.ipv6.conf.eth0.101.stable_secret = xxxx
net.ipv6.conf.eth0.102.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.eth1.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.ifb0.stable_secret': I/O error
sysctl: error reading key 'net.ipv6.conf.ifb1.stable_secret': I/O error
net.ipv6.conf.ifb4eth1.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.lo.stable_secret': I/O error
net.ipv6.conf.pppoe-wan.stable_secret = xxxx
sysctl: error reading key 'net.ipv6.conf.sit0.stable_secret': I/O error
net.ipv6.conf.tun0.stable_secret = xxxx
net.ipv6.conf.wlan0.stable_secret = xxxx
net.ipv6.conf.wlan0-1.stable_secret = xxxx
net.ipv6.conf.wlan1.stable_secret = xxxx
net.ipv6.conf.wlan1-1.stable_secret = xxxx
net.ipv6.ip6frag_secret_interval = 0

Yes for both br-lan and br-guest.

Nope, I used a specific value as suggested earlier

Nope, if I do that I get no IPV6 addresses at all. That's still an open issue for me.

Yes, according to he.net control panel and ifstatus.
I have 3 different /64 assigned to lan, guest and vpn interfaces.

If you entered a value in ip6ifaceid, then it's impossible that it would use the random secret, agreed?

Change to random.

"Temporary" and "private" IPv6 addresses are actually 2 separate concepts. You can have privacy IPs without enabling temporary ones. See: https://en.wikipedia.org/wiki/IPv6_address#Temporary_addresses

The link you provided is wrong if you're editing the file manually (and not using UCI):

# add under /etc/config/network in your interface config
option ip6class 'he_1_nyc local'

Are you sure your interface name is he_1_nyc?

I could agree but it would be almost meaningless: I'm not sure I fully appreciate the difference.
Anyhow, I did it and now I get a random address which looks just as random as a temporary address, to me.

The source of my confusion is perhaps NetworkManager... Come to think of it, also @silentcreek wrote something similar in the referenced post


I must have misunderstood this: I conflated PE and temporary addresses. Let me try to put it in my own words and see if I get it right: PE is a way to produce a predictable address that gives away no information about the MAC yet is stable within a prefix. Pass?

Then the documentation is also wrong: the table says "list of strings" and the config sample uses "list" instead of "option" for ip6class. I changed the config, restarted the interface and now I get addresses from both ULA and he.net prefixes, with my chosen suffix.
Using just one of the names also works as expected.

Yes, it is what I use for ifup / ifdown.

Up to now,

  • I've found out that I wanted temporary addresses and learnt instead how to enable PE (changed title of post)
  • I still have no clue why I can't get temporary addresses :frowning: for the he.net prefix (for the ULA one it is pointless, of course)

http://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch06s05.html

It seems that you did so correctly; I simply provided instructions for Privacy. If you so desire, just enable it. The result should be 1-2 rotating IPs in addition to the one that doesn't change. I've never tried on a router because you can miss an RA (as @SeSe1 noted - albeit he misidentified it as privacy-only instead of temporary).

Temporary addresses rotate during uptime, a privacy IP alone is per boot.

  • Because it's a Layer 3 tunnel, it doesn't even need an address.
  • Because HE assigned an IP to your side

Ah-ha, so it might actually be a bad idea altogether? Wonderful :smiley:

I'll rephrase: I still have no clue why I can't get a temporary address on lan and guest for addresses derived from the he.net/64 assigned to each interface. I know the tunnel is fixed, I wasn't talking about that.

OK, I added to the bottom of my sysctl.conf:

net.ipv6.conf.default.stable_secret=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
net.ipv6.conf.all.use_tempaddr=2 
net.ipv6.conf.default.use_tempaddr=2

After rebooting, I see no "temporary" IPs - only the privacy extension-based IP. I find it very hard to believe a router could rotate its IP safely anyways.

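A check worth running at this point, added here as an example and not code from the thread or from OpenWrt/netifd: it labels each global address on an interface by the flag the kernel attaches in `ip -6 addr show` output (`temporary` for RFC 4941 addresses produced by use_tempaddr, `stable-privacy` for RFC 7217 addresses derived from stable_secret, `mngtmpaddr` for an address the kernel is allowed to derive temporaries from), and it reads the per-interface sysctls, treating the EIO you get when reading an unset stable_secret (the "I/O error" lines in the sysctl -a listing earlier in the thread) as "unset" rather than as a failure. One kernel detail this makes visible: temporary addresses are only ever created next to a prefix learned from a Router Advertisement or an address added with the mngtmpaddr flag; an address configured statically without that flag gets none, whatever use_tempaddr is set to. The sample `ip` output and the sysctl tree used in the demo are constructed, and the interface names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt/netifd).
# Tells apart the address mechanisms this thread keeps mixing up:
#   temporary       RFC 4941, enabled by use_tempaddr; rotates during uptime
#   stable-privacy  RFC 7217, addr_gen_mode=2 + stable_secret; fixed per prefix,
#                   reveals nothing about the MAC
#   mngtmpaddr      an address the kernel may derive temporaries from (learned
#                   from an RA, or added by hand with the mngtmpaddr flag)
#   static          anything else; a statically assigned address without the
#                   mngtmpaddr flag never gets temporaries, whatever use_tempaddr says

# ipv6_addr_kinds: read `ip -6 addr show` output on stdin and print
# "<iface> <kind> <addr>" for each global-scope address.
ipv6_addr_kinds() {
    awk '
        /^[0-9]+: [^ ]+:/ {            # "2: eth0: <BROADCAST,...>" header line
            iface = $2
            sub(/:$/, "", iface)       # drop the trailing colon
            sub(/@.*/, "", iface)      # "eth0.101@eth0" -> "eth0.101"
        }
        /^ *inet6 / {
            addr = $2; sub(/\/.*/, "", addr)
            scope = ""; kind = "static"
            for (i = 3; i <= NF; i++) {
                if ($i == "scope")               scope = $(i + 1)
                else if ($i == "temporary")      kind = "temporary"
                else if ($i == "stable-privacy") kind = "stable-privacy"
                else if ($i == "mngtmpaddr" && kind == "static") kind = "mngtmpaddr"
            }
            if (scope == "global") print iface, kind, addr
        }'
}

# tempaddr_sysctls: show the per-interface knobs that decide which kinds of
# addresses the kernel will generate. $1 = interface; $2 = sysctl tree root,
# default /proc/sys/net/ipv6/conf (overridable so the function can be run
# against a constructed tree).
tempaddr_sysctls() {
    iface=$1
    root=${2:-/proc/sys/net/ipv6/conf}
    d="$root/$iface"
    [ -d "$d" ] || { echo "$iface: no IPv6 sysctl tree" >&2; return 1; }
    use_tempaddr=$(cat "$d/use_tempaddr" 2>/dev/null || echo '?')
    addr_gen_mode=$(cat "$d/addr_gen_mode" 2>/dev/null || echo '?')
    # Reading stable_secret fails with EIO when no secret is set on that
    # interface (the "I/O error" lines from sysctl -a); report it as unset
    # and never print the secret itself.
    if cat "$d/stable_secret" >/dev/null 2>&1; then secret=set; else secret=unset; fi
    echo "$iface use_tempaddr=$use_tempaddr addr_gen_mode=$addr_gen_mode stable_secret=$secret"
}

# Constructed `ip -6 addr show` output (not captured from a real box):
# eth0 learned its prefix from an RA with use_tempaddr=2, br-lan had its
# addresses assigned statically, so only eth0 carries a temporary address.
SAMPLE_IP6_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:0:1c4e:9f2a:7b13:d8e5/64 scope global temporary dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 2001:db8:1:0:a1b2:c3d4:e5f6:7890/64 scope global dynamic mngtmpaddr
       valid_lft 86000sec preferred_lft 86000sec
    inet6 fe80::a1b2:c3d4:e5f6:7890/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
3: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:2::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fd12:3456:789a::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever'

printf '%s\n' "$SAMPLE_IP6_ADDR" | ipv6_addr_kinds
# On a live router:  ip -6 addr show | ipv6_addr_kinds ; tempaddr_sysctls br-lan
[ -d /proc/sys/net/ipv6/conf/lo ] && tempaddr_sysctls lo || true
```

If an interface shows use_tempaddr=2 but every global address comes back as `static`, the kernel was never given anything to derive temporaries from, so adding a stable_secret or toggling use_tempaddr again will not change the result.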

Point taken.

Couple of final (?) questions:

  • @jow could you please verify my finding regarding the documentation of ipclass?
    (EDIT: nevermind...)
  • @lleachii with your PE-setup, do you deal with cases where you need to reference the router lan IPV6 in a config?

PEs from my experience don't have a LAN.

For CEs (or any device with a Public IPv6 address), you can assign/bind any address you desire to the interface. So yes, I have.

  • I've handed out the DNS server IP of the assigned LAN IPv6 address (not the default link local). I had that config for years until configuring the above to test in this thread. When I enabled privacy extensions in the past, I had to assign an IP due to the link local rotating. I did it to explicitly state the IP in firewall configs. I edited it to a 53/udp accept input from zone x
  • I've assigned an IPv6 address so the one issued by HE wasn't used in an AAAA record. You can assign the IP to any interface with proper firewall rules/route/prefix

If you need to reference the LAN IP in a config, you'll have to assign it.

