| View previous topic :: View next topic |
| Author |
Message |
curmudgeon
Veteran
Joined: 08 Aug 2003
Posts: 1744
|
 Posted: Thu Dec 05, 2019 3:46 pm Post subject: ipv6 help |
 |
|
For the past few years, I have compiled ipv6 into everything the idea that I would need or use it in "the future." The future has arrived. A recent change of internet providers has landed on one that supports (and even prefers) ipv6. Much reading over the past few days has enlightened me to several things regarding ipv6, particularly the security and tracking dangers that come with it. I first woke up about this when I realized that a portion of traffic that I expected to go through a tunnel had instead bypassed it. Even after several hours of reading various guides, I still have little idea regarding how to configure ipv6 to (eventnually do what I want).
First questions. I find the idea of exposing the MAC address beyond the local network completely intolerable. Why does Gentoo "ship" with privacy extensions disabled (I believe this represents an exception rather than the rule)? I want any outbound traffic to use a temporary address that changes every four hours. So I put into /etc/sysctl.conf:
| Code: |
net.ipv6.conf.eth0.use_tempaddr = 2
net.ipv6.conf.eth0.temp_prefered_lft = 14400
|
After restarting the network, however, the ipv6 address has disappeared (but the EUI-64 based link-local address remains). Any idea why?
Next question. Suppose hypothetically that I want to use a stable privacy address (I don't - at least for now). I see how to activate that using DHCP ("slaac private" in the configuration file), but not how to obtain such an address without using DHCP. How do I do that?
Next question. How do I assign my own permanent link-local addresses (say fe80::10/64), again skipping the EUI-64 based addresses? I foresee myself able to type "ssh fe80::10" in the not too distant future, but not an entire address based on the MAC address. :)
Final question. I see that ipv6 often uses multiple addresses assigned to each interface. Suppose (hypothetically, again) that I have an ssh server that I want to access from the internet. I would like to have a permanent address for the ssh server which only ssh traffic uses, with all other outbound traffic going through the temporary address. How do I configure that?
Thank you in advance for your help. |
|
| Back to top |
|
 |
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6835
Location: Blighty
|
| Posted: Thu Dec 05, 2019 10:18 pm Post subject: Re: ipv6 help |
|
|
| curmudgeon wrote: | For the past few years, I have compiled ipv6 into everything the idea that I would need or use it in "the future." The future has arrived. A recent change of internet providers has landed on one that supports (and even prefers) ipv6. Much reading over the past few days has enlightened me to several things regarding ipv6, particularly the security and tracking dangers that come with it. I first woke up about this when I realized that a portion of traffic that I expected to go through a tunnel had instead bypassed it. Even after several hours of reading various guides, I still have little idea regarding how to configure ipv6 to (eventnually do what I want).
First questions. I find the idea of exposing the MAC address beyond the local network completely intolerable. Why does Gentoo "ship" with privacy extensions disabled (I believe this represents an exception rather than the rule)? I want any outbound traffic to use a temporary address that changes every four hours. So I put into /etc/sysctl.conf:
| Code: |
net.ipv6.conf.eth0.use_tempaddr = 2
net.ipv6.conf.eth0.temp_prefered_lft = 14400
|
|
Temporary addresses don't work for long lived connections. Once the address becomes invalid, the connection drops.
Stable Private addresses are the right way as they don't put any part of the MAC address in the IP6 address
| Quote: |
After restarting the network, however, the ipv6 address has disappeared (but the EUI-64 based link-local address remains). Any idea why?
|
If you use dhcpcd and there is no fe80 address on the link, dhcpcd will create one using stable private address technique - but it will also remove it if you release or don't have persistent enabled.
If the kernel then puts one there then dhcpcd won't create one.
| Quote: |
Next question. Suppose hypothetically that I want to use a stable privacy address (I don't - at least for now). I see how to activate that using DHCP ("slaac private" in the configuration file), but not how to obtain such an address without using DHCP. How do I do that?
|
slaac private only works for addresses generated by a Router Advertisement - not DHCP at all.
dhcpcd is also a RA and DHCPv6 client you know.
| Quote: |
Next question. How do I assign my own permanent link-local addresses (say fe80::10/64), again skipping the EUI-64 based addresses? I foresee myself able to type "ssh fe80::10" in the not too distant future, but not an entire address based on the MAC address. 
|
Maybe add the stable IPv6 addresses to DNS?
I generally set my router to fe80::1 and I don't bother with anything else.
| Quote: |
Final question. I see that ipv6 often uses multiple addresses assigned to each interface. Suppose (hypothetically, again) that I have an ssh server that I want to access from the internet. I would like to have a permanent address for the ssh server which only ssh traffic uses, with all other outbound traffic going through the temporary address. How do I configure that? |
You need to configure the service to listen to specific addresses:
https://www.cyberciti.biz/tips/howto-openssh-sshd-listen-multiple-ip-address.html
I don't think using temporary addresses is a good idea, but here's how you prefer them.
https://unix.stackexchange.com/questions/499739/whats-the-purpose-of-use-tempaddr-1-kernel-parameter
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool |
|
| Back to top |
|
|
curmudgeon
Veteran
Joined: 08 Aug 2003
Posts: 1744
|
| Posted: Fri Dec 06, 2019 4:20 am Post subject: Re: ipv6 help |
|
|
| UberLord wrote: | Temporary addresses don't work for long lived connections. Once the address becomes invalid, the connection drops.
Stable Private addresses are the right way as they don't put any part of the MAC address in the IP6 address |
I understand that, but they have no protection against tracking abuse (unless say, I could regenerate a new one at will - at least every reboot).
| UberLord wrote: | | curmudgeon wrote: | After restarting the network, however, the ipv6 address has disappeared (but the EUI-64 based link-local address remains). Any idea why?
|
If you use dhcpcd and there is no fe80 address on the link, dhcpcd will create one using stable private address technique - but it will also remove it if you release or don't have persistent enabled.
If the kernel then puts one there then dhcpcd won't create one. |
I am missing something here. Without the privacy extensions enabled (before I added those two lines of code to /etc/sysctl.conf), I had an ipv6 address (based on the MAC address). Now I don't have one. The output from the command "ip address" looks like this:
| Code: |
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 01:23:45:67:89:ab brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.254 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::323:45ff:fe67:89ab/64 scope link
valid_lft forever preferred_lft forever
|
Why don't I have a regular ipv6 address now?
| UberLord wrote: | | curmudgeon wrote: | Next question. Suppose hypothetically that I want to use a stable privacy address (I don't - at least for now). I see how to activate that using DHCP ("slaac private" in the configuration file), but not how to obtain such an address without using DHCP. How do I do that?
|
slaac private only works for addresses generated by a Router Advertisement - not DHCP at all.
dhcpcd is also a RA and DHCPv6 client you know. |
How do I calculate and activate the stable private address? All of the examples I saw regarding them use DHCP.
| UberLord wrote: | | curmudgeon wrote: | Next question. How do I assign my own permanent link-local addresses (say fe80::10/64), again skipping the EUI-64 based addresses? I foresee myself able to type "ssh fe80::10" in the not too distant future, but not an entire address based on the MAC address. :)
|
Maybe add the stable IPv6 addresses to DNS?
I generally set my router to fe80::1 and I don't bother with anything else. |
Where do you add them to DNS? Don't they need to go in the net configuration? Will routers automatically pick up all ipv6 addresses that a machine has?
One new question now. Does some way exist to get the (say /64) network from the router at boot time (which might change) and create the needed addresses from there (if, for example, I had an ssh server on 1:2:3:4::10, but the next time I booted, the router belonged to 1:2:3:5/64 subnet)? |
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3477
|
| Posted: Fri Dec 06, 2019 9:53 am Post subject: |
|
|
| Quote: | | I understand that, but they have no protection against tracking abuse (unless say, I could regenerate a new one at will - at least every reboot). |
And how is this tracking protection any good anyway, when ISPs assign a static /64 prefix to you? |
|
| Back to top |
|
|
curmudgeon
Veteran
Joined: 08 Aug 2003
Posts: 1744
|
| Posted: Fri Dec 06, 2019 11:03 am Post subject: |
|
|
| szatox wrote: | | Quote: | | I understand that, but they have no protection against tracking abuse (unless say, I could regenerate a new one at will - at least every reboot). |
And how is this tracking protection any good anyway, when ISPs assign a static /64 prefix to you? |
I don't have a lot of experience (yet) with this ISP, but so far resetting the connection brings up a different /64 prefix. But even if it didn't, I still see a big difference in the ability to track to a specific device versus the ability to track to a /64 prefix that already has more than a dozen devices in it (and that number will only grow over time). |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
