I finally decided to take the plunge and get an HE IPv6 tunnel and address since my ISP doesn’t hand out IPv6 for static addresses.
Now that the Omnia will route to the exact internal address in my subnet (for IPv6), this has brought up some questions about IPv6, which is why I’m going through this exercise.
One question I have is how to best set the IPv6 address on my main server. Its IPv4 address is statically set, but the IPv6 address was assigned, I believe, from SLAAC and includes the MAC address.
I am considering just using the SLAAC address, but I’m concerned about reducing the occurrence of personally identifiable information, so would be interested in not having the MAC address be part of the IPv6 address.
Does anyone have any strategy or best practice they have decided to use for assigning static IPv6 addresses?
I was hoping to avoid using a dynamic dns client to update my domain registrar, but I may end up doing this to keep the records correct.
That Linux would do privacy by default? Not unless you’re using NetworkManager which does appear to do this by default. I’m not really interested in using NM to configure my server and my other machine uses DHCP, via /etc/network/interface for largely historical reasons and since I play around with the network a bit.
One system I have that uses NM has 13 IPv6 addresses, 6 routable and 7 ULA, though 1 looks like a special one of some sort (/128). None match with the ethernet device MAC address. This is also a DHCP client but uses NM.
It does appear to be on by default in Windows, I just don’t know if it changes every time I boot. This isn’t really important to me since I don’t use Windows as a server anywhere.
I also notice the local DNS doesn’t see the AAAA addresses, though if I ping <shortname> or ssh <shortname> it will use the ULA address. These all require more investigation.
But all this variety has me wondering, as I did with my original posting, whether anyone has a strategy or best practice around IPv6.
I also appear to be mixing up two different things.
temporary addresses generated according to RFC 4941 “Privacy extensions”
permanent addresses generated according to RFC 7217 “Opaque interface identifiers”
For my server and any “statically” assigned SLAAC hosts, I want RFC 7217, which is what the net.ipv6.conf.default.stable_secret appears to do.
Apparently RFC 4941 addresses are always generated in addition to the default address and do not replace it, thus the 13 IPv6 addresses on my one machine.
To my understanding that covers only iface being added after having set the stable secret but not ifaces that existed prior to it.
After having set net.ipv6.conf.default.stable_secret, I then ran sysctl -a | grep stable, showing that the existing devices are not covered by the default.stable_secret.
I suspect I’ll need to reboot my server for all my interfaces to use this option then. This option certainly wasn’t set on my Debian Stretch system.
You’re welcome. I sort of want this thread for folks who are interested in having more control of their network environment, but like me, haven’t really taken the IPv6 plunge and might be IPv4 proficient and feel a little intimidated by IPv6.
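
The MAC-in-address concern and the RFC 7217 alternative discussed in this thread, as an added example that is not part of the original posts: it builds a modified EUI-64 SLAAC address, recovers the MAC from it, and contrasts it with an RFC 7217-style opaque identifier. The MAC, prefixes and secret are constructed sample values; SHA-256 as the function F and the omission of the optional Network_ID are assumptions, and this is not the Linux kernel's own computation.

```python
import hashlib
import ipaddress

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier built from a MAC (RFC 4291, Appendix A)."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                      # invert the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])

def opaque_iid(prefix: str, ifname: str, secret: bytes, dad_counter: int = 0) -> bytes:
    """RFC 7217-style IID: F(Prefix, Net_Iface, DAD_Counter, secret_key).
    F = SHA-256 is an assumption made for this illustration."""
    net_prefix = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    data = net_prefix + ifname.encode() + bytes([dad_counter]) + secret
    return hashlib.sha256(data).digest()[:8]

def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Join a /64 prefix with a 64-bit interface identifier."""
    return ipaddress.IPv6Address(ipaddress.IPv6Network(prefix).network_address.packed[:8] + iid)

def embedded_mac(addr: str):
    """Return the MAC recoverable from an address, or None if the IID is not EUI-64.
    Heuristic: a random IID contains ff:fe at this position about once in 65536."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                    # undo the universal/local bit inversion
    return ":".join(f"{x:02x}" for x in iid[:3] + iid[5:])

# Constructed sample values (documentation prefixes, made-up MAC and secret).
MAC = "52:54:00:12:34:56"
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
PREFIX_A = "2001:db8:1234:5678::/64"
PREFIX_B = "2001:db8:abcd:ef01::/64"

if __name__ == "__main__":
    leaky = slaac_address(PREFIX_A, eui64_iid(MAC))
    print("EUI-64 address:", leaky, "-> MAC", embedded_mac(str(leaky)))
    for prefix in (PREFIX_A, PREFIX_B):
        stable = slaac_address(prefix, opaque_iid(prefix, "eth0", SECRET))
        print("opaque address:", stable, "-> MAC", embedded_mac(str(stable)))
```

The opaque identifier stays the same for a given prefix, interface and secret, so it is usable in a static AAAA record, but it differs from prefix to prefix and does not reveal the hardware address.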