IPv6 best practice questions

I finally decided to take the plunge and get a HE IPv6 tunnel and address since my ISP doesn’t hand out IPv6 for static addresses.

Now that the the Omnia will route to the exact internal address in my subnet (for IPv6), this has brought up some questions about IPv6, which is why I’m going through this excersize.

One question I have is how to best set the IPv6 address on my main server. It’s IPv4 address is statically set, but the IPv6 address was assigned, I believe, from SLAAC and includes the MAC address.

I am considering just using the SLAAC address, but I’m concerned about reducing the occurrence of personally identifiable information, so would be interested in not having the MAC address be part of the IPv6 address.

Does anyone have any strategy or best practice they have decided to use for assigning static IPv6 addresses?

I was hoping to avoid using a dynamic dns client to update my domain registrar, but I may end up doing this to keep the records correct.

maybe some kernel parameters to consider

net.ipv6.conf.default.use_tempaddr
net.ipv6.conf.default.autoconf

and in the downstream ifaces, e.g. lan, perhaps

option ip6ifaceid 'random'

ula prefixed static ipv6 can be set on the iface with list ip6addr

just be aware of https://github.com/openwrt/luci/issues/2729#issuecomment-496476496

After a bit more reading, it looks like I should set net.ipv6.conf.default.stable_secret to get what I want.

Setting this in sysctl.conf to a 128-bit number appears to get a stable address via SLAAC not related to the MAC address.

There may be a way to do this in Windows, but that’s an excersize for another day.

:exploding_head: thought this was fixed years ago…

Which “fixed” how?

That Linux would do privacy by default? Not unless you’re using NetworkManager which does appear to do this by default. I’m not really interested in using NM to configure my server and my other machine uses DHCP, via /etc/network/interface for largely historical reasons and since I play around with the network a bit.

One system I have that uses NM has 13 IPv6 addresses, 6 routable and 7 ULA, though 1 looks like a special one of some sort (/128). None match with the ethernet device MAC address. This is also a DHCP client but uses NM.

It does appear to be on by default in Windows, I just don’t know if it changes every time I boot. This isn’t really important to me since I don’t use Windows as a server anywhere.

I also notice the local DNS doesn’t see the AAAA addresses, though if I ping <shortname> or ssh <shortname>it will use the ULA address. These all require more investigation.

But all this variety has me wondering, as I did with my original posting whether anyone has a strategy or best practice around IPv6.

I also appear to be mixing up two different things.

  • temporary addresses generated according to RFC 4941 “Privacy extensions”
  • permanent addresses generated according to RFC 7217 “Opaque interface identifiers”

For my server and any “statically” assigned SLAAC hosts, I want RFC 7217, which is what the net.ipv6.conf.default.stable_secret appears to do.

Apparently RFC 4941 addresses are always generated in addition to the default address and do not replace it, thus the 13 IPv6 addresses on my one machine.

you could check for the iface addrgenmode. On the router it appears to be eui64

What been fixed in kernel is -> automatically enable stable privacy mode if stable_secret set

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9b29c6962b70f232cde4076b1020191e1be0889d

The problem appears to be that the stable secret is not being generated on the TO when being setup, as it recommended.

RFC 4941 covers DHCP whilst RFC 7217 indeed SLAAC.


To my understanding that covers only iface being added after having set the stable secret but not ifaces that existed prior to it.

After having set net.ipv6.conf.default.stable_secret then ran sysctl -a | grep stable showing that the existing devices are not covered with the default.stable_secret

“fixed” in a sense that one has to put in extra work to get an ipv6 address that contains (parts of) the mac address.

not a sixie… thanks for the fruitfull discussion thou

I suspect I’ll need to reboot my server for all my interfaces to use this option then. This option certainly wasn’t set on my Debian Stretch system.

You’re welcome. I sort of want this thread for folks who are interested in having more control of their network environment, but like me, haven’t really taken the IPv6 plunge and might be IPv4 proficient and feel a little intimidated by IPv6.