On 2021-12-28, Mike Fischer <[email protected]> wrote:
> Thanks Stuart!
>
>> On 28.12.2021 at 10:01, Stuart Henderson <[email protected]> wrote:
>>
>> On 2021-12-27, Mike Fischer <[email protected]> wrote:
>>> After reading man pages for slaacd(8), hostname.if(5) and ifconfig(8) the
>>> only way to combine a static IID with a dynamic prefix seems to be the
>>> eui64 option:
>>>   inet6 autoconf eui64
>>>
>>> However this limits the IID to a fixed value based on the MAC-address of
>>> the interface and potentially leaks information about the vendor of the
>>> interface to the Internet.
>>>
>>> Is there a way to combine "inet6 autoconf" with an arbitrary manually
>>> defined IID?
>>
>> Not directly to a specific IID, but OpenBSD uses RFC 7217 by default
>> rather than a MAC-address-based identifier.
>
> After rereading RFC 7217 my take is that the IID generated by this method
> will change whenever the prefix changes (see section 4. Design Goals). That
> is not what I want because it would require reconfiguration of the IID-based
> forwarding rules on my router whenever the prefix and thus the IID changes.

Ah yes.

> So I guess the only way to get a stable IID with dynamic prefixes is to use
> the eui64 method? (Which is based on the MAC-address and leaks information.)
>
> My options for running an OpenBSD server using IPv6 thus seem to be:
> - Find a provider with static public IPv6 addresses (prefixes)
> - Use dynamic IPv6 addresses (prefixes) and eui64 IIDs
> - Use an IPv6 tunnel broker like tunnelbroker.net to tunnel a static IPv6
>   address (prefix) through IPv4 (6in4 tunnel)

Another possibility:

- Use an alternative RA client, if there's one that allows what you need.
  I would look at dhcpcd, this is probably the one most likely to support it.

> Sounds like a missing feature in slaacd(8) then, unless someone can explain
> why combining a dynamic IPv6 prefix with a manually configured static IID for
> a server would be a bad idea.

I don't think it's a bad idea as such, but you'll still have to deal with
DNS and maybe firewall rules if the prefix changes, so I don't know how much
it buys really. Personally I would most likely use the MAC address-based
autoconf address in this situation, I'm not all that bothered if someone
knows the NIC manufacturer (or it can often be reset with lladdr, though
that doesn't always work well with every NIC).
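The trade-off discussed in this thread, as an added example that is not part of the original messages and is not slaacd's code: it derives the modified EUI-64 IID from a MAC address and an RFC 7217-style IID for two prefixes, showing that the first stays fixed but exposes the vendor OUI while the second changes with the prefix. Assumptions: SHA-256 stands in for the RFC's function F, the optional Network_ID is omitted, and the MAC, interface name `em0`, key and prefixes are constructed sample values.

```python
import hashlib
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 IID (RFC 4291, Appendix A) from a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def rfc7217_iid(prefix: str, iface: str, secret: bytes, dad_counter: int = 0) -> int:
    """RFC 7217-style IID: RID = F(Prefix, Net_Iface, DAD_Counter, secret_key).

    Assumptions: F is SHA-256, the optional Network_ID is left out, and the
    field encoding is this example's own; slaacd's details may differ.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example handles /64 prefixes only")
    rid = hashlib.sha256(net.network_address.packed[:8] + iface.encode()
                         + dad_counter.to_bytes(4, "big") + secret).digest()
    return int.from_bytes(rid[-8:], "big")  # 64 least significant bits of RID

def address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def oui_from_eui64(iid: int) -> str:
    """Recover the vendor OUI that an EUI-64 IID exposes."""
    return format((iid >> 40) ^ 0x020000, "06x")

if __name__ == "__main__":
    MAC = "00:00:5e:00:53:01"         # constructed: RFC 7042 documentation MAC
    SECRET = b"constructed-demo-key"  # constructed; a real key is random and private
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):  # constructed prefixes
        e, s = eui64_iid(MAC), rfc7217_iid(prefix, "em0", SECRET)
        print(prefix, "eui64:", address(prefix, e), "rfc7217:", address(prefix, s))
    print("OUI visible in the eui64 address:", oui_from_eui64(eui64_iid(MAC)))
```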

