Re: IPv6 autoconf with static IID?
Ok, ignore my previous mail. The solution is to use -soii:

# ifconfig em0 autoconf eui64 -soii lladdr f2:b6:71:e6:11:7e

This makes the non temporary public and ULA addresses use the EUI-64 IID based on the lladdr.

Thanks!

Mike

> On 29.12.2021 at 19:37, Mike Fischer wrote:
>
> On Tue, Dec 28, 2021, at 21:05, Mike Fischer wrote:
>>> On 28.12.2021 at 13:09, Paul de Weerd wrote:
>>> Seems like the simplest way, especially using the lladdr option.
>> Yes, I’ll give that a try.
>
> Ok, I have tried the following:
>
> Remove my current IPv6 configuration from em0:
> # ifconfig em0 -inet6
> Test the new configuration:
> # ifconfig em0 inet6 autoconf eui64 lladdr f2:b6:71:e6:11:7e
>
> This results in:
> - The interface em0 has the expected lladdr of f2:b6:71:e6:11:7e
> - The link local IPv6 address is: fe80::f0b6:71ff:fee6:117e (using the
> modified EUI-64 version of the lladdr) as expected
> - The public IPv4 IPs use my current prefix and a random IID, no relation to
> the lladdr: 2001:db8::eb7f:1267:44d0:45a4 (*)
> - The ULA addresses behave the same as the public ones, i.e. the IID has no
> relation to the lladdr.
>
> Why is (one of) the public addresses not using the EUI-64 method of
> generating the IID?
>
> I realize that autoconf generates the SOII addresses with random IIDs. But
> shouldn’t the eui64 option also create an IP with the modified EUI-64 as the
> IID?
>
> ifconfig(8) states:
> eui64 Fill the interface index (the lowermost 64 bits of an IPv6 address)
> automatically.
>
> Which is kind of a bland statement anyway. It should IMHO reference that a
> modified EUI-64 is used. But it does not say that this is only true for the
> link local address.
>
>
> I have tried changing the order of the parameters, but it makes no
> difference:
> ifconfig em0 inet6 autoconf lladdr f2:b6:71:e6:11:7e eui64
> ifconfig em0 inet6 lladdr f2:b6:71:e6:11:7e eui64 autoconf
>
> I have also tried to do this without the lladdr parameter, same results just
> with a different lladdr.
>
> If I leave out the autoconf parameter I only get a link local address.
>
>
> *) I have substituted 2001:db8:: for the real public prefix here.
>
>
> Thanks!
>
> Mike
Re: IPv6 autoconf with static IID?
On Tue, Dec 28, 2021, at 21:05, Mike Fischer wrote:
>> On 28.12.2021 at 13:09, Paul de Weerd wrote:
>> Seems like the simplest way, especially using the lladdr option.
> Yes, I’ll give that a try.

Ok, I have tried the following:

Remove my current IPv6 configuration from em0:
# ifconfig em0 -inet6
Test the new configuration:
# ifconfig em0 inet6 autoconf eui64 lladdr f2:b6:71:e6:11:7e

This results in:
- The interface em0 has the expected lladdr of f2:b6:71:e6:11:7e
- The link local IPv6 address is: fe80::f0b6:71ff:fee6:117e (using the modified EUI-64 version of the lladdr) as expected
- The public IPv4 IPs use my current prefix and a random IID, no relation to the lladdr: 2001:db8::eb7f:1267:44d0:45a4 (*)
- The ULA addresses behave the same as the public ones, i.e. the IID has no relation to the lladdr.

Why is (one of) the public addresses not using the EUI-64 method of generating the IID?

I realize that autoconf generates the SOII addresses with random IIDs. But shouldn’t the eui64 option also create an IP with the modified EUI-64 as the IID?

ifconfig(8) states:
eui64 Fill the interface index (the lowermost 64 bits of an IPv6 address) automatically.

Which is kind of a bland statement anyway. It should IMHO reference that a modified EUI-64 is used. But it does not say that this is only true for the link local address.

I have tried changing the order of the parameters, but it makes no difference:
ifconfig em0 inet6 autoconf lladdr f2:b6:71:e6:11:7e eui64
ifconfig em0 inet6 lladdr f2:b6:71:e6:11:7e eui64 autoconf

I have also tried to do this without the lladdr parameter, same results just with a different lladdr.

If I leave out the autoconf parameter I only get a link local address.

*) I have substituted 2001:db8:: for the real public prefix here.

Thanks!

Mike
Re: IPv6 autoconf with static IID?
Hi Thomas!

On 28.12.2021 at 16:24, Thomas Bohl wrote:
>
> Hello,
>
>> My Internet connection is using dynamic IPv6 prefixes. I want to configure a
>> local (OpenBSD) machine so its public IPv6 address adjusts to changes in the
>> network prefix but keeps a static Interface Identifier (IID). I’d also like
>> to be able to configure the IID manually.
>> Essentially this would be a server running on the LAN but with a public IPv6
>> address, reachable from the Internet.
>
> I wrote a script that runs every minute via cron and detects a public IPv6
> network change. On a detected change you could run for example
>
> ifconfig $interface inet6 alias $newIPv6Net:1:2:3:4
> update-dyndns-whatever
>
> (You configure what $interface is, and $newIPv6Net is the new network
> prefix.) So you always (minus up to a minute) have a working :1:2:3:4
> interface identifier.
>
> I have been using the script for four years, but only now decided to publish it. I hope
> it is self-explanatory and that my English comments make sense.
>
> https://aloof.de/f/IPv6Aliases-en.sh
> https://aloof.de/f/IPv6Aliases-de.sh

Thanks! You have obviously put a lot of thought into this script and solved a number of potential issues.

A couple of observations:
- »grep -v '^fd00'« to remove ULA addresses is not correct. For example the ULA I am using at home starts with fd28:…
- Also you are taking separate steps to filter link-local and ULA addresses.

Solution to both issues: replace »grep -v '^fd00' | grep -v '^fe80'« with »grep -vE '^(fe80|fd)'«

At first I thought that using route(8) is overly complicated. But it nicely solves the problem of extracting the prefix which would be much more difficult using ifconfig(8).

Mike
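The filtering point raised above and the alias step from the quoted script, as an added example that is not part of the thread and is not Thomas Bohl's script: it selects the stable global address by address range (fe80::/10, fc00::/7) and flag rather than by text prefix, then joins the current /64 with a fixed IID. The ifconfig-style sample, the function names and the IID value are assumptions made for illustration.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")  # includes fd28:..., which '^fd00' misses

# Constructed sample in the style of ifconfig(8) output; not from a real host.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tlladdr f2:b6:71:e6:11:7e
\tinet6 fe80::f0b6:71ff:fee6:117e%em0 prefixlen 64 scopeid 0x1
\tinet6 fd28:1234:5678:1:f0b6:71ff:fee6:117e prefixlen 64 autoconf pltime 3600 vltime 7200
\tinet6 2001:db8:0:4201:eb7f:1267:44d0:45a4 prefixlen 64 autoconf pltime 3600 vltime 7200
\tinet6 2001:db8:0:4201:5d1c:9a02:77e1:b3c prefixlen 64 autoconf temporary pltime 3600 vltime 7200
\tinet6 2001:db8:0:1f00:eb7f:1267:44d0:45a4 prefixlen 64 deprecated autoconf pltime 0 vltime 1200
"""


def inet6_entries(ifconfig_output):
    """Yield (address_text, flag_words) for every inet6 line."""
    for line in ifconfig_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "inet6":
            # Strip the %em0 scope suffix that link-local addresses carry.
            yield fields[1].split("%", 1)[0], set(fields[2:])


def text_prefix_filter(ifconfig_output):
    """The text filter discussed above: drops only literal 'fd00' and 'fe80'."""
    return [a for a, _ in inet6_entries(ifconfig_output)
            if not a.startswith(("fd00", "fe80"))]


def stable_global_addresses(ifconfig_output):
    """Drop link-local, ULA, temporary and deprecated addresses by range and flag."""
    result = []
    for text, flags in inet6_entries(ifconfig_output):
        addr = ipaddress.IPv6Address(text)
        if addr in LINK_LOCAL or addr in ULA:
            continue
        if flags & {"temporary", "deprecated"}:
            continue
        result.append(addr)
    return result


def with_static_iid(address, iid):
    """Keep the upper 64 bits (the /64 prefix) and set the lower 64 bits to iid."""
    if not 0 <= iid < (1 << 64):
        raise ValueError("IID must fit in 64 bits")
    upper = int(ipaddress.IPv6Address(address)) >> 64 << 64
    return ipaddress.IPv6Address(upper | iid)


if __name__ == "__main__":
    print("text filter keeps:", text_prefix_filter(SAMPLE_IFCONFIG))
    current = stable_global_addresses(SAMPLE_IFCONFIG)[0]
    alias = with_static_iid(current, 0x0123456789ABCDEF)  # hypothetical IID
    print(f"ifconfig em0 inet6 alias {alias}")
```
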
Re: IPv6 autoconf with static IID?
Hi Diana!

> On 28.12.2021 at 15:58, deich...@placebonol.com wrote:
>
> I'm still interested in why you are concerned about "leaking" the MAC address?

Well, knowing the vendor of an interface might lead an attacker to exploit known security issues relevant to that vendor. While I deem the risk with OpenBSD to be very low, in the case of a hypervisor generating the MAC, knowing which one might make the target more interesting.

> Changing the MAC with lladdr will still leak the MAC but now it will be the
> one you created.

Yes, I’ll be trying this method shortly.

> If you do decide to change the MAC to a long defunct NIC manufacturer. That
> is what I do for fun. Some of my 10G interfaces use Western Digital OUI,
> from 10base-2 era.

Good idea! :-)

I checked the IEEE registry and determined that currently no prefix of 0xF2, 0xF6, 0xFA or 0xFE is allocated. So combining such a prefix with 5 bytes from /dev/random should work as well.

I have read somewhere that two bits might need to/should have a fixed value in the first octet: 0bxx10. But I couldn’t find any reference yet. Thus the above values to be on the safe side.

Still have to make sure no two interfaces on the same network segment use the same MAC though, but the odds are pretty good.

Mike

>
> G.day
> diana
> KI5PGJ
>
> On December 28, 2021 6:05:54 AM MST, Mike Fischer wrote:
>>
>>> On 28.12.2021 at 13:09, Paul de Weerd wrote:
>>>
>>> On Tue, Dec 28, 2021 at 12:35:07PM +0100, Mike Fischer wrote:
>>> | So I guess the only way to get a stable IID with dynamic prefixes is
>>> | to use the eui64 method? (Which is based on the MAC-address and
>>> | leaks information.)
>>>
>>> What information leak are you afraid of? Someone else knowing the
>>> MAC-address of your system? You can fix that by changing the MAC
>>> address of your interface (see the lladdr option in the ifconfig(8)
>>> manpage at http://man.openbsd.org/ifconfig#lladdr for details)
>>
>> Interesting! I hadn’t thought of that.
>>
> SNIP
>>
>> My thoughts exactly.
>>
>>
>> Thanks for your input!
>>
>> Mike
Re: IPv6 autoconf with static IID?
On Tue, Dec 28, 2021, at 21:05, Mike Fischer wrote:
>> On 28.12.2021 at 13:09, Paul de Weerd wrote:
>> Seems like the simplest way, especially using the lladdr option.
> Yes, I’ll give that a try.

That’s how I “solved” that problem too, though I’m not too worried about leaking anything, so I just did it for vanity.

Note that you can’t control the middle 16 bits (:xxff:fexx:), and you should always set the local bit (02:00:00:00:00:00) in custom MAC addresses.

For example, ce:cc:ff:ee:80:00 has the local bit set, and it yields an IPv6 address of ::::feee:8000.
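The MAC-to-IID mapping discussed in this thread (a first octet of the form xxxxxx10 such as 0xF2, and the fixed ff:fe in the middle of the IID), as an added example that is not part of any poster's message: it generates a locally administered unicast MAC and derives the modified EUI-64 address formed from it for a given /64. The function names are assumptions; 2001:db8::/32 is the documentation prefix also used in the thread.

```python
import ipaddress
import secrets


def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(mac):
    return ":".join(f"{b:02x}" for b in mac)


def is_local_unicast(mac):
    """True if the local bit (0x02) is set and the group/multicast bit (0x01) is clear."""
    return (mac[0] & 0x03) == 0x02


def random_local_mac():
    """Six random bytes with the first octet forced to the form xxxxxx10."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return bytes(raw)


def modified_eui64(mac):
    """64-bit IID: flip the local bit of octet 0 and insert ff:fe after octet 2."""
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the modified EUI-64 IID derived from mac."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 IID needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    mac = random_local_mac()
    print("lladdr ", format_mac(mac))
    print("address", slaac_address("2001:db8:0:4201::/64", mac))
```

Because the local bit is flipped when the IID is built, a MAC with that bit set produces an IID whose first octet has it cleared, which is why f2:... appears as f0... in the link-local address reported earlier in the thread.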
Re: IPv6 autoconf with static IID?
I'm still interested in why you are concerned about "leaking" the MAC address?

Changing the MAC with lladdr will still leak the MAC but now it will be the one you created.

If you do decide to change the MAC to a long defunct NIC manufacturer. That is what I do for fun. Some of my 10G interfaces use Western Digital OUI, from 10base-2 era.

G.day
diana
KI5PGJ

On December 28, 2021 6:05:54 AM MST, Mike Fischer wrote:
>
>> On 28.12.2021 at 13:09, Paul de Weerd wrote:
>>
>> On Tue, Dec 28, 2021 at 12:35:07PM +0100, Mike Fischer wrote:
>> | So I guess the only way to get a stable IID with dynamic prefixes is
>> | to use the eui64 method? (Which is based on the MAC-address and
>> | leaks information.)
>>
>> What information leak are you afraid of? Someone else knowing the
>> MAC-address of your system? You can fix that by changing the MAC
>> address of your interface (see the lladdr option in the ifconfig(8)
>> manpage at http://man.openbsd.org/ifconfig#lladdr for details)
>
>Interesting! I hadn’t thought of that.
>
SNIP
>
>My thoughts exactly.
>
>
>Thanks for your input!
>
>Mike
>
Re: IPv6 autoconf with static IID?
> On 28.12.2021 at 13:09, Paul de Weerd wrote:
>
> On Tue, Dec 28, 2021 at 12:35:07PM +0100, Mike Fischer wrote:
> | So I guess the only way to get a stable IID with dynamic prefixes is
> | to use the eui64 method? (Which is based on the MAC-address and
> | leaks information.)
>
> What information leak are you afraid of? Someone else knowing the
> MAC-address of your system? You can fix that by changing the MAC
> address of your interface (see the lladdr option in the ifconfig(8)
> manpage at http://man.openbsd.org/ifconfig#lladdr for details)

Interesting! I hadn’t thought of that.

> | My options for running an OpenBSD server using IPv6 thus seem to be:
> | - Find a provider with static public IPv6 addresses (prefixes)
>
> That would work, but means you have to change providers - is that
> really what you want? Could be a good message to your current ISP to
> step up their IPv6 game.

It’s more a question of whether I am willing to pay at least 50% more than I’m paying now for a professional (business) plan instead of a typical (private) home plan just for the privilege of getting static IPs. As this is mostly for experimenting and testing I can’t really justify the extra cost.

It would be nice if they offered a (reasonably paid) option to add static IPs to their private plans though.

>
> | - Use dynamic IPv6 addresses (prefixes) and eui64 IIDs
>
> Seems like the simplest way, especially using the lladdr option.

Yes, I’ll give that a try.

> | - Use an IPv6 tunnel broker like tunnelbroker.net to tunnel a static
> | IPv6 address (prefix) through IPv4 (6in4 tunnel)
>
> Seems less useful / efficient, if your provider offers native IPv6.

My thoughts exactly.

Thanks for your input!

Mike
Re: IPv6 autoconf with static IID?
On 2021-12-28, Mike Fischer wrote:
> Thanks Stuart!
>
>> On 28.12.2021 at 10:01, Stuart Henderson wrote:
>>
>> On 2021-12-27, Mike Fischer wrote:
>>> After reading man pages for slaacd(8), hostname.if(5) and ifconfig(8) the
>>> only way to combine a static IID with a dynamic prefix seems to be the
>>> eui64 option:
>>> inet6 autoconf eui64
>>>
>>> However this limits the IID to a fixed value based on the MAC-address of
>>> the interface and potentially leaks information about the vendor of the
>>> interface to the Internet.
>>>
>>> Is there a way to combine "inet6 autoconf" with an arbitrary manually
>>> defined IID?
>>
>> Not directly to a specific IID, but OpenBSD uses RFC 7217 by default
>> rather than a MAC-address-based identifier.
>
> After rereading RFC 7217 my take is that the IID generated by this method
> will change whenever the prefix changes (see section 4. Design Goals). That
> is not what I want because it would require reconfiguration of the IID-based
> forwarding rules on my router whenever the prefix and thus the IID changes.

Ah yes.

> So I guess the only way to get a stable IID with dynamic prefixes is to use
> the eui64 method? (Which is based on the MAC-address and leaks information.)
>
> My options for running an OpenBSD server using IPv6 thus seem to be:
> - Find a provider with static public IPv6 addresses (prefixes)
> - Use dynamic IPv6 addresses (prefixes) and eui64 IIDs
> - Use an IPv6 tunnel broker like tunnelbroker.net to tunnel a static IPv6
> address (prefix) through IPv4 (6in4 tunnel)

Another possibility:

- Use an alternative RA client, if there's one that allows what you need. I would look at dhcpcd, this is probably the one most likely to support it.

> Sounds like a missing feature in slaacd(8) then, unless someone can explain
> why combining a dynamic IPv6 prefix with a manually configured static IID for
> a server would be a bad idea.

I don't think it's a bad idea as such, but you'll still have to deal with DNS and maybe firewall rules if the prefix changes so I don't know how much it buys really.

Personally I would most likely use the MAC address-based autoconf address in this situation, I'm not all that bothered if someone knows the nic manufacturer (or it can often be reset with lladdr, though that doesn't always work well with every nic).
Re: IPv6 autoconf with static IID?
On Tue, Dec 28, 2021 at 12:35:07PM +0100, Mike Fischer wrote:
| So I guess the only way to get a stable IID with dynamic prefixes is
| to use the eui64 method? (Which is based on the MAC-address and
| leaks information.)

What information leak are you afraid of? Someone else knowing the MAC-address of your system? You can fix that by changing the MAC address of your interface (see the lladdr option in the ifconfig(8) manpage at http://man.openbsd.org/ifconfig#lladdr for details)

Then you leak your "self chosen" MAC address - up to you to decide if that's still a concern (but note that it's not really different from "leaking" your IPv6 address in that case).

| My options for running an OpenBSD server using IPv6 thus seem to be:
| - Find a provider with static public IPv6 addresses (prefixes)

That would work, but means you have to change providers - is that really what you want? Could be a good message to your current ISP to step up their IPv6 game.

| - Use dynamic IPv6 addresses (prefixes) and eui64 IIDs

Seems like the simplest way, especially using the lladdr option.

| - Use an IPv6 tunnel broker like tunnelbroker.net to tunnel a static
| IPv6 address (prefix) through IPv4 (6in4 tunnel)

Seems less useful / efficient, if your provider offers native IPv6.

Paul

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: IPv6 autoconf with static IID?
Thanks Stuart!

> On 28.12.2021 at 10:01, Stuart Henderson wrote:
>
> On 2021-12-27, Mike Fischer wrote:
>> After reading man pages for slaacd(8), hostname.if(5) and ifconfig(8) the
>> only way to combine a static IID with a dynamic prefix seems to be the eui64
>> option:
>> inet6 autoconf eui64
>>
>> However this limits the IID to a fixed value based on the MAC-address of the
>> interface and potentially leaks information about the vendor of the
>> interface to the Internet.
>>
>> Is there a way to combine "inet6 autoconf" with an arbitrary manually
>> defined IID?
>
> Not directly to a specific IID, but OpenBSD uses RFC 7217 by default
> rather than a MAC-address-based identifier.

After rereading RFC 7217 my take is that the IID generated by this method will change whenever the prefix changes (see section 4. Design Goals). That is not what I want because it would require reconfiguration of the IID-based forwarding rules on my router whenever the prefix and thus the IID changes.

So I guess the only way to get a stable IID with dynamic prefixes is to use the eui64 method? (Which is based on the MAC-address and leaks information.)

My options for running an OpenBSD server using IPv6 thus seem to be:
- Find a provider with static public IPv6 addresses (prefixes)
- Use dynamic IPv6 addresses (prefixes) and eui64 IIDs
- Use an IPv6 tunnel broker like tunnelbroker.net to tunnel a static IPv6 address (prefix) through IPv4 (6in4 tunnel)

Sounds like a missing feature in slaacd(8) then, unless someone can explain why combining a dynamic IPv6 prefix with a manually configured static IID for a server would be a bad idea.

Anyway, many thanks for your reply!

Mike
Re: IPv6 autoconf with static IID?
On 2021-12-27, Mike Fischer wrote:
> After reading man pages for slaacd(8), hostname.if(5) and ifconfig(8) the
> only way to combine a static IID with a dynamic prefix seems to be the eui64
> option:
> inet6 autoconf eui64
>
> However this limits the IID to a fixed value based on the MAC-address of the
> interface and potentially leaks information about the vendor of the interface
> to the Internet.
>
> Is there a way to combine "inet6 autoconf" with an arbitrary manually defined
> IID?

Not directly to a specific IID, but OpenBSD uses RFC 7217 by default rather than a MAC-address-based identifier.
IPv6 autoconf with static IID?
Hi!

Maybe I’m completely off track with my idea, so please let me know if that is the case. I’ve done some reading and experimenting with IPv6 but wouldn’t consider myself an expert yet.

Goal:
=====
My Internet connection is using dynamic IPv6 prefixes. I want to configure a local (OpenBSD) machine so its public IPv6 address adjusts to changes in the network prefix but keeps a static Interface Identifier (IID). I’d also like to be able to configure the IID manually.

Essentially this would be a server running on the LAN but with a public IPv6 address, reachable from the Internet.

Details:
My Internet provider allocates a dynamic, public IPv6 /64 prefix to my router. The IID of the router is based on the MAC-address of its outside interface (EUI64) and doesn’t change. I’ll call this combination of /64 prefix and IID the "IPv6 address of the router".

My Internet provider additionally allocates a dynamic, public IPv6 /56 prefix to my router. Traffic to addresses from this range is routed to the IPv6 address of the router. The router in turn communicates a /64 prefix based on this /56 prefix and a fixed 8-bit value to my LAN devices. Effectively the LAN devices operate with a dynamic, public /64 prefix.

My router also allows configuration of LAN devices/ports that are reachable from the Internet. This forwarding configuration is based on the IID of the device for IPv6. Without such a forwarding rule, no Internet traffic can open a connection to any LAN device.

So for an IPv6 service on the LAN to be reachable from the Internet, the following criteria must be met:
- A forwarding rule must exist on the router that matches the port and IID of the LAN device. Packets from the Internet are routed to the public IPv6 address of the router. The forwarding rule sets up routing to the LAN device.
- The LAN device must have an IPv6 address matching the current /64 prefix and the IID configured for the forwarding settings on the router.
- A service must listen on the port and IPv6 address on the LAN device. (pf(4) must allow the traffic of course.)
- (Optional) A DNS entry could point to the IPv6 address. This probably requires some form of DDNS to adjust the DNS record when the IPv6 prefix changes. Keeping this updated is a separate problem not relevant for my question.

Note: When I use the term "its IPv6 address" I realize that this is generally only one of a number of IPv6 addresses in use on an interface at any given time. Basically I am referencing the address returned by:

ifconfig em0|grep 'inet6'|grep -vE ' fe80:| fd|deprecated|temporary'

I.e. no link-local, ULA, temporary or deprecated addresses.

Also note that there is no DHCPv6 server in my configuration.

Question/Problem:
=================
After reading man pages for slaacd(8), hostname.if(5) and ifconfig(8) the only way to combine a static IID with a dynamic prefix seems to be the eui64 option:

inet6 autoconf eui64

However this limits the IID to a fixed value based on the MAC-address of the interface and potentially leaks information about the vendor of the interface to the Internet.

Is there a way to combine "inet6 autoconf" with an arbitrary manually defined IID?

Example:
So let’s say I want to use 0123:4567:89ab:cdef as the IID and the current prefix is 2001:db8:0:4201::/64 then how would I specify this in a way that allows slaacd(8) to generate an address using the current /64 prefix and this IID to form 2001:db8::4201:123:4567:89ab:cdef/128?

When the prefix changes to e.g. 2001:db8:0:2a01::/64 I want the address of the interface to change to 2001:db8::2a01:123:4567:89ab:cdef/128.

I may be showing my ignorance here but it seems to me that combining dynamic IPv6 prefixes with manually chosen IIDs should be possible?

This question pertains to OpenBSD 7.0 stable on amd64 with all patches applied in case that makes a difference.

Thanks!

Regards,
Mike