[opensuse] IPv6 - do you use SLAAC or DHCP ?
Just wondering, which method do you use? It seems to me that using SLAAC will produce some pretty difficult-to-recognize addresses, so for now I've got a DHCP6 setup.
-- Per Jessen, Zürich (19.2°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Per Jessen wrote:
Just wondering, which method do you use? It seems to me that using SLAAC will produce some pretty difficult-to-recognize addresses, so for now I've got a DHCP6 setup.
I normally use SLAAC, but also have random number addresses enabled. It's easy enough to add the SLAAC addresses to a hosts file or DNS. The random number addresses came about because some people had security concerns about using the MAC address. You can configure computers to use either or both, as well as manual configuration and DHCP6. The random address is fine if you're not running servers, but you need some static method if you are. On my home network, I'm running dnsmasq, so all I have to do is add the host names and addresses to the host file on that computer and then restart dnsmasq. I also use an external DNS for when I'm away from home. If you have both IPv4 and IPv6 addresses for a computer, list the IPv6 first in the hosts file, so that it gets priority. BTW, that random number address also changes periodically.
James Knott wrote:
Per Jessen wrote:
Just wondering, which method do you use? It seems to me that using SLAAC will produce some pretty difficult-to-recognize addresses, so for now I've got a DHCP6 setup.
I normally use SLAAC, but also have random number addresses enabled. It's easy enough to add the SLAAC addresses to a hosts file or DNS. The random number addresses came about because some people had security concerns about using the MAC address. You can configure computers to use either or both, as well as manual configuration and DHCP6. The random address is fine if you're not running servers, but you need some static method if you are.
Thanks James - yes, I am running servers, but the only truly dynamic devices I have are phones and pads etc.
If you have both IPv4 and IPv6 addresses for a computer, list the IPv6 first in the hosts file, so that it gets priority.
I don't use the hosts file anywhere, but I think IPv6 is given priority by default (by way of /etc/gai.conf).
-- Per Jessen, Zürich (22.5°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
If you have both IPv4 and IPv6 addresses for a computer,
list the IPv6 first in the hosts file, so that it gets priority. I don't use the hosts file anywhere, but I think IPv6 is given priority by default (by way of /etc/gai.conf).
I haven't configured that file, but I found that having IPv4 listed first caused it to be used. Also, not everything here is a Linux box where I can change that file. I also have a smart phone & tablet and occasionally run my notebook with Windows 7. So, putting IPv6 in hosts is a trivial matter. Also, I only do that on the computer that's my firewall/router/dns server/dhcp server/ntp server/IPv6 tunnel end point. I generally don't worry about the hosts files on other computers.
James Knott wrote:
Per Jessen wrote:
but the only truly dynamic devices I have are phones and pads etc.
Even my Android smart phone and tablet use both SLAAC & random addresses.
Yes, I figure that's what I'll be doing as well.
-- Per Jessen, Zürich (18.1°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
but the only truly dynamic devices I have are phones and pads etc.
Even my Android smart phone and tablet use both SLAAC & random addresses.
Yes, I figure that's what I'll be doing as well.
Hmmm, I guess running both SLAAC and DHCP isn't that easy. Once I started the RA daemon on the main router/firewall, every box on the network got a global IPv6 address. I guess I have to configure them individually to use DHCP. In fact, I don't want any automatic IPv6 assignment for existing boxes - this would mean IPv6 traffic where none existed before, I can think of scripts and apps that may very well choke on that.
-- Per Jessen, Zürich (22.3°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
but the only truly dynamic devices I have are phones and pads etc. Even my Android smart phone and tablet use both SLAAC & random addresses. Yes, I figure that's what I'll be doing as well.
Hmmm, I guess running both SLAAC and DHCP isn't that easy. Once I started the RA daemon on the main router/firewall, every box on the network got a global IPv6 address. I guess I have to configure them individually to use DHCP. In fact, I don't want any automatic IPv6 assignment for existing boxes - this would mean IPv6 traffic where none existed before, I can think of scripts and apps that may very well choke on that.
Why are you bothering with DHCP6? It's really not needed, unless you want to provide IPv6 server addresses to clients. As I mentioned, it's easy enough to add IPv6 addresses to DNS or hosts file, so you don't have to worry about typing in an IPv6 address. On my network, I use the SLAAC addresses as mentioned. I use manual configuration for anything that's permanently attached to my network, for things like NTP & DNS server. Other devices, such as my smart phone, tablet and notebook computer use DHCP to get the IPv4 address for those servers. Everything just works well and uses IPv6 whenever possible. It sounds like you're making work for yourself, when you don't have to.
James Knott wrote:
Per Jessen wrote:
Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
but the only truly dynamic devices I have are phones and pads etc. Even my Android smart phone and tablet use both SLAAC & random addresses. Yes, I figure that's what I'll be doing as well.
Hmmm, I guess running both SLAAC and DHCP isn't that easy. Once I started the RA daemon on the main router/firewall, every box on the network got a global IPv6 address. I guess I have to configure them individually to use DHCP. In fact, I don't want any automatic IPv6 assignment for existing boxes - this would mean IPv6 traffic where none existed before, I can think of scripts and apps that may very well choke on that.
Why are you bothering with DHCP6? It's really not needed, unless you want to provide IPv6 server addresses to clients.
That is primarily what my current DHCP4 setup does - provides static addresses to servers. Plus default route, ntp options and any static routes needed. It's mostly a way of keeping the config central. I'm possibly just thinking in old ways too much.
As I mentioned, it's easy enough to add IPv6 addresses to DNS
But when they're randomly generated even for well-known clients, how is my DNS updated?
or hosts file, so you don't have to worry about typing in an IPv6 address.
I would still like to be able to recognize them in logs etc. With ip6?tables, tcpdump and such I'd also still want to recognize them. For a server that has nnn.nn.2.49 today, I was thinking of assigning 2001:db8:1020:ff1::1:2049 - no problem with DHCP6.
On my network, I use the SLAAC addresses as mentioned. I use manual configuration for anything that's permanently attached to my network, for things like NTP & DNS server.
Okay. How do you prevent those servers from getting a randomly generated IPv6 address?
Other devices, such as my smart phone, tablet and notebook computer use DHCP to get the IPv4 address for those servers. Everything just works well and uses IPv6 whenever possible. It sounds like you're making work for yourself, when you don't have to.
I agree, that is entirely possible.
-- Per Jessen, Zürich (19.2°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
James Knott wrote:
On my network, I use the SLAAC addresses as mentioned. I use manual configuration for anything that's permanently attached to my network, for things like NTP & DNS server.
Okay. How do you prevent those servers from getting a randomly generated IPv6 address?
Hmm, it seems that the SLAAC is automagically disabled when dhclient6 is running. Which solves my issue with having both SLAAC and DHCP6, except for three Windows boxes. And I don't really have to worry about those.
-- Per Jessen, Zürich (18.8°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
As I mentioned, it's easy enough to add IPv6 addresses to DNS But when they're randomly generated even for well-known clients, how is my DNS updated?
There are two common ways to get an IPv6 address, as I mentioned in a previous note. There is one based on the MAC address and it is permanent. Short of replacing the NIC, that address won't change. The other is to use a random number, which does change frequently. It's possible on both Linux & Windows and I expect Mac too, to enable either or both methods. I didn't have to do anything special on Linux to get both. They just work. On Windows XP, they also just worked, but on Windows 7, I had to specifically enable the MAC based address. Like the link local address, the MAC based address will contain your MAC address, but with FFFE inserted in the middle. With openSUSE you should have both address types, assuming you have RADVD running somewhere to assign the network portion of the address.
I would still like to be able to recognize them in logs etc. With ip6?tables, tcpdump and such I'd also still want to recognize them in. For a server that has nnn.nn.2.49 today, I was thinking of assigning 2001:db8:1020:ff1::1:2049 - no problem with DHCP6.
Once you've been working with them for a while, you'll soon recognize the MAC based addresses.
On my network, I use the SLAAC addresses as mentioned. I use manual configuration for anything that's permanently attached to my network, for things like NTP & DNS server. Okay. How do you prevent those servers from getting a randomly generated IPv6 address?
You should have both MAC based and random addresses already. Just use the MAC based for your servers. It doesn't matter about the random number one, so long as your DNS or hosts file contain the MAC based. If you have a random address, it's normally used for outgoing connections, not incoming. Run ifconfig to see your addresses. You should see a link local address that starts with FE80:: and the right hand portion is your MAC address with FFFE in the middle and the universal/local bit of the MAC inverted. If you have a MAC based address, the host part of the address will be identical to that of the link local address, but with the network portion assigned by your router. A random number address will have the same network portion as the MAC address, but the least significant 64 bits will be a random number and if your computer has been up for a while there will be a few of them. The top one will be the current, but the others are still valid, but deprecated.
James Knott wrote:
but with FFFE inserted in the middle. With openSUSE you should have both address types, assuming you have RADVD running somewhere to assign the network portion of the address.
Yes, I do. Not all systems got both types though. When a system is assigned both, which one is used for outgoing connections?
I would still like to be able to recognize them in logs etc. With ip6?tables, tcpdump and such I'd also still want to recognize them in. For a server that has nnn.nn.2.49 today, I was thinking of assigning 2001:db8:1020:ff1::1:2049 - no problem with DHCP6.
Once you've been working with them for a while, you'll soon recognize the MAC based addresses.
Hmm, I rarely recognize MAC addresses today, somehow I can't imagine that changing :-) I occasionally recognize the OUI, but not the rest. I guess I could live with it, but I would prefer a more recognisable scheme. Today I have a setup with 192.68.x, where x:
 2 = physical servers
 3 = printers
 4 = telephones & security cameras
 6 = fixed desktops & laptops
 7 = dynamic clients (usually wifi)
 9 = xen servers
 13 = ILO cards
 1 = everything else
(some of these will never do IPv6 though).
On my network, I use the SLAAC addresses as mentioned. I use manual configuration for anything that's permanently attached to my network, for things like NTP & DNS server. Okay. How do you prevent those servers from getting a randomly generated IPv6 address?
You should have both MAC based and random addresses already. Just use the MAC based for your servers. It doesn't matter about the random number one, so long as your DNS or hosts file contain the MAC based. If you have a random address, it's normally used for outgoing connections, not incoming.
When I started radvd on the router/firewall, most of my systems only had one address, the MAC-based one. I would not want the random address used for outgoing connections though. (for arbitrary clients yes, but not for anything fixed). I mean, imagine a mailserver delivering outgoing mail from a random address??
Hmm, so with SLAAC, systems are assigned an address based on the MAC of the interface. That doesn't change so I can set up the DNS based on that. Do you know how I can prevent the random address from being used/allocated? It's possible that most of our systems are too old (pre 12.x) for the random address to work, but with 13.1M2 I got this:
2: enp3s1f0:
Per Jessen wrote:
Yes, I do. Not all systems got both types though. When a system is assigned both, which one is used for outgoing connections?
The random address.
When I started radvd on the router/firewall, most of my systems only had one address, the MAC-based one. I would not want the random address used for outgoing connections though. (for arbitrary clients yes, but not for anything fixed). I mean, imagine a mailserver delivering outgoing mail from a random address??
Think of outgoing as you using a browser and incoming, your servers. It is only the incoming traffic that needs to know the address. So, look up your MAC based address and use it for your DNS. For outgoing, it really doesn't matter which you use. There's a way to turn off random, but I don't recall the details at the moment.
Hmm, so with SLAAC, systems are assigned an address based on the MAC of the interface. That doesn't change so I can set up the DNS based on that. Do you know how I can prevent the random address from being used/allocated? It's possible that most of our systems are too old (pre 12.x) for the random address to work, but with 13.1M2 I got this:
2: enp3s1f0: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:15:60:57:07:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.140/21 brd 192.168.7.255 scope global enp3s1f0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:2010:1ff:a5e4:4fb7:2ef0:5d1b/64 scope global temporary dynamic
       valid_lft 557201sec preferred_lft 38201sec
    inet6 2001:db8:2010:1ff:215:60ff:fe57:7f1/64 scope global dynamic
       valid_lft 2550353sec preferred_lft 563153sec
    inet6 fe80::215:60ff:fe57:7f1/64 scope link
       valid_lft forever preferred_lft forever
"fe80::215:60ff:fe57:7f1/64 scope link" is your link local address. That will never change, unless you replace the NIC. "2001:db8:2010:1ff:215:60ff:fe57:7f1/64 scope global dynamic" is your MAC based address. Use this in your DNS. In both of the above, you'll see your MAC address with FFFE inserted in the middle, as well as the 2 in the first part of the host address. That 2 is due to the universal/local bit being inverted. This is done so that if you create local addresses, you don't have that bit on, making the address a bit simpler. "inet6 2001:db8:2010:1ff:a5e4:4fb7:2ef0:5d1b/64 scope global temporary dynamic" is your random number address. As you get more, all but the latest will say "temporary deprecated dynamic". I've got 3 of those. I don't recall which version of openSUSE the random numbers started with, but, IIRC, they weren't there 3 years ago. As I mentioned, don't worry about that random address. It will be used only when you are accessing something else from your computer. Just use the MAC address in your DNS and you'll be fine.
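As an added example (not code from the thread, from openSUSE or from radvd), the following Python script does what James describes by hand in the two messages above: it builds the modified EUI-64 address from a MAC and a /64 prefix (FFFE inserted, universal/local bit flipped), recovers the MAC from such an address, and labels each inet6 address in `ip addr` output as the stable MAC-based one or a temporary one. The embedded sample is the enp3s1f0 listing quoted above; the labels and helper names are this example's own.

```python
"""Recognise SLAAC addresses: derive the modified EUI-64 from a MAC and
classify the addresses shown by `ip -6 addr` as stable (MAC-based) or
temporary (privacy extension), so the right one ends up in DNS/hosts."""
from __future__ import annotations

import ipaddress
import re

# Sample taken from the `ip addr` output quoted in the thread (enp3s1f0,
# MAC 00:15:60:57:07:f1, documentation prefix 2001:db8:2010:1ff::/64).
SAMPLE = """\
2: enp3s1f0: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:15:60:57:07:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.140/21 brd 192.168.7.255 scope global enp3s1f0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:2010:1ff:a5e4:4fb7:2ef0:5d1b/64 scope global temporary dynamic
       valid_lft 557201sec preferred_lft 38201sec
    inet6 2001:db8:2010:1ff:215:60ff:fe57:7f1/64 scope global dynamic
       valid_lft 2550353sec preferred_lft 563153sec
    inet6 fe80::215:60ff:fe57:7f1/64 scope link
       valid_lft forever preferred_lft forever
"""

MAC_RE = re.compile(r"link/ether ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")
INET6_RE = re.compile(r"^\s*inet6 (\S+)/\d+ scope (\w+)(.*)$", re.MULTILINE)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier: split the 48-bit MAC in half,
    insert 0xfffe between the halves, and invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # the bit that turns 00:15:... into 215:... in the address
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address SLAAC forms from a /64 prefix (from an RA) and the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC/EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(addr: str) -> str | None:
    """Recover the MAC from an EUI-64-shaped address; None if the interface
    identifier lacks the ff:fe marker (temporary, DHCPv6 or manual address)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if bytes(b[3:5]) != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def classify(ip_output: str) -> dict[str, str]:
    """Label every inet6 address in `ip addr` output for log/DNS housekeeping."""
    m = MAC_RE.search(ip_output)
    nic_mac = m.group(1) if m else None
    kinds: dict[str, str] = {}
    for addr, scope, flags in INET6_RE.findall(ip_output):
        recovered = mac_from_eui64(addr)
        if "temporary" in flags:
            kind = "temporary (privacy extension, rotates; not for DNS)"
        elif recovered is not None and recovered == nic_mac:
            kind = f"{scope} EUI-64 from {recovered}"
        elif recovered is not None:
            kind = f"{scope} EUI-64 from {recovered} (different NIC?)"
        else:
            kind = f"{scope} non-EUI-64 (manual, DHCPv6 or random)"
        kinds[addr] = kind
    return kinds


if __name__ == "__main__":
    mac = "00:15:60:57:07:f1"
    print("link-local:", slaac_address("fe80::/64", mac))
    print("global    :", slaac_address("2001:db8:2010:1ff::/64", mac))
    for addr, kind in classify(SAMPLE).items():
        print(f"{addr:45} {kind}")
```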
James Knott wrote:
Per Jessen wrote:
Yes, I do. Not all systems got both types though. When a system is assigned both, which one is used for outgoing connections?
The random address.
When I started radvd on the router/firewall, most of my systems only had one address, the MAC-based one. I would not want the random address used for outgoing connections though. (for arbitrary clients yes, but not for anything fixed). I mean, imagine a mailserver delivering outgoing mail from a random address??
Think of outgoing as you using a browser and incoming, your servers. It is only the incoming traffic that needs to know the address. So, look up your MAC based address and use it for your DNS. For outgoing, it really doesn't matter which you use. There's a way to turn off random, but I don't recall the details at the moment.
For outgoing, at least for a mailserver, it does matter a lot which address is being used. Using the random address would mean the receiving server would have no way of identifying the sending server. If using dhclient6 actually means not getting a random address assigned, that's probably what I need to do.
It's possible that most of our systems are too old (pre 12.x) for the random address to work, but with 13.1M2 I got this:
2: enp3s1f0: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:15:60:57:07:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.140/21 brd 192.168.7.255 scope global enp3s1f0
       valid_lft forever preferred_lft forever
    inet6 2001:db8:2010:1ff:a5e4:4fb7:2ef0:5d1b/64 scope global temporary dynamic
       valid_lft 557201sec preferred_lft 38201sec
    inet6 2001:db8:2010:1ff:215:60ff:fe57:7f1/64 scope global dynamic
       valid_lft 2550353sec preferred_lft 563153sec
    inet6 fe80::215:60ff:fe57:7f1/64 scope link
       valid_lft forever preferred_lft forever
"fe80::215:60ff:fe57:7f1/64 scope link" is your link local address. That will never change, unless you replace the NIC.
Right.
"2001:db8:2010:1ff:215:60ff:fe57:7f1/64 scope global dynamic" is your MAC based address. Use this in your DNS.
Right.
"inet6 2001:db8:2010:1ff:a5e4:4fb7:2ef0:5d1b/64 scope global temporary dynamic" is your random number address. As you get more, all but the latest will say "temporary deprecated dynamic". I've got 3 of those.
Interesting. Thanks James, I'll be back with more questions :-)
-- Per Jessen, Zürich (17.7°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
-----Original Message-----
For outgoing, at least for a mailserver, it does matter a lot which address is being used. Using the random address would mean the receiving server would have no way of identifying the sending server. If using dhclient6 actually means not getting a random address assigned, that's probably what I need to do.
-----Original Message-----
I surely hope that you use something else than your IP for identifying... -) So you probably mean "the (sub-)net allowing connections".
V6 offers some privacy by using random numbers instead of fixed MAC addresses. One of the nicest things about v6 is that you can add a lot of multiple addresses to your NIC. So while still using a randomized address for surfing, you can still add additional fixed addresses for other purposes. afaicr, the idea was: "outgoing=random, incoming=fixed" for both servers and desktops
hw
Hans Witvliet wrote:
-----Original Message-----
For outgoing, at least for a mailserver, it does matter a lot which address is being used. Using the random address would mean the receiving server would have no way of identifying the sending server.
If using dhclient6 actually means not getting a random address assigned, that's probably what I need to do.
-----Original Message----- I surely hope that you use something else than your IP for identifying... -) So you probably mean "the (sub-)net allowing connections".
The first thing e.g. postfix does is do a reverse lookup of the IP of an inbound connection. Then it does a forward lookup.
V6 offers some privacy by using random numbers instead of fixed MAC addresses. One of the nicest things about v6 is that you can add a lot of multiple addresses to your NIC.
Hmm, but that works with IPv4 too?
-- Per Jessen, Zürich (17.8°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
If using dhclient6 actually means not getting a random address assigned, that's probably what I need to do.
With dhclient6 I still get a random address assigned too. I must have misread something yesterday.
-- Per Jessen, Zürich (16.7°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
For outgoing, at least for a mailserver, it does matter a lot which address is being used. Using the random address would mean the receiving server would have no way of identifying the sending server.
If using dhclient6 actually means not getting a random address assigned, that's probably what I need to do.
You can always turn off the random addresses. You can find the info on doing that here: http://en.opensuse.org/SDB:Native_IPv6#Stateless_Autoconfiguration
James Knott wrote:
Think of outgoing as you using a browser and incoming, your servers. It is only the incoming traffic that needs to know the address. So, look up your MAC based address and use it for your DNS. For outgoing, it really doesn't matter which you use. There's a way to turn off random, but I don't recall the details at the moment.
echo 0 > /proc/sys/net/ipv6/conf/default/use_tempaddr
I have to say, I don't really see the point of using a random address on our own network.
-- Per Jessen, Zürich (17.8°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
I have to say, I don't really see the point of using a random address on our own network.
The idea is so you can "surf the web" without having an address that can be traced to a specific piece of hardware. Granted, if you're the only one using your network, it won't make much difference. However, if you take your notebook computer somewhere else and want to be anonymous, then it might be useful.
James Knott wrote:
Per Jessen wrote:
I have to say, I don't really see the point of using a random address on our own network.
The idea is so you can "surf the web" without having an address that can be traced to a specific piece of hardware.
Still doesn't make any sense on my own network - in particular not when it's not for web-access. Email, ssh, vpn, snmp, rsync - as an admin, I would want to know the identity of a client, just like I do today.
Granted, if you're the only one using your network, it won't make much difference.
Well, not just me personally, but desktops and servers on my local corporate network. I mean, why should somebody's telephone use a random address when connecting to the Asterisk server?
However, if you take your notebook computer somewhere else and want to be anonymous, then it might be useful.
Yes, that is a reasonable use case.
-- Per Jessen, Zürich (17.2°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
James Knott wrote:
[snip ] ... assuming you have RADVD running somewhere to assign the network portion of the address.
radvd is very picky with the config syntax, huh? Everything has got to be in the _right_ order :-)
-- Per Jessen, Zürich (17.9°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen wrote:
James Knott wrote:
[snip ] ... assuming you have RADVD running somewhere to assign the network portion of the address. radvd is very picky with the config syntax, huh? Everything has got to be in the _right_ order :-)
I don't recall configuring anything with RADVD. It just worked.
James Knott wrote:
Per Jessen wrote:
James Knott wrote:
[snip ] ... assuming you have RADVD running somewhere to assign the network portion of the address. radvd is very picky with the config syntax, huh? Everything has got to be in the _right_ order :-)
I don't recall configuring anything with RADVD. It just worked.
The sample won't "just" work - I think at least you'd need to change the IPv6 prefix? I also wanted to limit the function to just two clients (to avoid having global IPv6 addresses assigned to all my systems). It was pretty fussy about where I put the "clients" config line.
-- Per Jessen, Zürich (17.1°C) http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Participants (3): Hans Witvliet, James Knott, Per Jessen