Gentoo Forums
Howto set valid lifetime of IPv6 mngtmpaddr address?
1970
n00b


Joined: 07 May 2010
Posts: 55

PostPosted: Sun Feb 14, 2016 10:21 pm    Post subject: Howto set valid lifetime of IPv6 mngtmpaddr address?

I have IPv6 enabled with privacy extensions and get IPv6 router advertisements (RA) from my telecom provider, which autoconfigures my IPv6 address.

Code:

cat /proc/sys/net/ipv6/conf/eth1/use_tempaddr
2

cat /proc/sys/net/ipv6/conf/eth1/temp_valid_lft
172800

cat /proc/sys/net/ipv6/conf/eth1/temp_prefered_lft
86400

ip -6 a
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2003:86:ae58:a4d7:e802:ab30:b014:8b18/64 scope global temporary dynamic
       valid_lft 107895sec preferred_lft 20895sec
    inet6 2003:86:ae58:a4d7:7254:d2ff:fe7c:39be/64 scope global mngtmpaddr dynamic
       valid_lft 604749sec preferred_lft 86349sec



As you can see, the settings of temp_valid_lft and temp_prefered_lft are honoured for the "global temporary dynamic" address, but not for the "global mngtmpaddr dynamic" address (which has the MAC address in the host part of the address).

Since I get a new /64 prefix every 24h from my provider via RA, and the valid lifetime of the mngtmpaddr address is 604800 s (7 days), in the end I have 6 deprecated mngtmpaddr addresses. E.g. a deprecated address looks like this:

Code:

ip -6 a
    inet6 2003:86:ae58:a4f8:7254:d2ff:fe7c:39be/64 scope global deprecated mngtmpaddr dynamic
       valid_lft 366217sec preferred_lft 0sec

cat /proc/sys/net/ipv6/conf/eth1/max_addresses
16


I would like to get rid of these, even though I understand there is a maximum number of IPv6 addresses defined in max_addresses.

Does anybody know how to reduce the valid lifetime of a "global mngtmpaddr dynamic" kind of address?

Edit:
Kernel 4.1.12-gentoo
iproute2-3.19.0
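As an added example (not part of the original post), a small Python helper that parses `ip -6 addr` output like the above, lists the deprecated mngtmpaddr leftovers, shows why the mngtmpaddr address exposes the NIC's MAC (modified EUI-64 interface id) while the temporary one does not, and computes how many deprecated addresses a daily prefix change combined with a 7-day valid lifetime leaves behind. The sample output is constructed from the addresses quoted in the post.

```python
import re
from ipaddress import IPv6Address

# Constructed sample, modelled on the `ip -6 a` output quoted in the post.
SAMPLE = """\
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2003:86:ae58:a4d7:e802:ab30:b014:8b18/64 scope global temporary dynamic
       valid_lft 107895sec preferred_lft 20895sec
    inet6 2003:86:ae58:a4d7:7254:d2ff:fe7c:39be/64 scope global mngtmpaddr dynamic
       valid_lft 604749sec preferred_lft 86349sec
    inet6 2003:86:ae58:a4f8:7254:d2ff:fe7c:39be/64 scope global deprecated mngtmpaddr dynamic
       valid_lft 366217sec preferred_lft 0sec
"""

ADDR_RE = re.compile(r"^\s+inet6 (\S+)/(\d+) scope (\w+)(.*)$")
LFT_RE = re.compile(r"^\s+valid_lft (\S+) preferred_lft (\S+)$")
_lft = lambda s: None if s == "forever" else int(s[:-3])   # '107895sec' -> 107895

def parse_ip6(text):
    """Turn `ip -6 addr` output into a list of address records."""
    addrs, cur = [], None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            cur = {"addr": m.group(1), "plen": int(m.group(2)),
                   "scope": m.group(3), "flags": set(m.group(4).split())}
            addrs.append(cur)
        elif (m := LFT_RE.match(line)) and cur is not None:
            cur["valid_lft"], cur["preferred_lft"] = _lft(m.group(1)), _lft(m.group(2))
    return addrs

def deprecated_mngtmpaddr(addrs):
    """RA-derived (mngtmpaddr) addresses whose preferred lifetime has run out."""
    return [a["addr"] for a in addrs if {"deprecated", "mngtmpaddr"} <= a["flags"]]

def eui64_mac(addr):
    """MAC embedded in a modified EUI-64 interface id, or None if the id is not EUI-64.
    This is why the mngtmpaddr address reveals the NIC's MAC while temporary ones do not."""
    iid = IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the u/l bit flip
    return ":".join(f"{x:02x}" for x in mac)

def expected_deprecated(rotation_s, valid_lft_s):
    """Steady-state number of deprecated mngtmpaddr addresses when the provider
    changes the prefix every rotation_s seconds and each address stays valid
    for valid_lft_s seconds: every still-valid prefix except the current one."""
    return max(-(-valid_lft_s // rotation_s) - 1, 0)
```

Feed parse_ip6 the output of `ip -6 addr show dev eth1` to check a live interface; for the sample above, deprecated_mngtmpaddr returns the a4f8 address, eui64_mac recovers 70:54:d2:7c:39:be from the mngtmpaddr address and expected_deprecated(86400, 604800) is 6, matching the count observed in the post.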
UberLord
Retired Dev


Joined: 18 Sep 2003
Posts: 6741
Location: Blighty

PostPosted: Mon Feb 15, 2016 10:25 am    Post subject: Re: Howto set valid lifetime of IPv6 mngtmpaddr address?

1970 wrote:
As you can see, the settings of temp_valid_lft and temp_prefered_lft are honoured for the "global temporary dynamic" address, but not for the "global mngtmpaddr dynamic" address (which has the MAC address in the host part of the address).

Since I get a new /64 prefix every 24h from my provider via RA, and the valid lifetime of the mngtmpaddr address is 604800 s (7 days), in the end I have 6 deprecated mngtmpaddr addresses. E.g. a deprecated address looks like this:


mngtmpaddr is a flag assigned to each address received via RA.
As the address itself is not a temporary one, rather one to base temporary addresses from, the temporary address lifetimes do not apply.
So you have a lot of deprecated addresses. This is quite a common thing with IPv6 temporary addresses, but I need to ask: why do you think this is a problem?

Yes the kernel does have a limit of the maximum number of addresses, but once this is reached it will trim the oldest deprecated ones first, so this should not be a problem.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
1970
n00b


Joined: 07 May 2010
Posts: 55

PostPosted: Mon Feb 15, 2016 1:25 pm    Post subject: Re: Howto set valid lifetime of IPv6 mngtmpaddr address?

UberLord wrote:
Yes the kernel does have a limit of the maximum number of addresses, but once this is reached it will trim the oldest deprecated ones first, so this should not be a problem.


Nice to hear, thanks! Could you tell me the source of this information?

It is not mentioned here:
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt


Last edited by 1970 on Mon Feb 15, 2016 3:41 pm; edited 1 time in total
UberLord
Retired Dev


Joined: 18 Sep 2003
Posts: 6741
Location: Blighty

PostPosted: Mon Feb 15, 2016 3:33 pm

Gah, my bad!

This happens with neighbour addresses, not actual ip addresses.
1970
n00b


Joined: 07 May 2010
Posts: 55

PostPosted: Tue Feb 16, 2016 7:30 pm

At least, when I get a completely new /56 prefix from my telecom provider (which happens every 4 days), the old IPv6 addresses disappear before their lifetime ends (which makes sense, since they are not routable anymore).
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 43207
Location: 56N 3W

PostPosted: Tue Feb 16, 2016 7:38 pm

1970,

I wonder if that's a problem for me. I have a static /48.

I'm not convinced that the privacy extensions are actually useful because the prefix doesn't change.
My /48 is always traceable to me, regardless of what I do with the IPv6 addresses.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
UberLord
Retired Dev


Joined: 18 Sep 2003
Posts: 6741
Location: Blighty

PostPosted: Tue Feb 16, 2016 8:29 pm

NeddySeagoon wrote:
I'm not convinced that the privacy extensions are actually useful because the prefix doesn't change.
My /48 is always traceable to me, regardless of what I do with the IPv6 addresses.


The /48 is traceable to you yes.
But due to privacy extensions that's where it stops, there is nothing to track back (from the IP layer anyway) to a specific machine where the address changes.
And thanks to the Internet of Things with IPv6, who's to say which machine, from your desktop to your toaster, is really a nefarious music sharing hub for Rick Astley?

Stable Private Addresses (I think very recent kernels support this; dhcpcd has done so for almost two years now) provide a better solution to the problem because the address doesn't change (unless you change the MAC address, like a card, SSID or private key, or the advertised prefix).
This effectively masks your MAC address from upstream servers. But please remember, nothing hides it from nodes you directly talk to on the same network segment.
This makes it an excellent choice for servers as well.

But really, this is all a minor issue as there are many other and better ways to track you.
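As an added illustration of the stable private addresses described in the post above (not code from the thread, dhcpcd or the kernel): RFC 7217 derives the interface identifier from a per-host secret key, the advertised prefix, the interface, a network id such as the SSID and a DAD counter. The address is therefore stable as long as those stay the same, carries no MAC address, and cannot be correlated across prefixes. HMAC-SHA256 is an assumed choice for the RFC's PRF F(), and all inputs below are constructed.

```python
import hashlib
import hmac
from ipaddress import IPv6Address, IPv6Network

def stable_iid(prefix, net_iface, network_id, dad_counter, secret_key):
    """RFC 7217 interface id: F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    HMAC-SHA256 is assumed for F here (the RFC only requires a PRF, so this is
    not dhcpcd's or the kernel's exact construction). The MAC address is not an
    input, so nothing about the NIC ends up in the address.
    """
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    msg = (net.network_address.packed[:8] + net_iface.encode()
           + network_id.encode() + bytes([dad_counter]))
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]

def stable_address(prefix, net_iface, network_id, secret_key, in_use=()):
    """Combine prefix and IID; on a DAD collision bump DAD_Counter and retry."""
    net = IPv6Network(prefix)
    for dad_counter in range(256):
        iid = stable_iid(prefix, net_iface, network_id, dad_counter, secret_key)
        addr = IPv6Address(int.from_bytes(net.network_address.packed[:8] + iid, "big"))
        if addr not in in_use:          # duplicate address detection passed
            return addr, dad_counter
    raise RuntimeError("too many DAD collisions")

def demo():
    # Constructed inputs: one per-host secret and the two /64 prefixes seen in the thread.
    secret = b"constructed-per-host-secret-keep-this-private"
    home_a, _ = stable_address("2003:86:ae58:a4d7::/64", "eth1", "home-ssid", secret)
    home_b, _ = stable_address("2003:86:ae58:a4f8::/64", "eth1", "home-ssid", secret)
    # Same prefix again gives the same address (stable); a new prefix gives an
    # unrelated interface id, so the two cannot be linked by their host part.
    return home_a, home_b
```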
1970
n00b


Joined: 07 May 2010
Posts: 55

PostPosted: Tue Feb 16, 2016 8:31 pm

NeddySeagoon wrote:
1970,

I wonder if that's a problem for me. I have a static /48.

I'm not convinced that the privacy extensions are actually useful because the prefix doesn't change.
My /48 is always traceable to me, regardless of what I do with the IPv6 addresses.


Sure, if your prefix doesn't change, it's like having a static IPv4 address.

IPv6 and privacy do not fit together well, as far as I have seen. I think IPv6 is more (only?) useful for servers with a static prefix and without privacy extensions. Private users need to regularly change the complete prefix for privacy reasons, not only the host part of the address (via privacy extensions) or the /64 subnet. And that is a problem, since then all your addresses in the whole "LAN" network change completely, so it is not manageable, as you cannot reference the hosts in your "LAN" in a stable way. That is what I know. It looks to me that private users need to stick with NATing, even with IPv6.
UberLord
Retired Dev


Joined: 18 Sep 2003
Posts: 6741
Location: Blighty

PostPosted: Tue Feb 16, 2016 8:33 pm

1970 wrote:
It looks to me that private users need to stick with NATing, even with IPv6.


NATing buys you nothing and is the devil spawn of networking.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 43207
Location: 56N 3W

PostPosted: Tue Feb 16, 2016 8:42 pm

1970,

Once upon a time, IPv4 was supposed to work without NAT.
NAT was a hack to work around the fact that most of the IPv4 address space was allocated to the USA.

Just get used to IPv6 addresses being public and set up your firewall with a healthy degree of paranoia.
UberLord
Retired Dev


Joined: 18 Sep 2003
Posts: 6741
Location: Blighty

PostPosted: Tue Feb 16, 2016 8:47 pm

You guys are missing it - IPv6 Privacy options are for hiding the hardware address of your network card from machines outside your local network segment.
That's it.

This gives you the equivalent privacy of IPv4 NAT.

The only way to get more private at the IP level is to use a tunnel.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 43207
Location: 56N 3W

PostPosted: Tue Feb 16, 2016 9:15 pm

UberLord,

Ahhhh ... the penny dropped.

Thank you.
1970
n00b


Joined: 07 May 2010
Posts: 55

PostPosted: Wed Feb 17, 2016 4:48 am

NeddySeagoon wrote:
Once upon a time, IPv4 was supposed to work without NAT.


I think my post was pretty clear.
Suppose you get 5 real, globally routable IPv4 addresses from your telecom provider.

So you can give each of your five computers/VMs at home its own real IPv4 address. Nice.

But then, you do not want to change these addresses, since then you cannot have one serving as NFS server, DNS server etc., since you would need to change DNS or any other configuration on the client side if you change the IPv4 addresses.

And static addresses conflict with privacy.

So IPv4 NAT has the advantage that you only need to change _one_ outer IPv4 address, while the IP addresses of your LAN infrastructure can stay untouched and can talk to each other in a stable way.
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5761

PostPosted: Wed Feb 17, 2016 10:39 pm

1970 wrote:
Sure, if your prefix doesn't change, it's like having a static IPv4 address.

Correction: if you have a /56 prefix that doesn't change, it's like having 4722 quadrillion static IPv4 addresses.

If you think that isn't private enough, try brute-forcing that address space and let us know when you've succeeded - if the universe is still around then.
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1747

PostPosted: Thu Feb 18, 2016 5:40 pm

Quote:
If you think that isn't private enough, try brute-forcing that address space and let us know when you've succeeded
Private as in "I don't know what to call" or "I won't know when I see it"?
I'd only call the latter one "private".
Quote:
while the IP addresses of Your LAN infrastructure can stay untouched and can talk to each other in a stable way.
You don't need a static IP for that. You can use human-readable names and a multicast group for neighbour discovery. Avahi, anyone?
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5761

PostPosted: Thu Feb 18, 2016 5:59 pm

szatox wrote:
Private as in "I don't know what to call" or "I won't know when I see it"?
I'd only call the latter one "private".


Private as in both: this is a setup that (as explained in the first post) already has random temporary addresses for all outgoing connections, which on their own provide just as much protection as a stateful IPv4 NAT.


What's the threat model here?