Use IPv6 temporary address only with remote peers

6

1

I think this question concerns the interaction between the configurable Default Address Selection algorithm defined by RFC-3484 and the temporary addresses defined by RFC-4941, though the solution may require some third kind of functionality. My environment is Linux (kernel version 3.2.0 on Ubuntu 12.04) with the iproute2 utility (version ss111117).

How can I configure my computer to use a regular, non-privacy enhanced address to connect to other nodes under the same prefix, but use a temporary address for connections to nodes outside that prefix?

For example, let's say that my computer is fuzzy, and my file server is bunny. Somewhere out on the IPv6 Internet is a website I want to visit, nosey.example.com. Here are the addresses assigned on fuzzy:

neirbowj@fuzzy:~$ ip -6 addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:d00d:babe:6d3b:96d0:f584:beb3/64 scope global temporary dynamic 
       valid_lft 599342sec preferred_lft 80342sec
    inet6 2001:db8:d00d:babe:22fc:11ff:fe53:b2e7/64 scope global dynamic 
       valid_lft 2591986sec preferred_lft 604786sec
    inet6 fe80::22fc:11ff:fe53:b2e7/64 scope link 
       valid_lft forever preferred_lft forever

bunny has a statically configured address on the same prefix.

neirbowj@fuzzy:~$ grep bunny /etc/hosts
2001:db8:d00d:babe::1    bunny

nosey.example.com is not on this prefix.

neirbowj@fuzzy:~$ host -t aaaa nosey.example.com
nosey.example.com has IPv6 address 2001:db8:b00b:1e5::1

The address labels on fuzzy are set to their defaults.

neirbowj@fuzzy:~$ ip addrlabel
prefix ::1/128 label 0 
prefix ::/96 label 3 
prefix ::ffff:0.0.0.0/96 label 4 
prefix 2001::/32 label 6 
prefix 2001:10::/28 label 7 
prefix 2002::/16 label 2 
prefix fc00::/7 label 5 
prefix ::/0 label 1 

When I connect to bunny, I want to use 2001:db8:d00d:babe:22fc:11ff:fe53:b2e7, because it is not flagged "temporary". When I connect to nosey.example.com, I want to use 2001:db8:d00d:babe:6d3b:96d0:f584:beb3 because it is flagged "temporary". Is this possible, and if so, how?

I have already read How does IPv6 source address selection work in Linux, but I don't see how any of the rules would affect this choice, nor even how the temporary flag informs address selection at all.

The reason I think I should be able to do this is because of this excerpt.

RFC-4941
Section 3.1 Assumptions

[...]

Finally, this document assumes that when a node initiates outgoing
communication, temporary addresses can be given preference over
public addresses when the device is configured to do so.
[ADDR_SELECT] mandates implementations to provide a mechanism, which
allows an application to configure its preference for temporary
addresses over public addresses.  It also allows for an
implementation to prefer temporary addresses by default, so that the
connections initiated by the node can use temporary addresses without
requiring application-specific enablement.  This document also
assumes that an API will exist that allows individual applications to
indicate whether they prefer to use temporary or public addresses and
override the system defaults.

neirbowj

Posted 2013-08-29T03:11:21.590

Reputation: 394

Answers

2

It seems like a strange place, but in Linux you can do this in the routing table.

Say that your routing table currently looks like this:

# ip -6 route
2001:db8:d00d:babe::/64 dev eth0  proto kernel  metric 256 
default via 2001:db8:d00d:babe::1 dev eth0  metric 1024 

You can specify routes that override the source address. In this case you could do:

# ip -6 route add 2001:db8:d00d:babe::/64 \
                  dev eth0 \
                  src 2001:db8:d00d:babe:22fc:11ff:fe53:b2e7 \
                  metric 128

Because this route has a lower metric than the current one (which has metric 256) it will override it. When you now connect to bunny at address 2001:db8:d00d:babe::1 this route will match and it will use the configured source address.

If you also want to use a specific source address for other subnets you can create a route for that as well. For example:

# ip -6 route add 2001:db8:d00d::/48 \
                  via 2001:db8:d00d:babe::1 \
                  dev eth0 \
                  src 2001:db8:d00d:babe:22fc:11ff:fe53:b2e7 \
                  metric 128

Sander Steffann

Posted 2013-08-29T03:11:21.590

Reputation: 4 169
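To check the result of routes like these, the source address the kernel picks can be read back with `ip -6 route get` and matched against the flags in `ip -6 addr show`. This is an added example, not part of the original answer: the helper names are hypothetical, the two route-get lines are constructed samples of the outcome the question asks for, and the address listing is the one from the question.

```shell
#!/bin/sh
# Added example: classify the source address chosen for a destination.

# Print the address following "src" in `ip -6 route get` output (stdin).
route_src() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Print "temporary", "public" or "unknown" for address $1,
# based on `ip -6 addr show` output read from stdin.
addr_kind() {
    awk -v want="$1" '
        $1 == "inet6" {
            split($2, a, "/")
            if (a[1] == want) {
                kind = "public"
                for (i = 3; i <= NF; i++) if ($i == "temporary") kind = "temporary"
                print kind; found = 1; exit
            }
        }
        END { if (!found) print "unknown" }'
}

# kind_for ROUTE_GET_TEXT ADDR_SHOW_TEXT
kind_for() {
    src=$(printf '%s\n' "$1" | route_src)
    printf '%s\n' "$2" | addr_kind "$src"
}

# Address listing from the question (link-local entry omitted).
ADDR_SHOW='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:d00d:babe:6d3b:96d0:f584:beb3/64 scope global temporary dynamic
    inet6 2001:db8:d00d:babe:22fc:11ff:fe53:b2e7/64 scope global dynamic'

# Constructed samples; the exact layout varies between iproute2 versions.
ROUTE_GET_BUNNY='2001:db8:d00d:babe::1 from :: dev eth0 src 2001:db8:d00d:babe:22fc:11ff:fe53:b2e7 metric 128'
ROUTE_GET_NOSEY='2001:db8:b00b:1e5::1 from :: via 2001:db8:d00d:babe::1 dev eth0 src 2001:db8:d00d:babe:6d3b:96d0:f584:beb3 metric 1024'

echo "bunny: $(kind_for "$ROUTE_GET_BUNNY" "$ADDR_SHOW")"
echo "nosey: $(kind_for "$ROUTE_GET_NOSEY" "$ADDR_SHOW")"

# On a live host:
#   kind_for "$(ip -6 route get 2001:db8:d00d:babe::1)" "$(ip -6 addr show dev eth0)"
```

A result of `unknown` means the route lookup returned no `src` or the address is not configured on the inspected interface.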

This is a great answer to a slightly different question, because this approach is agnostic to the address type (static, DHCPv6, SLAAC, SLAAC+privacy, etc). While it may be the best I can do, I want to wait a little longer before accepting your answer. – neirbowj – 2013-08-29T19:46:41.870

@neirbowj The method by which you obtain your addresses isn't really relevant. This is how you would do it. BTW, you can also throw this into /etc/network/interfaces to make it permanent. – Michael Hampton – 2013-08-30T00:48:04.073

I didn't say I couldn't do it this way, but if you read my question, I hope you will see why the nature and source of the addresses is very relevant. – neirbowj – 2013-08-30T02:21:11.080

@neirbowj Your question doesn't say anything about that. Perhaps you forgot to add it? – Michael Hampton – 2013-08-30T22:45:41.673

@MichaelHampton: I state it in three places: the title ("Use temporary addresses..."), the first sentence that ends with '?' (regular, non-privacy enhanced vs. temporary), and the sentence just before "Is this possible, and if so, how?" ("because it is not flagged ... because it is flagged ..."). – neirbowj – 2013-08-31T17:19:11.363

@neirbowj And this answer covers it perfectly. What's the problem? – Michael Hampton – 2013-08-31T17:53:10.200

Addresses flagged as temporary are used by default. So you only need to set routing table entries to override that default. Fits your question I would think. – Sander Steffann – 2013-09-01T16:09:12.207