# Private stable global IPv6 SLAAC address



## pswinslow (Sep 11, 2017)

I set up IPv6 using the handbook and it works, but I don't know how to get an address which:

1. Is global.
2. Persists across reboots.
3. Doesn't expose the hardware address of my NIC.

I can't use DHCP to get a permanent address from the router. I currently get a stable non-private address, a private temporary address, a DHCP address which changes frequently, and a link-local address.

This seems like it should be simple, but I can't find any way to make rtsold do what I want. I can't find any sysctl knob which does what I want, either. I know I'm not supposed to use static addresses and SLAAC at the same time, and I want the SLAAC temporary address.

Does anyone know how to do this?


----------



## SirDice (Sep 12, 2017)

Does your provider supply a native IPv6 connection or are you using a tunnel-broker like he.net?

My cable provider at home doesn't have IPv6 (still not!) so I have to use a tunnel-broker. It's fairly easy to set up. For my VPS the hoster provides native IPv6, I didn't have to do much to get that working either.


----------



## pswinslow (Sep 12, 2017)

I have native IPv6.


----------



## SirDice (Sep 13, 2017)

Does your provider actually support SLAAC? Not all providers do, some have SLAAC, some DHCPv6 and others simply require you to statically assign the IP. 

Try running `rtsol em0` (assuming em0 is your external network adapter). Open a second console or terminal and take a look with tcpdump(8) to see if there's actually anything responding. If you get an address starting with 2001 or 2002 you have a good global IPv6 address.


----------



## pswinslow (Sep 13, 2017)

SLAAC is working. All my Linux machines have stable global private addresses.

`tcpdump -vv > dump &`
`rtsol sis0`
`cat dump`



```
16:29:47.079300 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::1256:11ff:fe62:XXXX > Dell.local: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has Dell.local
          source link-address option (1), length 8 (1): 10:56:11:62:XX:XX
            0x0000:  1056 1162 XXXX
16:29:47.079413 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::20f:1fff:fea9:XXXX > fe80::1256:11ff:fe62:XXXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is Dell.local, Flags [solicited]
16:29:47.132293 IP6 (flowlabel 0x0e88f, hlim 64, next-header UDP (17) payload length: 50) Dell.local.37588 > cdns01.comcast.net.domain: [udp sum ok] 46042+ PTR? 251.0.0.224.in-addr.arpa. (42)
16:29:47.143542 IP6 (hlim 58, next-header UDP (17) payload length: 107) cdns01.comcast.net.domain > Dell.local.37588: [udp sum ok] 46042 NXDomain q: PTR? 251.0.0.224.in-addr.arpa. 0/1/0 ns: 224.in-addr.arpa. SOA sns.dns.icann.org. noc.dns.icann.org. 2017043051 7200 3600 604800 3600 (99)
16:29:47.369846 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::1256:11ff:fe62:XXXX > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
        hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 180s, reachable time 0s, retrans time 0s
          rdnss option (25), length 40 (5):  lifetime 86400s, addr: cdns01.comcast.net addr: cdns02.comcast.net
            0x0000:  0000 0001 5180 2001 0558 feed 0000 0000
            0x0010:  0000 0000 0001 2001 0558 feed 0000 0000
            0x0020:  0000 0000 0002
          prefix info option (3), length 32 (4): 2601:246:4202:XXXX::/64, Flags [onlink, auto], valid time 57281s, pref. time 57281s
            0x0000:  40c0 0000 dfc1 0000 dfc1 0000 0000 2601
            0x0010:  0246 4202 XXXX 0000 0000 0000 0000
          route info option (24), length 24 (3):  ::/0, pref=medium, lifetime=180s
            0x0000:  0000 0000 00b4 0000 0000 0000 0000 0000
            0x0010:  0000 0000 0000
          source link-address option (1), length 8 (1): 10:56:11:62:XX:XX
            0x0000:  1056 1162 XXXX
```


----------



## pswinslow (Sep 13, 2017)

`ifconfig`


```
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 00:0f:1f:a9:XX:XX
        hwaddr 00:0f:1f:a9:XX:XX
        inet6 fe80::20f:1fff:fea9:XXXX%sis0 prefixlen 64 scopeid 0x1
        inet6 2601:246:4202:XXXX:20f:1fff:fea9:XXXX prefixlen 64 autoconf
        inet6 2601:246:4202:XXXX:50a7:d452:c751:4baf prefixlen 64 autoconf temporary
        inet6 2601:246:4202:XXXX::6f66 prefixlen 64
        inet 10.0.0.158 netmask 0xffffff00 broadcast 10.0.0.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```

Note the two autoconf addresses. One exposes my NIC MAC address, and the other is temporary.


----------



## SirDice (Sep 14, 2017)

pswinslow said:


> Note the two autoconf addresses. One exposes my NIC MAC address, and the other is temporary.


Not much you can do about this as it's part of the SLAAC definition.


> The lower 64 bits of these addresses are populated with a 64-bit interface identifier in modified EUI-64 format. This identifier is usually shared by all automatically configured addresses of that interface, which has the advantage that only one multicast group needs to be joined for neighbor discovery. For this, a multicast address is used, formed from the network prefix ff02::1:ff00:0/104 and the 24 least significant bits of the address.


https://en.wikipedia.org/wiki/IPv6_address#Stateless_address_autoconfiguration

To make this automatic add this to /etc/rc.conf:

```
ifconfig_sis0_ipv6="inet6 accept_rtadv"
rtsold_enable="YES"
```


----------



## ronaldlees (Sep 14, 2017)

Perhaps at some point the SLAAC privacy extensions will be implemented in FreeBSD:

http://www.internetsociety.org/deploy360/resources/privacy-extensions-for-ipv6-slaac/


----------



## pswinslow (Sep 14, 2017)

Apparently FreeBSD implements RFC4941 privacy extensions, but the feature I'm looking for is unofficial (cryptographically generated addresses are mentioned as an alternate approach, and that may be what Linux is doing).


----------

