mirror of https://github.com/tLDP/LDP
add privacy extension hints
This commit is contained in:
parent
6613be5484
commit
dca8639281
|
@ -111,7 +111,7 @@ status open
|
|||
|
||||
\begin_layout Plain Layout
|
||||
|
||||
<revision> <revnumber>0.66wip</revnumber> <date>2014-05-13</date> <authorinitials
|
||||
<revision> <revnumber>0.66wip</revnumber> <date>2014-05-15</date> <authorinitials
|
||||
>PB</authorinitials></revision>
|
||||
\end_layout
|
||||
|
||||
|
@ -5093,6 +5093,269 @@ Example:
|
|||
# /sbin/ifconfig eth0 inet6 del 2001:0db8:0:f101::1/64
|
||||
\end_layout
|
||||
|
||||
\begin_layout Section
|
||||
Automatic IPv6 Address Configuration
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
In case, a Router Advertisement is received by a client, in case IPv6 autoconfig
|
||||
uration is enabled, the client configures itself an IPv6 address according
|
||||
to the prefix contained in the advertisement (see also
|
||||
\begin_inset CommandInset ref
|
||||
LatexCommand ref
|
||||
reference "hints-daemons-radvd"
|
||||
|
||||
\end_inset
|
||||
|
||||
).
|
||||
\end_layout
|
||||
|
||||
\begin_layout Section
|
||||
Enable Privacy Extension
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Privacy Extension as described in
|
||||
\begin_inset CommandInset href
|
||||
LatexCommand href
|
||||
name "RFC 4941 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6"
|
||||
target "http://www.faqs.org/rfcs/rfc4941.html"
|
||||
|
||||
\end_inset
|
||||
|
||||
(obsoleted
|
||||
\begin_inset CommandInset href
|
||||
LatexCommand href
|
||||
name "RFC 3041"
|
||||
target "http://www.faqs.org/rfcs/rfc3041.html"
|
||||
|
||||
\end_inset
|
||||
|
||||
) is replacing the static interface ID (mostly based on word-wide unique
|
||||
MAC address) used during autoconfiguration by a pseudo-random one and generatin
|
||||
g from time to time a new one deprecating the old one.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
Enable Privacy Extension using sysctl
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection*
|
||||
Temporary activation
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Enable privacy extension for e.g.
|
||||
interface
|
||||
\begin_inset Quotes sld
|
||||
\end_inset
|
||||
|
||||
eth0
|
||||
\begin_inset Quotes srd
|
||||
\end_inset
|
||||
|
||||
and prefer the generated address:
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# sysctl -w net.ipv6.conf.eth0.use_tempaddr=2
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Afterwards, restart of the interface is necessary
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# ip link set dev eth0 down
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# ip link set dev eth0 up
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Once a router advertisement is received, the result should look like following
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# ip -6 addr show dev eth0
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
inet6 2001:db8:0:1:8992:3c03:d6e2:ed72/64 scope global secondary dynamic
|
||||
<- pseudo-random IID
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
valid_lft 604711sec preferred_lft 86311sec
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
inet6 2001:db8:0:1::224:21ff:fe01:2345/64 scope global <- IID based
|
||||
on MAC
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
valid_lft 604711sec preferred_lft 86311sec
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
...
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection*
|
||||
Permanent activation
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
For permanent activation, either a special initscript value per interface
|
||||
will enable privacy or an entry in the /etc/sysctl.conf file like
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
net.ipv6.conf.eth0.use_tempaddr=2
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Note: interface must already exists with proper name when sysctl.conf is
|
||||
applied.
|
||||
If this is not the case (udev or delayed initialization) one has to configure
|
||||
privacy for all interfaces by default:
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
net.ipv6.conf.all.use_tempaddr=2
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
net.ipv6.conf.default.use_tempaddr=2
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Values can be activated during runtime, but at least an interface down/up
|
||||
or a reboot is recommended.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# sysctl -p
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
Enable Privacy Extension using NetworkManager
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Modern (client) systems are using NetworkManager (here: version 0.9.9.1-5.git2014031
|
||||
9.fc21) for configuring interfaces.
|
||||
A command line tool is built-in which can be used to change settings which
|
||||
are not available via GUI.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Check existing interfaces with:
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nmcli connection
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
NAME UUID TYPE DEVICE
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
ens4v1 d0fc2b2e-5fa0-4675-96b5-b723ca5c46db 802-3-ethernet ens4v1
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Current amount of IPv6 privacy extension addresses can be checked with
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# ip -o addr show dev ens4v1 | grep temporary | wc -l
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
0
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Current IPv6 privacy extension settings can be checked with
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nmcli connection show ens4v1 |grep ip6-privacy
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
ipv6.ip6-privacy: -1 (unknown)
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Enable IPv6 privacy extension and restart interface
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nmcli connection modify ens4v1 ipv6.ip6-privacy 2
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nmcli connection down ens4v1; nmcli connection up ens4v1
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
New IPv6 privacy extension settings can be checked with
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nmcli connection show ens4v1 |grep ip6-privacy
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
ipv6.ip6-privacy: 2 (active, prefer temporary IP)
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Now IPv6 privacy extension addresses are configured on the interface
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# ip -o addr show dev ens4v1 | grep temporary | wc -l
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
2
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
Test real use of Privacy Extension
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Whether the IPv6 address with an Interface ID generated by Privacy Extension
|
||||
is really used for outgoing connections, one can browse to
|
||||
\begin_inset CommandInset href
|
||||
LatexCommand href
|
||||
name "http://ip.bieringer.de/"
|
||||
target "http://ip.bieringer.de/"
|
||||
|
||||
\end_inset
|
||||
|
||||
, in case EUI64_SCOPE shows
|
||||
\begin_inset Quotes sld
|
||||
\end_inset
|
||||
|
||||
iid-privacy
|
||||
\begin_inset Quotes srd
|
||||
\end_inset
|
||||
|
||||
, then everything is working fine.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Chapter
|
||||
\begin_inset CommandInset label
|
||||
LatexCommand label
|
||||
|
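Review bot: the sample `ip -6 addr show dev eth0` output in the "Temporary activation" part lists the MAC-derived address as `2001:db8:0:1::224:21ff:fe01:2345/64`, which is not a valid textual IPv6 address: all eight groups (2001, db8, 0, 1, 224, 21ff, fe01, 2345) are present, so the `::` compresses nothing and must be a single colon, `2001:db8:0:1:224:21ff:fe01:2345/64`. In that same output the privacy address is flagged `scope global secondary dynamic`, while the check added in the NetworkManager part counts privacy addresses with `ip -o addr show dev ens4v1 | grep temporary | wc -l`; on a system whose `ip` prints `secondary` for that flag, as the first sample does, the count stays 0 even when privacy addresses are configured. Either make the two samples consistent or say which wording the reader should expect, and consider also showing the kernel-side check `sysctl net.ipv6.conf.eth0.use_tempaddr`, which does not depend on iproute2 output. Smaller points in the prose: "word-wide unique MAC address" should read "world-wide"; "In case, a Router Advertisement is received by a client, in case IPv6 autoconfiguration is enabled" repeats "in case" and reads better as "If IPv6 autoconfiguration is enabled and a Router Advertisement is received, the client ..."; "Afterwards, restart of the interface is necessary" should be "Afterwards, a restart of the interface is necessary"; and "interface must already exists" should be "must already exist". Finally, since the text only ever sets `use_tempaddr=2` ("and prefer the generated address"), it would help to state that `1` also generates temporary addresses but keeps preferring the public (EUI-64) address for outgoing connections, which is exactly the distinction the later `nmcli` output expresses as "2 (active, prefer temporary IP)".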
@ -29873,7 +30136,8 @@ Releases 0.x
|
|||
0.66 2010-04-20/PB: extend QoS section with examples, 20130513/PB: add IPv6
|
||||
NAT hints, 20130521/PB: review dhcpd, 20131019/bie: general review, 20140502/bi
|
||||
e: add hints for nftables, 20140513/bie: extend section regarding address
|
||||
resolution and add source/destination address selection information
|
||||
resolution and add source/destination address selection information, 20140515/b
|
||||
ie: add hints for activation of privacy extension
|
||||
\end_layout
|
||||
|
||||
\begin_layout Description
|
||||
|
|