add privacy extension hints

2014-05-15 06:07:45 +00:00 · 2014-05-15 06:07:45 +00:00 · dca8639281
parent 6613be5484
commit dca8639281
4 changed files with 1014 additions and 389 deletions
--- a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.html
+++ b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.html
--- a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.lyx
+++ b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.lyx
@ -111,7 +111,7 @@ status open

 \begin_layout Plain Layout

-<revision> <revnumber>0.66wip</revnumber> <date>2014-05-13</date> <authorinitials
+<revision> <revnumber>0.66wip</revnumber> <date>2014-05-15</date> <authorinitials
 >PB</authorinitials></revision>
 \end_layout

@ -5093,6 +5093,269 @@ Example:
 # /sbin/ifconfig eth0 inet6 del 2001:0db8:0:f101::1/64
 \end_layout

+\begin_layout Section
+Automatic IPv6 Address Configuration
+\end_layout
+
+\begin_layout Standard
+In case, a Router Advertisement is received by a client, in case IPv6 autoconfig
+uration is enabled, the client configures itself an IPv6 address according
+ to the prefix contained in the advertisement (see also 
+\begin_inset CommandInset ref
+LatexCommand ref
+reference "hints-daemons-radvd"
+
+\end_inset
+
+).
+\end_layout
+
+\begin_layout Section
+Enable Privacy Extension
+\end_layout
+
+\begin_layout Standard
+Privacy Extension as described in 
+\begin_inset CommandInset href
+LatexCommand href
+name "RFC 4941 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6"
+target "http://www.faqs.org/rfcs/rfc4941.html"
+
+\end_inset
+
+ (obsoleted 
+\begin_inset CommandInset href
+LatexCommand href
+name "RFC 3041"
+target "http://www.faqs.org/rfcs/rfc3041.html"
+
+\end_inset
+
+) is replacing the static interface ID (mostly based on word-wide unique
+ MAC address) used during autoconfiguration by a pseudo-random one and generatin
+g from time to time a new one deprecating the old one.
+\end_layout
+
+\begin_layout Subsection
+Enable Privacy Extension using sysctl
+\end_layout
+
+\begin_layout Subsection*
+Temporary activation
+\end_layout
+
+\begin_layout Standard
+Enable privacy extension for e.g.
+ interface 
+\begin_inset Quotes sld
+\end_inset
+
+eth0
+\begin_inset Quotes srd
+\end_inset
+
+ and prefer the generated address:
+\end_layout
+
+\begin_layout Code
+# sysctl -w net.ipv6.conf.eth0.use_tempaddr=2
+\end_layout
+
+\begin_layout Standard
+Afterwards, restart of the interface is necessary
+\end_layout
+
+\begin_layout Code
+# ip link set dev eth0 down
+\end_layout
+
+\begin_layout Code
+# ip link set dev eth0 up
+\end_layout
+
+\begin_layout Standard
+Once a router advertisement is received, the result should look like following
+\end_layout
+
+\begin_layout Code
+# ip -6 addr show dev eth0
+\end_layout
+
+\begin_layout Code
+2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
+\end_layout
+
+\begin_layout Code
+    inet6 2001:db8:0:1:8992:3c03:d6e2:ed72/64 scope global secondary dynamic
+   <- pseudo-random IID
+\end_layout
+
+\begin_layout Code
+       valid_lft 604711sec preferred_lft 86311sec
+\end_layout
+
+\begin_layout Code
+    inet6 2001:db8:0:1::224:21ff:fe01:2345/64 scope global     <- IID based
+ on MAC
+\end_layout
+
+\begin_layout Code
+       valid_lft 604711sec preferred_lft 86311sec
+\end_layout
+
+\begin_layout Code
+    ...
+\end_layout
+
+\begin_layout Subsection*
+Permanent activation
+\end_layout
+
+\begin_layout Standard
+For permanent activation, either a special initscript value per interface
+ will enable privacy or an entry in the /etc/sysctl.conf file like
+\end_layout
+
+\begin_layout Code
+net.ipv6.conf.eth0.use_tempaddr=2
+\end_layout
+
+\begin_layout Standard
+Note: interface must already exists with proper name when sysctl.conf is
+ applied.
+ If this is not the case (udev or delayed initialization) one has to configure
+ privacy for all interfaces by default:
+\end_layout
+
+\begin_layout Code
+net.ipv6.conf.all.use_tempaddr=2
+\end_layout
+
+\begin_layout Code
+net.ipv6.conf.default.use_tempaddr=2
+\end_layout
+
+\begin_layout Standard
+Values can be activated during runtime, but at least an interface down/up
+ or a reboot is recommended.
+\end_layout
+
+\begin_layout Code
+# sysctl -p
+\end_layout
+
+\begin_layout Subsection
+Enable Privacy Extension using NetworkManager
+\end_layout
+
+\begin_layout Standard
+Modern (client) systems are using NetworkManager (here: version 0.9.9.1-5.git2014031
+9.fc21) for configuring interfaces.
+ A command line tool is built-in which can be used to change settings which
+ are not available via GUI.
+\end_layout
+
+\begin_layout Standard
+Check existing interfaces with:
+\end_layout
+
+\begin_layout Code
+# nmcli connection 
+\end_layout
+
+\begin_layout Code
+NAME UUID TYPE DEVICE
+\end_layout
+
+\begin_layout Code
+ens4v1 d0fc2b2e-5fa0-4675-96b5-b723ca5c46db 802-3-ethernet ens4v1 
+\end_layout
+
+\begin_layout Standard
+Current amount of IPv6 privacy extension addresses can be checked with
+\end_layout
+
+\begin_layout Code
+# ip -o addr show dev ens4v1 | grep temporary | wc -l
+\end_layout
+
+\begin_layout Code
+0
+\end_layout
+
+\begin_layout Standard
+Current IPv6 privacy extension settings can be checked with
+\end_layout
+
+\begin_layout Code
+# nmcli connection show ens4v1 |grep ip6-privacy
+\end_layout
+
+\begin_layout Code
+ipv6.ip6-privacy: -1 (unknown)
+\end_layout
+
+\begin_layout Standard
+Enable IPv6 privacy extension and restart interface
+\end_layout
+
+\begin_layout Code
+# nmcli connection modify ens4v1 ipv6.ip6-privacy 2
+\end_layout
+
+\begin_layout Code
+# nmcli connection down ens4v1; nmcli connection up ens4v1
+\end_layout
+
+\begin_layout Standard
+New IPv6 privacy extension settings can be checked with
+\end_layout
+
+\begin_layout Code
+# nmcli connection show ens4v1 |grep ip6-privacy
+\end_layout
+
+\begin_layout Code
+ipv6.ip6-privacy: 2 (active, prefer temporary IP)
+\end_layout
+
+\begin_layout Standard
+Now IPv6 privacy extension addresses are configured on the interface
+\end_layout
+
+\begin_layout Code
+# ip -o addr show dev ens4v1 | grep temporary | wc -l
+\end_layout
+
+\begin_layout Code
+2
+\end_layout
+
+\begin_layout Subsection
+Test real use of Privacy Extension
+\end_layout
+
+\begin_layout Standard
+Whether the IPv6 address with an Interface ID generated by Privacy Extension
+ is really used for outgoing connections, one can browse to 
+\begin_inset CommandInset href
+LatexCommand href
+name "http://ip.bieringer.de/"
+target "http://ip.bieringer.de/"
+
+\end_inset
+
+, in case EUI64_SCOPE shows 
+\begin_inset Quotes sld
+\end_inset
+
+iid-privacy
+\begin_inset Quotes srd
+\end_inset
+
+, then everything is working fine.
+\end_layout
+
 \begin_layout Chapter
 \begin_inset CommandInset label
 LatexCommand label
@ -29873,7 +30136,8 @@ Releases 0.x
 0.66 2010-04-20/PB: extend QoS section with examples, 20130513/PB: add IPv6
 NAT hints, 20130521/PB: review dhcpd, 20131019/bie: general review, 20140502/bi
 e: add hints for nftables, 20140513/bie: extend section regarding address
- resolution and add source/destination address selection information
+ resolution and add source/destination address selection information, 20140515/b
+ie: add hints for activation of privacy extension
 \end_layout

 \begin_layout Description
--- a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.pdf
+++ b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.pdf
--- a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.sgml
+++ b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.sgml