mirror of https://github.com/tLDP/LDP
add privacy extension hints
This commit is contained in:
parent
6613be5484
commit
dca8639281
@ -111,7 +111,7 @@ status open
|
||||||
|
|
||||||
\begin_layout Plain Layout
|
\begin_layout Plain Layout
|
||||||
|
|
||||||
<revision> <revnumber>0.66wip</revnumber> <date>2014-05-13</date> <authorinitials
|
<revision> <revnumber>0.66wip</revnumber> <date>2014-05-15</date> <authorinitials
|
||||||
>PB</authorinitials></revision>
|
>PB</authorinitials></revision>
|
||||||
\end_layout
|
\end_layout
|
||||||
|
|
||||||
|
@ -5093,6 +5093,269 @@ Example:
|
||||||
# /sbin/ifconfig eth0 inet6 del 2001:0db8:0:f101::1/64
|
# /sbin/ifconfig eth0 inet6 del 2001:0db8:0:f101::1/64
|
||||||
\end_layout
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Section
|
||||||
|
Automatic IPv6 Address Configuration
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
In case, a Router Advertisement is received by a client, in case IPv6 autoconfig
|
||||||
|
uration is enabled, the client configures itself an IPv6 address according
|
||||||
|
to the prefix contained in the advertisement (see also
|
||||||
|
\begin_inset CommandInset ref
|
||||||
|
LatexCommand ref
|
||||||
|
reference "hints-daemons-radvd"
|
||||||
|
|
||||||
|
\end_inset
|
||||||
|
|
||||||
|
).
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Section
|
||||||
|
Enable Privacy Extension
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Privacy Extension as described in
|
||||||
|
\begin_inset CommandInset href
|
||||||
|
LatexCommand href
|
||||||
|
name "RFC 4941 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6"
|
||||||
|
target "http://www.faqs.org/rfcs/rfc4941.html"
|
||||||
|
|
||||||
|
\end_inset
|
||||||
|
|
||||||
|
(obsoleted
|
||||||
|
\begin_inset CommandInset href
|
||||||
|
LatexCommand href
|
||||||
|
name "RFC 3041"
|
||||||
|
target "http://www.faqs.org/rfcs/rfc3041.html"
|
||||||
|
|
||||||
|
\end_inset
|
||||||
|
|
||||||
|
) is replacing the static interface ID (mostly based on word-wide unique
|
||||||
|
MAC address) used during autoconfiguration by a pseudo-random one and generatin
|
||||||
|
g from time to time a new one deprecating the old one.
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Subsection
|
||||||
|
Enable Privacy Extension using sysctl
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Subsection*
|
||||||
|
Temporary activation
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Enable privacy extension for e.g.
|
||||||
|
interface
|
||||||
|
\begin_inset Quotes sld
|
||||||
|
\end_inset
|
||||||
|
|
||||||
|
eth0
|
||||||
|
\begin_inset Quotes srd
|
||||||
|
\end_inset
|
||||||
|
|
||||||
|
and prefer the generated address:
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# sysctl -w net.ipv6.conf.eth0.use_tempaddr=2
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Afterwards, restart of the interface is necessary
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# ip link set dev eth0 down
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# ip link set dev eth0 up
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Once a router advertisement is received, the result should look like following
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# ip -6 addr show dev eth0
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
inet6 2001:db8:0:1:8992:3c03:d6e2:ed72/64 scope global secondary dynamic
|
||||||
|
<- pseudo-random IID
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
valid_lft 604711sec preferred_lft 86311sec
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
inet6 2001:db8:0:1::224:21ff:fe01:2345/64 scope global <- IID based
|
||||||
|
on MAC
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
valid_lft 604711sec preferred_lft 86311sec
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
...
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Subsection*
|
||||||
|
Permanent activation
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
For permanent activation, either a special initscript value per interface
|
||||||
|
will enable privacy or an entry in the /etc/sysctl.conf file like
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
net.ipv6.conf.eth0.use_tempaddr=2
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Note: interface must already exists with proper name when sysctl.conf is
|
||||||
|
applied.
|
||||||
|
If this is not the case (udev or delayed initialization) one has to configure
|
||||||
|
privacy for all interfaces by default:
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
net.ipv6.conf.all.use_tempaddr=2
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
net.ipv6.conf.default.use_tempaddr=2
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Values can be activated during runtime, but at least an interface down/up
|
||||||
|
or a reboot is recommended.
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# sysctl -p
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Subsection
|
||||||
|
Enable Privacy Extension using NetworkManager
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Modern (client) systems are using NetworkManager (here: version 0.9.9.1-5.git2014031
|
||||||
|
9.fc21) for configuring interfaces.
|
||||||
|
A command line tool is built-in which can be used to change settings which
|
||||||
|
are not available via GUI.
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Check existing interfaces with:
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# nmcli connection
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
NAME UUID TYPE DEVICE
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
ens4v1 d0fc2b2e-5fa0-4675-96b5-b723ca5c46db 802-3-ethernet ens4v1
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Current amount of IPv6 privacy extension addresses can be checked with
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# ip -o addr show dev ens4v1 | grep temporary | wc -l
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
0
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Current IPv6 privacy extension settings can be checked with
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# nmcli connection show ens4v1 |grep ip6-privacy
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
ipv6.ip6-privacy: -1 (unknown)
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Enable IPv6 privacy extension and restart interface
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# nmcli connection modify ens4v1 ipv6.ip6-privacy 2
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# nmcli connection down ens4v1; nmcli connection up ens4v1
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
New IPv6 privacy extension settings can be checked with
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# nmcli connection show ens4v1 |grep ip6-privacy
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
ipv6.ip6-privacy: 2 (active, prefer temporary IP)
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Now IPv6 privacy extension addresses are configured on the interface
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
# ip -o addr show dev ens4v1 | grep temporary | wc -l
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Code
|
||||||
|
2
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Subsection
|
||||||
|
Test real use of Privacy Extension
|
||||||
|
\end_layout
|
||||||
|
|
||||||
|
\begin_layout Standard
|
||||||
|
Whether the IPv6 address with an Interface ID generated by Privacy Extension
|
||||||
|
is really used for outgoing connections, one can browse to
|
||||||
|
\begin_inset CommandInset href
|
||||||
|
LatexCommand href
|
||||||
|
name "http://ip.bieringer.de/"
|
||||||
|
target "http://ip.bieringer.de/"
|
||||||
|
|
||||||
|
\end_inset
|
||||||
|
|
||||||
|
, in case EUI64_SCOPE shows
|
||||||
|
\begin_inset Quotes sld
|
||||||
|
\end_inset
|
||||||
|
|
||||||
|
iid-privacy
|
||||||
|
\begin_inset Quotes srd
|
||||||
|
\end_inset
|
||||||
|
|
||||||
|
, then everything is working fine.
|
||||||
|
\end_layout
|
||||||
|
|
||||||
\begin_layout Chapter
|
\begin_layout Chapter
|
||||||
\begin_inset CommandInset label
|
\begin_inset CommandInset label
|
||||||
LatexCommand label
|
LatexCommand label
|
||||||
|
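Review bot: the MAC-based sample address `2001:db8:0:1::224:21ff:fe01:2345/64` in the `ip -6 addr show dev eth0` output is not a valid IPv6 literal: the prefix `2001:db8:0:1` plus the EUI-64 interface ID `224:21ff:fe01:2345` already makes eight 16-bit groups, so the `::` has no zero groups to stand for and should be dropped (`2001:db8:0:1:224:21ff:fe01:2345/64`). In the same sample the privacy address is flagged `scope global secondary dynamic`, but the NetworkManager check later in the hunk counts addresses with `ip -o addr show dev ens4v1 | grep temporary | wc -l`; iproute2 prints `temporary` (not `secondary`) for IPv6 addresses carrying that flag, so the sample line should read `scope global temporary dynamic` for the two parts of the section to agree. The parenthesis "(obsoleted RFC 3041)" reads as if RFC 4941 were the obsolete one; "(which obsoletes RFC 3041)" is what is meant. On the "Permanent activation" note: of the two sysctl.conf entries, `net.ipv6.conf.default.use_tempaddr=2` is the one that newly created interfaces inherit, so the text should say that `default` is the entry covering the udev/delayed-initialization case rather than presenting `all` and `default` as interchangeable. Wording fixes in the hunk: "word-wide unique" should be "world-wide unique"; "interface must already exists" should be "must already exist"; "In case, a Router Advertisement is received by a client, in case IPv6 autoconfiguration is enabled" repeats "in case" and needs a single conditional ("If a Router Advertisement is received by a client and IPv6 autoconfiguration is enabled, ..."); "Afterwards, restart of the interface is necessary" lacks an article and a final period; "should look like following" should be "should look like the following"; and "Check existing interfaces with: nmcli connection" lists connections rather than interfaces, so "Check existing connections" would match the command.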
@ -29873,7 +30136,8 @@ Releases 0.x
|
||||||
0.66 2010-04-20/PB: extend QoS section with examples, 20130513/PB: add IPv6
|
0.66 2010-04-20/PB: extend QoS section with examples, 20130513/PB: add IPv6
|
||||||
NAT hints, 20130521/PB: review dhcpd, 20131019/bie: general review, 20140502/bi
|
NAT hints, 20130521/PB: review dhcpd, 20131019/bie: general review, 20140502/bi
|
||||||
e: add hints for nftables, 20140513/bie: extend section regarding address
|
e: add hints for nftables, 20140513/bie: extend section regarding address
|
||||||
resolution and add source/destination address selection information
|
resolution and add source/destination address selection information, 20140515/b
|
||||||
|
ie: add hints for activation of privacy extension
|
||||||
\end_layout
|
\end_layout
|
||||||
|
|
||||||
\begin_layout Description
|
\begin_layout Description
|
||||||
|
|