Netgate Discussion Forum

    IPv6 EUI-64??

    32 Posts 5 Posters 1.7k Views
    • JKnottJ
      JKnott @JonathanLee
      last edited by

      @JonathanLee said in IPv6 EUI-64??:

      still weird to see 3 ip addresses for IPv6 on a device.

      Give it a week. You'll see 8 global addresses and 1 link-local. 7 of those global addresses are temporary. You get a new one every day and the oldest falls off the list. For more fun, you can enable Unique Local addresses for another 8!

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      1 Reply Last reply Reply Quote 0
      • patient0P
        patient0 @JonathanLee
        last edited by patient0

        @JonathanLee

        @JonathanLee said in IPv6 EUI-64??:

        pfSense can’t enable EUI-64

        I have not used it myself and therefore don't know the effect it has on pfSense, but check this Reddit thread:

        https://www.reddit.com/r/freebsd/comments/1awv0jw/ipv6_privacy/

        Quote from the thread:

        Privacy extensions can be enabled with these sysctl tweaks.

        net.inet6.ip6.use_tempaddr=1
        net.inet6.ip6.prefer_tempaddr=1
        

        To make it persistent add it to your sysctl.conf

        Also add this to your rc.conf

        ipv6_privacy="YES"
        
        JonathanLeeJ 2 Replies Last reply Reply Quote 1
        • JonathanLeeJ
          JonathanLee @patient0
          last edited by JonathanLee

          @patient0 thank you, that is what I am after. A way to activate that protocol. Thank you. I would need to disable them for my needs though.

          Make sure to upvote

          1 Reply Last reply Reply Quote 0
          • JKnottJ
            JKnott @JonathanLee
            last edited by

            @JonathanLee said in IPv6 EUI-64??:

            How do I enable IPv6 EUI-64 on my IPv6dhcp server?

            I missed the EUI-64 part of the question earlier. EUI-64, like EUI-48 before it, is simply a MAC address. It's not something you enable. With IPv6, it's emulated by sticking FFFE in the middle of the 48-bit MAC and flipping the 7th bit.

            Given that EUI-48 or EUI-64 is determined by hardware, I don't see why you're worried about it. Here's some info about where EUI-48 & EUI-64 are used.


            JonathanLeeJ 1 Reply Last reply Reply Quote 0
            • JonathanLeeJ
              JonathanLee @JKnott
              last edited by JonathanLee

              @JKnott Yes I want to use it. I would like to utilize EUI-64/EUI-48

              I want to expose my MAC address inside of the ipv6 address for local hosts. I want to see the MAC address of the host inside of every ipv6 address that is assigned from pfsense to the clients.

              That is my ultimate goal.

              net.inet6.ip6.use_tempaddr is set to 0 already; however, I am not seeing MAC addresses within the IPv6 addresses.

              "bit-reversed order, non-canonical form" So it might be in big-endian or little-endian. I might have them already displayed; however, to the average user that is something they would assume is incorrect.


              JKnottJ 1 Reply Last reply Reply Quote 0
              • JonathanLeeJ
                JonathanLee @patient0
                last edited by JonathanLee

                @patient0 said in IPv6 EUI-64??:

                ipv6_privacy

                They are all prebuilt system tunables and they have it disabled automatically.

                RESOLVED:

                To enable EUI-64

                change system tunables

                net.inet6.ip6.use_tempaddr=1
                net.inet6.ip6.prefer_tempaddr=1
                ipv6_privacy=YES
                

                Check the status of the IPv6 DHCP leases and specifically look at the DUID; this will now reflect the MAC address of the host using the address. That is it. Mine are clear and match the MAC address now. Easy.

                "DUID (Device Unique Identifier) is a key part of the DHCPv6 protocol that helps to ensure that each client device on a network has a unique IP address. This prevents the possibility of duplicate IP assignments, which can lead to network issues such as routing loops and DNS conflicts."


                1 Reply Last reply Reply Quote 0
                • JKnottJ
                  JKnott @JonathanLee
                  last edited by

                  @JonathanLee said in IPv6 EUI-64??:

                  @JKnott Yes I want to use it. I would like to utilize EUI-64/EUI-48

                  On Ethernet, your MAC is EUI-48 and there's nothing you can do about it. If you want EUI-64, you'll have to run something like FireWire or Zigbee. As I mentioned, IPv6 emulates it by converting the EUI-48 by sticking FFFE in the middle. There is nothing else to do.

                  What's described above, in the system tunables, is enabling privacy addresses. With SLAAC, you normally get up to 7 of them anyway. Privacy addresses have a lifetime of 7 days and you get a new one every day.

                  Read the link above about EUI-64 and this:

                  A 64-bit interface identifier can be derived from the interface's 48-bit MAC address, although stable privacy addresses are now recommended as a default instead.[2] A MAC address 00-0C-29-0C-47-D5 is turned into a 64-bit EUI-64 by inserting FF-FE in the middle: 00-0C-29-FF-FE-0C-47-D5.[f]


                  JonathanLeeJ 1 Reply Last reply Reply Quote 0
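The FFFE insertion and U/L bit flip described in the two posts above, as an added example that is not part of the thread and not pfSense or FreeBSD code. It builds the modified EUI-64 interface identifier from a 48-bit MAC, combines it with a /64 prefix the way SLAAC does, and does the inverse: given an IPv6 address, it reports whether the interface identifier embeds a MAC (and which one) or is something else, such as a temporary or stable-privacy address. The MAC is the sample value from the quoted Wikipedia passage; the prefixes are documentation prefixes chosen for the example.

```python
"""Modified EUI-64 interface identifiers (RFC 4291, Appendix A).

Added example, not from the forum thread. The MAC and prefixes below are
sample values constructed for the demonstration.
"""
from typing import Optional
import ipaddress
import re

UL_BIT = 0x02  # universal/local bit: the 7th bit of the first octet (value 0x02)


def parse_mac(mac: str) -> bytes:
    """Accept 00:0c:29:0c:47:d5, 00-0C-29-0C-47-D5 or 000c.290c.47d5."""
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return octets


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier.

    1. Split the MAC into the 24-bit OUI and the 24-bit NIC-specific part.
    2. Insert 0xFFFE between them (this gives the plain EUI-64).
    3. Invert the U/L bit of the first octet (the 'modified' part), so a
       factory-assigned MAC yields an IID whose first octet has 0x02 set.
    """
    octets = parse_mac(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= UL_BIT
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as advertised in a Router Advertisement) with the IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Inverse: recover the MAC if the low 64 bits look like a modified EUI-64.

    Returns None when the IID is not EUI-64 derived: temporary (RFC 8981)
    addresses, stable-privacy (RFC 7217) addresses, DHCPv6-assigned addresses.
    Caveat: a random IID has a 1-in-65536 chance of carrying 0xFFFE in the
    marker position, so a match is strong evidence, not proof.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & 0xFFFF_FFFF_FFFF_FFFF).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= UL_BIT  # undo the U/L flip
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:0c:29:0c:47:d5"  # sample MAC from the Wikipedia quote above
    print(mac_to_modified_eui64(mac).hex(":"))                     # 02:0c:29:ff:fe:0c:47:d5
    print(slaac_address("fe80::/64", mac))                         # fe80::20c:29ff:fe0c:47d5
    print(slaac_address("2001:db8:1::/64", mac))                   # 2001:db8:1:0:20c:29ff:fe0c:47d5
    print(mac_from_address("2001:db8:1:0:20c:29ff:fe0c:47d5"))     # 00:0c:29:0c:47:d5
    print(mac_from_address("2001:db8:1:0:8c3a:1f2b:9d4e:7a61"))    # None: random-looking IID
```

Running mac_from_address over a host's address list is a quick way to check what the tunables in this thread actually changed: an address that decodes to the NIC's MAC is EUI-64 derived, and one that returns None is a temporary or otherwise randomised identifier.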
                  • JonathanLeeJ
                    JonathanLee @JKnott
                    last edited by JonathanLee

                    @JKnott thanks for the reply. Per network fundamentals, EUI-64 at its basics takes a client's 48-bit MAC address and utilizes it in an IPv6 addressing scheme; devices have a hardware address that is vendor-assigned in the MAC address, and that is what is used. However, it can be done in different ways, it seems…

                    Don't quote me on this part, but I think every IPv6 address has the MAC address ciphered into the address, temp or not; it is just masked better. The original design is for tracking, logs, etc.; it is just sugar-coated now, which makes everyone feel better about it. The DUID (Device Unique Identifier) is still coded into the IPv6 addresses. I think they use different ciphers for IPv6 unknowingly. No one gets untraceable, untrackable devices; how could anyone call anyone else if that was the case? It needs some way to find a device on a network.

                    In pfSense, if you test out turning on or off the directives shared with us, you can see the DUID will include a vendor MAC address in clear text; the IPv6 address just masks it better with the DUID. If you set that directive to zero, only part of the MAC is included in the DUID, and if you turn the directive on (1) it is fully visible; under the leases area you can see the DUID matches a MAC address. It gets rid of ARP requests this way.


                    johnpozJ JKnottJ 2 Replies Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @JonathanLee
                      last edited by

                      @JonathanLee said in IPv6 EUI-64??:

                      MAC address ciphered into the address temp or not it just is masked better.

                      BS.. and this would be done on the client anyway.. Not pfsense..

                      Why would you think there is something in the pfsense to tell the client how to create their IPv6 address when using slaac?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      JonathanLeeJ 1 Reply Last reply Reply Quote 0
                      • JonathanLeeJ
                        JonathanLee @johnpoz
                        last edited by JonathanLee

                        @johnpoz test it, you can see the DUID change and it will show a MAC address. The only reason pfSense would let you adapt the DUID in that way is to save time with static IPv6 DHCP addressing. If the directives are turned on, the MAC address is inside the DUID in clear text; without them on, it seems to only include two parts of the MAC address in the DUID on my system. New to me… again, I could be wrong. pfSense would allow you to adapt the DUID, just like pfSense gives you the ability to create private addresses and subnets. This adjustment is on the IPv6 DHCP, so this is used for private addresses or LAN-side assignments. With non-SLAAC.

                        Is SLAAC public assignments? SLAAC is stateless management, right?

                        I am talking about DHCP for IPv6, where the DUID is used. They have an algorithm that does not mask the MAC address; it makes it clear in the DUID before the IPv6 DHCP lease and creation.

                        IMG_0982.jpeg
                        https://datatracker.ietf.org/doc/html/rfc6939
                        https://datatracker.ietf.org/doc/html/rfc6355
                        https://www.rfc-editor.org/rfc/rfc8415

                        They do have RFC info for DUID and MAC addressing. IPv6 still makes my head hurt. Again, if you can spoof a MAC, what good is the secure side of it…


                        1 Reply Last reply Reply Quote 0
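The DUID formats the three RFCs linked above define (RFC 8415 section 11; RFC 6355 adds DUID-UUID; RFC 6939 is about a relay passing the client's link-layer address separately, not about the DUID itself), as an added example that is not part of the thread and not pfSense code. It decodes the four DUID types and reports which ones carry an Ethernet MAC in the clear, which is the check behind "the DUID matches a MAC address" in the posts above: DUID-LLT and DUID-LL end in the link-layer address, DUID-EN and DUID-UUID do not contain one. The lease table and its DUIDs are constructed for the example; the MAC is the sample value used earlier in the thread.

```python
"""DUID decoder: which DHCPv6 DUID types reveal a MAC (RFC 8415 section 11, RFC 6355).

Added example, not from the forum thread. SAMPLE_LEASES is constructed data.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1                                              # IANA hardware type for Ethernet
DUID_LLT_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base, RFC 8415 11.2


def parse_duid(duid_hex: str) -> dict:
    """Decode a DUID written as colon- or dash-separated hex, as lease tables show it."""
    raw = bytes.fromhex(duid_hex.replace(":", "").replace("-", ""))
    if len(raw) < 2:
        raise ValueError("DUID too short")
    duid_type = int.from_bytes(raw[:2], "big")
    body = raw[2:]
    if duid_type == DUID_LLT:                    # type(2) | hw type(2) | time(4) | link-layer addr
        return {"type": "DUID-LLT",
                "hw_type": int.from_bytes(body[:2], "big"),
                "time": DUID_LLT_EPOCH + timedelta(seconds=int.from_bytes(body[2:6], "big")),
                "ll_addr": body[6:]}
    if duid_type == DUID_LL:                     # type(2) | hw type(2) | link-layer addr
        return {"type": "DUID-LL",
                "hw_type": int.from_bytes(body[:2], "big"),
                "ll_addr": body[2:]}
    if duid_type == DUID_EN:                     # type(2) | enterprise number(4) | opaque id
        return {"type": "DUID-EN",
                "enterprise": int.from_bytes(body[:4], "big"),
                "identifier": body[4:]}
    if duid_type == DUID_UUID:                   # type(2) | 128-bit UUID
        return {"type": "DUID-UUID", "uuid": body[:16]}
    return {"type": f"unknown({duid_type})", "body": body}


def exposed_mac(duid_hex: str) -> Optional[str]:
    """Return the Ethernet MAC a DUID reveals, or None if the DUID carries none."""
    d = parse_duid(duid_hex)
    if d["type"] in ("DUID-LLT", "DUID-LL") and d["hw_type"] == HW_ETHERNET \
            and len(d["ll_addr"]) == 6:
        return ":".join(f"{b:02x}" for b in d["ll_addr"])
    return None


SAMPLE_LEASES = {  # constructed for this example, not real lease data
    "host-a": "00:01:00:01:2a:2b:2c:2d:00:0c:29:0c:47:d5",  # DUID-LLT, Ethernet, MAC at the end
    "host-b": "00:03:00:01:00:0c:29:0c:47:d5",              # DUID-LL, Ethernet, MAC at the end
    "host-c": "00:02:00:00:09:bf:0a:0b:0c:0d",              # DUID-EN, enterprise 2495, opaque id
    "host-d": "00:04:12:34:56:78:9a:bc:de:f0:12:34:56:78:9a:bc:de:f0",  # DUID-UUID
}


def audit(leases: dict) -> dict:
    """Map each lease to the MAC its DUID exposes (None when it exposes nothing)."""
    return {name: exposed_mac(duid) for name, duid in leases.items()}


if __name__ == "__main__":
    for name, mac in audit(SAMPLE_LEASES).items():
        print(f"{name}: {parse_duid(SAMPLE_LEASES[name])['type']:9s} exposes MAC: {mac}")
```

The DUID is chosen by the client, not by the DHCPv6 server, so what the pfSense lease page shows depends on which DUID type each client's stack generated. A DUID-LLT also leaks a timestamp (seconds since 2000-01-01 UTC, roughly when the client first generated its DUID), which the decoder returns as well.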
                        • JonathanLeeJ
                          JonathanLee @johnpoz
                          last edited by

                          @johnpoz you're right, they do change the MAC addresses; you're right, they also spoof them today. Again, if a 48-bit MAC is hard-coded into a network interface there must be a way to know the differences. Vendor ID is key.


                          JKnottJ 1 Reply Last reply Reply Quote 0
                          • JKnottJ
                            JKnott @JonathanLee
                            last edited by

                            @JonathanLee said in IPv6 EUI-64??:

                            Don’t quote me on this part, I think every IPv6 has the MAC address ciphered into the address temp or not it just is masked better.

                            Ooops! I quoted you! 😉

                            An IPv6 address can use either the MAC address or a random number, your choice. As I mentioned, with SLAAC, you can have up to 8 global addresses. One is consistent and would be used for servers, etc. The other 7 are always based on a random number and used when you connect to somewhere else. So, when you go to a web site, you will be using the most recent of the 7 temporary addresses.


                            1 Reply Last reply Reply Quote 1
                            • JKnottJ
                              JKnott @JonathanLee
                              last edited by

                              @JonathanLee said in IPv6 EUI-64??:

                              Vendor ID is key

                              So, you're saying a vendor couldn't make, for example, both an Ethernet and Firewire interface? I doubt it.


                              JonathanLeeJ 1 Reply Last reply Reply Quote 0
                              • JonathanLeeJ
                                JonathanLee @JKnott
                                last edited by

                                @JKnott part of the 48-bit MAC address has vendor information; you can use part of the 48-bit MAC and find who made the device by way of an online database.


                                johnpozJ JKnottJ 2 Replies Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @JonathanLee
                                  last edited by

                                  @JonathanLee pretty sure Kea DHCPv6 allows for reservation of IPv6 via MAC vs DUID, if that will help you out. At some point here that will probably make it to the pfSense integration.


                                  JonathanLeeJ 1 Reply Last reply Reply Quote 1
                                  • JonathanLeeJ
                                    JonathanLee @johnpoz
                                    last edited by

                                    @johnpoz I made a feature request for it but

                                    https://redmine.pfsense.org/issues/15632

                                    Jim Pingle closed it


                                    johnpozJ 1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator @JonathanLee
                                      last edited by

                                      @JonathanLee it's not going to do it for any IP out of the pool. It would be for a reservation.

                                      https://kb.isc.org/docs/what-are-host-reservations-how-to-use-them

                                      hardware address is one of the options for host-reservation-identifiers


                                      JonathanLeeJ 1 Reply Last reply Reply Quote 0
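What a MAC-keyed host reservation looks like in Kea's own DHCPv6 configuration format, as an added example that is not from the thread and not the configuration pfSense generates. The interface name, subnet, pool, addresses and hostname are placeholders chosen for the example; the MAC and the DUID-LL are the sample values used earlier in the thread. "host-reservation-identifiers" lists the identifiers Kea tries, in order, when matching a client to a reservation, and "mac-sources" lists the ways Kea is allowed to learn a DHCPv6 client's MAC ("any" tries them all).

```json
{
  "Dhcp6": {
    "interfaces-config": { "interfaces": [ "igb1" ] },
    "host-reservation-identifiers": [ "hw-address", "duid" ],
    "mac-sources": [ "any" ],
    "subnet6": [
      {
        "id": 1,
        "subnet": "2001:db8:1::/64",
        "pools": [ { "pool": "2001:db8:1::1000 - 2001:db8:1::ffff" } ],
        "reservations": [
          {
            "hw-address": "00:0c:29:0c:47:d5",
            "ip-addresses": [ "2001:db8:1::10" ],
            "hostname": "host-a"
          },
          {
            "duid": "00:03:00:01:00:0c:29:0c:47:d5",
            "ip-addresses": [ "2001:db8:1::11" ],
            "hostname": "host-b"
          }
        ]
      }
    ]
  }
}
```

The caveat a practitioner should know: DHCPv6 messages carry no MAC field, so an "hw-address" reservation only matches when Kea can learn the MAC from somewhere, namely a DUID-LL or DUID-LLT sent by the client, the Client Link-Layer Address option (RFC 6939) inserted by a relay, or the Ethernet header when the client is on the same link as the server. A client with a DUID-EN or DUID-UUID behind a relay that does not add option 79 never matches the first reservation and simply gets a pool address, which is why the post above says this covers reservations, not addresses handed out from the pool.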
                                      • JonathanLeeJ
                                        JonathanLee @johnpoz
                                        last edited by

                                        @johnpoz maybe I should reopen it as a host reservation feature request


                                        johnpozJ 1 Reply Last reply Reply Quote 0
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @JonathanLee
                                          last edited by

                                          @JonathanLee not even sure why you are putting in a feature request at this point. I would wait till Kea is out of preview. I would think, since it is a clearly defined option in Kea, that it would most likely be available once they are out of preview mode for Kea.


                                          1 Reply Last reply Reply Quote 1
                                          • JKnottJ
                                            JKnott @JonathanLee
                                            last edited by

                                            @JonathanLee

                                            Yes, I've been aware of that for coming up on 30 years.


                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.