IPv6 EUI-64??

JonathanLee · Jul 23, 2024, 6:39 AM

@johnpoz test it you can see the DUID change and it will show a MAC address. The only reason pfSense would let you adapt the DUID in that way is to save time with static IPv6 dhcp addressing. If the directives are turned on the MAC address is inside the DUID in clear text without it on it’s seems to only include two parts of the MAC address in DUID on my system. New to me… again I could be wrong. PfSense would allow you adapt the DUID, just like pfSense gives you the ability to create private addresses and subnets. this adjustment is on the IPv6 dhcp so it’s this is used for private addresses or lan side assignments side. With Non SLAAC.

Is SLAAC public assignments? SLAAC is stateless management right?

I am talking about dhcp of ipv6 where duid is used. They have an algorithm that does not mask the MAC address makes it clear in duid before the ipv6 dhcp lease and creations.

login-to-view
https://datatracker.ietf.org/doc/html/rfc6939
https://datatracker.ietf.org/doc/html/rfc6355
https://www.rfc-editor.org/rfc/rfc8415

They do have RFC info for DUID and Mac addressing. IPv6 still makes my head hurt. Again If you can spoof a Mac what good is the secure side of it …

JonathanLee · Jul 23, 2024, 5:50 AM

@johnpoz your right they do change the MAC addresses your right they also spoof them today. Again if a 48 mac is hard coded into a network interface there must be a way to know the differences. Vendor ID is key

JKnott · Jul 23, 2024, 2:10 PM

@JonathanLee said in IPv6 EUI-64??:

Don’t quote me on this part, I think every IPv6 has the MAC address ciphered into the address temp or not it just is masked better.

Ooops! I quoted you!

An IPv6 address can use either the MAC address or a random number, your choice. As I mentioned, with SLAAC, you can have up to 8 global addresses. One is consistent and would be used for servers, etc.. The other 7 are always based on a random number and used when you connect to somewhere else. So, when you go to a web site, you will be using the most recent of the 7 temporary addresses.

JKnott · Jul 23, 2024, 2:12 PM

@JonathanLee said in IPv6 EUI-64??:

Vendor ID is key

So, you're saying a vendor couldn't make, for example, both an Ethernet and Firewire interface? I doubt it.

JonathanLee · Jul 23, 2024, 3:11 PM

@JKnott part of the 48 bit MAC address has vendor information you can use part of the 48 bit mac and find who made the device by way of online database.

johnpoz · Jul 23, 2024, 3:14 PM

@JonathanLee pretty sure kea dhcpv6 allows for reservation of ipv6 via mac vs duid.. If that will help you out.. at some point here that will prob make it to pfsense integration.

JonathanLee · Jul 23, 2024, 3:17 PM

@johnpoz I made a feature request for it but

https://redmine.pfsense.org/issues/15632

Jim pingle closed it

johnpoz · Jul 23, 2024, 3:34 PM

@JonathanLee its not going to do it for any IP out of the pool.. It would be for a reservation..

https://kb.isc.org/docs/what-are-host-reservations-how-to-use-them

hardware address is one of the options of the host-reservation-identifiers

JonathanLee · Jul 23, 2024, 4:01 PM

@johnpoz maybe I should reopen it as a host reservation feature request

johnpoz · Jul 23, 2024, 4:03 PM

@JonathanLee not even sure why you are putting in a feature request at this point.. I would wait til kea is out of preview.. I would think since it is a clearly defined option in kea, that it would most likely be available once they out of preview mode for kea.

JKnott · Jul 23, 2024, 4:49 PM

@JonathanLee

Yes, I've been aware of that for coming up on 30 years.