IPv6 MAC address leak prevention?
-
I've got a 2.2 Release system talking to a Comcast 100 Mbit WAN. Comcast has IPv6 support and it seems to work fine using interface tracking on the LAN side once I disabled the overzealous bogon blocking. However, I noticed that pfSense assigns the client MAC address as the local part of the IPv6 address. I'd rather not have the MAC addresses of specific clients leaking out onto the net - is there a way around this that I'm missing?
-
@jpp:
Comcast has IPv6 support and it seems to work fine using interface tracking on the LAN side once I disabled the overzealous bogon blocking.
I really would appreciate if you filed a bug, documented why the darned 8000::/1 needs to go. Because devs think it's just perfectly fine there: https://redmine.pfsense.org/issues/3214
As for the rest, unless you are using DHCPv6, pfSense does not really assign anything. Any settings to use/prefer temporary IPv6 addresses need to be done on clients.
-
@jpp:
…
is there a way around this that I'm missing?
...Conceptually IPv6 is a public affair. And you can use privacy extensions.
-
All of my recent Mac OS X and iOS devices appear to follow RFC 4941 and create addresses with random host portions to use for outgoing traffic. You should see if whatever you're using has the same capability.
As for the rest, unless you are using DHCPv6, pfSense does not really assign anything.
I think when using interface tracking DHCPv6 is enabled whether you want it or not, but of course it won't assign an address with a MAC-based host portion.
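To make the OP's question and the RFC 4941 answer above concrete, here is an added example (not from this thread and not pfSense code) that shows what a SLAAC client without privacy extensions does with its MAC, and audits a list of addresses for that leak. The MAC, the prefix (from the 2001:db8::/32 documentation range) and the addresses are constructed samples; the function names are my own.

```python
"""Added example for this thread (not pfSense code): show how SLAAC embeds a
client MAC in the interface identifier, and audit a list of addresses for
that leak.  MACs, prefixes and addresses are constructed samples; the
prefix uses the RFC 3849 documentation range 2001:db8::/32.
"""
import ipaddress
from typing import Dict, Iterable, Optional

# Bytes SLAAC inserts into the middle of a 48-bit MAC to build a 64-bit IID.
EUI64_FILLER = b"\xff\xfe"


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 Appendix A): split the MAC, insert ff:fe,
    and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + EUI64_FILLER + octets[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host without privacy extensions configures from an RA
    prefix: the /64 prefix followed by the modified EUI-64 of its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    packed = net.network_address.packed[:8] + mac_to_eui64_iid(mac)
    return str(ipaddress.IPv6Address(packed))


def embedded_mac(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 interface identifier, or return None
    when the IID does not carry the ff:fe marker.  A random RFC 4941 IID
    matches the marker by chance only 1 time in 65536, so treat a hit as
    strong evidence rather than proof."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != EUI64_FILLER:
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def audit(addresses: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each address to the MAC it leaks, or None.  Link-local
    (fe80::/10) EUI-64 addresses are reported too, but they never leave
    the segment, so only the global ones matter for this thread."""
    return {a: embedded_mac(a) for a in addresses}


# Constructed sample: what a client's `ifconfig` / `ip -6 addr` might list.
SAMPLE_MAC = "00:1b:21:aa:bb:cc"
SAMPLE_PREFIX = "2001:db8:1234:abcd::/64"
SAMPLE_ADDRESSES = [
    slaac_address(SAMPLE_PREFIX, SAMPLE_MAC),       # MAC-derived global, leaks
    "fe80::21b:21ff:feaa:bbcc",                     # link-local EUI-64
    "2001:db8:1234:abcd:5d1e:9a3f:7c04:b182",       # RFC 4941 temporary (random)
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_ADDRESSES).items():
        status = f"embeds MAC {mac}" if mac else "no EUI-64 marker"
        print(f"{addr:45} {status}")
```

Run it against the output of `ifconfig` or `ip -6 addr` on a client and any global address flagged as embedding a MAC is the one the OP is worried about; the fix belongs on the client, as the thread says. As a practitioner check (my note, not from the thread): on FreeBSD and OS X the sysctls are `net.inet6.ip6.use_tempaddr` and `net.inet6.ip6.prefer_tempaddr` (both 1 for temporary addresses that are also preferred for outgoing traffic); on Linux it is `net.ipv6.conf.<iface>.use_tempaddr` (2 means enabled and preferred); on Windows `netsh interface ipv6 show privacy` reports the state.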
-
As for the rest, unless you are using DHCPv6, pfSense does not really assign anything.
I think when using interface tracking DHCPv6 is enabled whether you want it or not, but of course it won't assign an address with a MAC-based host portion.
Unfortunately, this isn't true. pfSense will only let you enable DHCPv6 if you have one or more internal interfaces with static IPv6, and only for those interfaces with a static address. Otherwise it's all unmanaged/SLAAC for addresses.
Now, if you had set up an interface with a static IPv6 address and enabled DHCPv6, then changed the interface so it's not static but didn't disable DHCPv6 first, it used to keep DHCPv6 running so it would continue to function. Not sure if it still does though.
There is a feature request asking for DHCPv6 to list interfaces that are configured to track interface.
-
Looking at the code it might be a special case for tracking a 6RD or DHCP-PD WAN interface (I'm using 6RD), but when I first enabled track interface my Solaris 11.1 box promptly fetched a DHCPv6 address from pfSense. It even showed up in "Status->DHCPv6 Leases". I had to switch to a static LAN address to shut DHCPv6 off. My IPv4 WAN address is static so this shouldn't be a problem.
-
@virgiliomi:
Unfortunately, this isn't true. pfSense will only let you enable DHCPv6 if you have one or more internal interfaces with static IPv6, and only for those interfaces with a static address. Otherwise it's all unmanaged/SLAAC for addresses.
No, he is actually correct; "track interface" does enable a DHCP6 server on that interface. You'll see a process like this:
/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid em0 em1
Note that this is actually explained in the description of the bug report you referenced as well. The real problem is that the web interface for some reason doesn't allow you to configure it, so there's no way to change the settings.
-
I really would appreciate if you filed a bug, documented why the darned 8000::/1 needs to go. Because devs think it's just perfectly fine there: https://redmine.pfsense.org/issues/3214
It is perfectly fine there. The problem is #3395 regressed and has been fixed (again…with a new comment to not move the thing).
-
The real problem is that the web interface for some reason doesn't allow you to configure it, so there's no way to change the settings.
It's something that's never gotten around to being done in a configurable manner. It's high on the list of things that aggravate me, though being a non-regression, it's going to be a little bit until I get back to that (post-2.2.1).
-
@jpp:
However, I noticed that pfSense assigns the client MAC address as the local part of the IPv6 address.
No, your clients are doing that themselves. They should be using privacy addressing, so the v6 IP with the MAC in it is assigned, but not actually used for Internet traffic. Check on privacy addressing with your client OS(es) of choice. It's on by default in every recent mainstream OS (Windows, Linux, OS X, iOS, BSDs, etc.).