Netgate Discussion Forum

    Does “Static IPv6” LAN interface break the ISP GUA prefix delegation router advertisements?

    IPv6
    23 Posts 2 Posters 2.5k Views 3 Watching
    • E Offline
      Evolve 0 @JKnott
      last edited by

      @jknott
      But are you talking about manual editing the host override file?

      If this is the case, I don't want to do manual actions, that is editing the host override file in order to let the DNS resolver resolve the IPV6 hostnames, this is because this implies that I need to get every stable SLAAC address from every device on the network and add it to host override file, if you have many devices in the network this is a nightmare.

      With Dhcpv6 the resolving of the IPV6 hostnames would be automatic. (Given that the network device sends a hostname in the dhcpv6 request, clearly)

      1 Reply Last reply Reply Quote 0
      • JKnottJ Offline
        JKnott @Evolve 0
        last edited by

        @evolve-0

        Here's what I'm talking about. Here's a list of my current ULA addresses, though the exact same thing applies to my GUA.

        inet6 fd48:1a37:2160:0:c14e:be6f:20c0:6239/64 scope global temporary dynamic
        inet6 fd48:1a37:2160:0:dd35:5608:b18a:aceb/64 scope global temporary deprecated dynamic
        inet6 fd48:1a37:2160:0:649a:3a35:f820:e971/64 scope global temporary deprecated dynamic
        inet6 fd48:1a37:2160:0:88bc:3344:47:9e2/64 scope global temporary deprecated dynamic
        inet6 fd48:1a37:2160:0:d053:5e35:4415:af6b/64 scope global temporary deprecated dynamic
        inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa/64 scope global dynamic mngtmpaddr

        The last one, ending in f5fa, is my consistent address and is based on the MAC address. All the rest are privacy addresses and only the latest isn't deprecated. I don't yet have seven, as I updated the linux version a few days ago, and there hasn't been enough time since then to get them.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        E 1 Reply Last reply Reply Quote 0
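As an added example (not code from the post above or from pfSense), here is a small Python parser for `ip -6 addr` lines like the ones JKnott quoted. It separates the temporary privacy addresses from the stable one, tells a MAC-derived (modified EUI-64) identifier apart from an opaque one by the `ff:fe` marker in the middle of the identifier, and returns the single (hostname, address) pair a DNS host override would use. The sample input is the list quoted above, embedded as a constructed string; the hostname `desktop` is a placeholder.

```python
import re
from ipaddress import IPv6Interface

# Constructed sample input: the `ip -6 addr` lines quoted in the post above.
SAMPLE = """\
inet6 fd48:1a37:2160:0:c14e:be6f:20c0:6239/64 scope global temporary dynamic
inet6 fd48:1a37:2160:0:dd35:5608:b18a:aceb/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:649a:3a35:f820:e971/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:88bc:3344:47:9e2/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:d053:5e35:4415:af6b/64 scope global temporary deprecated dynamic
inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa/64 scope global dynamic mngtmpaddr
"""

LINE_RE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\S+)\s*(.*)$")


def parse_inet6(text):
    """Yield (IPv6Interface, scope, flags) for every 'inet6' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, scope, flags = m.groups()
            yield IPv6Interface(addr), scope, set(flags.split())


def is_eui64(ip):
    """True when the 64-bit interface identifier carries the 0xfffe marker
    of a modified EUI-64 IID, i.e. it was derived from the MAC address."""
    iid = int(ip) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def classify(text):
    """Split global-scope addresses into stable ones (the only sensible
    targets for a DNS host override) and temporary privacy addresses.
    Temporary entries are (address, deprecated?) pairs."""
    stable, temporary = [], []
    for iface, scope, flags in parse_inet6(text):
        if scope != "global":
            continue
        if "temporary" in flags:
            temporary.append((str(iface.ip), "deprecated" in flags))
        else:
            kind = "eui64-mac" if is_eui64(iface.ip) else "opaque"
            stable.append((str(iface.ip), kind))
    return stable, temporary


def host_override_entry(hostname, text):
    """Return the (hostname, address) pair to register, or None unless the
    interface has exactly one stable global address (anything else needs
    a human decision rather than a blind override)."""
    stable, _ = classify(text)
    if len(stable) != 1:
        return None
    return hostname, stable[0][0]


if __name__ == "__main__":
    print(classify(SAMPLE))
    print(host_override_entry("desktop", SAMPLE))  # "desktop" is a placeholder
```

Run against the sample, only the address ending in `f5fa` survives as stable, and it is flagged `eui64-mac` because of the `35ff:fe5b` marker; the five `temporary` entries are the privacy addresses, of which only the first is not yet deprecated.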
        • E Offline
          Evolve 0 @JKnott
          last edited by

          @jknott
          OK, but do you put the address ending in f5fa in the pfSense host override file manually in order to let the pfSense DNS resolver resolve the f5fa hostname?

          JKnottJ 1 Reply Last reply Reply Quote 0
          • JKnottJ Offline
            JKnott @Evolve 0
            last edited by

            @evolve-0

            No, that address is based on the MAC address of the interface. Optionally, I could have used a random number. Either way, that particular address doesn't change. As I mentioned, the privacy addresses change daily, which makes them useless for use with DNS.

            Also, these addresses are on my Linux desktop system. pfSense does not use privacy addresses. In the DNS resolver I used that consistent address with the host name for a host override. You will see those things on your system, once you have it working.

            E 1 Reply Last reply Reply Quote 0
            • E Offline
              Evolve 0 @JKnott
              last edited by Evolve 0

              @jknott

              So, you finally confirmed that you manually put that address in the host override.

              The whole point is to avoid this “manual” action.

              With the DHCPv6 server, pfSense saves an association between an IPv6 address and its hostname, and it is able to automatically resolve it without any manual intervention.

              JKnottJ 1 Reply Last reply Reply Quote 0
              • JKnottJ Offline
                JKnott @Evolve 0
                last edited by

                @evolve-0

                How does that host name get configured? I bet at some point it's manually configured. If you're doing that, does it really matter where you configure it?

                E 1 Reply Last reply Reply Quote 0
                • E Offline
                  Evolve 0 @JKnott
                  last edited by Evolve 0

                  @jknott

                  I am not talking about the configuring of the host name.

                  I am talking about automatic resolution of IPV6 hostnames.

                  If you use the pfSense DHCPv6 server, pfSense has all the data to resolve the client hostname, since it gives the client the IPv6 address and also has its host name, because it (the host name) has been sent by the client in the DHCPv6 request.

                  I cannot explain it more clearly than that.

                  JKnottJ 1 Reply Last reply Reply Quote 0
                  • JKnottJ Offline
                    JKnott @Evolve 0
                    last edited by

                    @evolve-0

                    And how does the DHCP server get the host name? Unless random names are used, at some point someone has to configure a host name somewhere. It doesn't just happen automagically.

                    E 1 Reply Last reply Reply Quote 0
                    • E Offline
                      Evolve 0 @JKnott
                      last edited by

                      @jknott It is part of the DHCPv6 specifications: when a client requests an IPv6 address from a DHCPv6 server, it sends the hostname in its request.

                      JKnottJ 1 Reply Last reply Reply Quote 0
                      • JKnottJ Offline
                        JKnott @Evolve 0
                        last edited by

                        @evolve-0

                        And how is that host name originally configured? If I want to call a computer "Bob", at some point I have to enter that name somewhere. Sure, with DHCP it can pass a host name to the server, nothing new there, but it's still manually configured at some point. Well, why not do that at the server, where you're already doing more? What happens if you take that computer to another network, where a different name is expected?

                        E 1 Reply Last reply Reply Quote 1
                        • E Offline
                          Evolve 0 @JKnott
                          last edited by Evolve 0

                          @jknott
                          That's a good point.

                          So I think that with pfSense I have only two ways to achieve what I want, but neither is without problems:

                          1. Do what you suggested, so manually filling the pfSense host override with the stable ULA addresses. With this approach the biggest annoyance that I see is that some devices use privacy extensions, and in case of OS reinstall the stable ULA would be different since it's randomly generated, so I would have to update the host override file with the new ULA.

                          2. Use a static DHCPv6 mapping, but this has the same annoyance because I need the DUID in order to create a static DHCPv6 mapping, and unfortunately the DUID is not guaranteed to be the same after an OS reinstall.

                          JKnottJ 1 Reply Last reply Reply Quote 0
                          • JKnottJ Offline
                            JKnott @Evolve 0
                            last edited by

                            @evolve-0

                            Whether a device uses privacy extensions is irrelevant. It will still have a consistent address. You can enable or disable privacy addresses. You cannot disable the consistent address. All you can do is choose whether it will be MAC based or a random number. Either way, it does not change until you change it.

                            E 1 Reply Last reply Reply Quote 0
                            • E Offline
                              Evolve 0 @JKnott
                              last edited by

                              @jknott
                              Yes, but if it is random based and you have to reset the device, a new, different random-based consistent address will be generated.

                              JKnottJ 1 Reply Last reply Reply Quote 0
                              • JKnottJ Offline
                                JKnott @Evolve 0
                                last edited by

                                @evolve-0

                                No, when the random number is selected, it does not change. It's as though you pulled a number out of a hat and used that number to configure the interface. The random numbers used for the privacy addresses do change daily.

                                With SLAAC, you will have one consistent address that doesn't change and up to 7 privacy addresses that do.

                                Take a look at my ULA prefix. Other than the first 7 bits, that is a random number. I generated the number and pasted it into the configuration and it hasn't changed since I did that.

                                E 2 Replies Last reply Reply Quote 1
                                • E Offline
                                  Evolve 0 @JKnott
                                  last edited by

                                  @jknott
                                  Are you telling me that if the device was reset (OS reinstall) the stable ULA address would be identical to the one ending with f5fa?

                                  JKnottJ 1 Reply Last reply Reply Quote 0
                                  • E Offline
                                    Evolve 0 @JKnott
                                    last edited by

                                    @jknott
                                    Wow, I didn't know that. I am reading RFC 7217 (stable private addresses), I guess it's what you refer to. I didn't know that, it's cool..

                                    1 Reply Last reply Reply Quote 0
                                    • JKnottJ Offline
                                      JKnott @Evolve 0
                                      last edited by

                                      @evolve-0

                                      Yes, the random number used for the consistent address is generated when the interface is configured.

                                      There's one other point against DHCPv6. It's not supported by Android devices. You can thank some genius at Google for that one.

                                      E 1 Reply Last reply Reply Quote 0
                                      • E Offline
                                        Evolve 0 @JKnott
                                        last edited by Evolve 0

                                        @jknott
                                        I know his name, Lorenzo 😁

                                        Anyway.. Thanks a lot for clearing my thoughts about the IPv6 SLAAC private stable address.

                                        This is definitely the way to go, that is, using only SLAAC (unmanaged) with different RA subnets, one from the ISP PD and the other with a randomly chosen ULA prefix.

                                        Get all the stable SLAAC IPv6 addresses and save them in the pfSense host override, associating them with unique and intuitive names.

                                        Thanks a lot for all your help, I really appreciate it.

                                        P.S.: I read RFC 7217 carefully and there are rare cases in which the generated SLAAC privacy stable address would be different:
                                        "Finally, we note that since different implementations are likely to use different values for the secret_key parameter, and may also employ different PRFs for F() and different sources for the Net_Iface parameter, the addresses generated by this scheme should not expected to be stable across different operating-system installations. For example, a host that is dual-boot or that is reinstalled may result in different IPv6 addresses for each operating system and/or installation."

                                        But I think that depends on the type of OS. I think that in most cases the stable privacy address is the same even after a reinstall of the same OS, maybe different between different versions of the same OS, and most certainly different between different OSes, but I think we can live with that 😀

                                        JKnottJ 1 Reply Last reply Reply Quote 0
                                        • JKnottJ Offline
                                          JKnott @Evolve 0
                                          last edited by

                                          @evolve-0

                                          I don't see that being a problem. No matter how the random number is generated, duplicate address detection is used to avoid collisions. As long as there is a 64 bit random number, its actual value is irrelevant. If it matches with an address on a different subnet, so what? The prefix will be different, so the address will still be unique.

                                          I think some people worry too much about "privacy". While there may be some concern about tracking people where they go through their MAC address, there's no reason to worry about it for the stable address. It would only be used for reaching a computer, so the address must be known. If it's always in one location, then there's nothing to track. Further, once you're off the local network, there's no way to tell if it's a MAC or random number based address.

                                          1 Reply Last reply Reply Quote 0
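An added example that is not part of the thread or of pfSense: a Python sketch of the RFC 7217 scheme quoted two posts up (RID = F(Prefix | Net_Iface | Network_ID | DAD_Counter | secret_key), IID = the low 64 bits of RID) together with the duplicate address detection argument from the post above. The RFC leaves F() to the implementer; HMAC-SHA256 keyed with secret_key is an assumption here, as are the two secret keys, the interface name `eth0`, the empty Network_ID, the documentation GUA prefix standing in for the ISP delegation, and the in-memory set that stands in for what DAD would see on the link. The ULA prefix is the one from the thread.

```python
import hashlib
import hmac
from ipaddress import IPv6Address, IPv6Network


def rfc7217_iid(prefix, net_iface, network_id, secret_key, dad_counter=0):
    """RID = F(Prefix | Net_Iface | Network_ID | DAD_Counter | secret_key),
    IID = least significant 64 bits of RID.  RFC 7217 leaves F() to the
    implementer; HMAC-SHA256 keyed with secret_key is an assumption here."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    msg = (net.network_address.packed[:8]          # the 64-bit prefix
           + net_iface.encode() + b"\x00"          # NUL-separated so fields
           + network_id.encode() + b"\x00"         # cannot run together
           + dad_counter.to_bytes(4, "big"))
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(rid[-8:], "big")


def rfc7217_address(prefix, net_iface, network_id, secret_key, dad_counter=0):
    """Combine the /64 prefix with the generated interface identifier."""
    net = IPv6Network(prefix)
    iid = rfc7217_iid(prefix, net_iface, network_id, secret_key, dad_counter)
    return IPv6Address(int(net.network_address) | iid)


def iid_of(ip):
    """Low 64 bits of an address, i.e. its interface identifier."""
    return int(ip) & ((1 << 64) - 1)


def pick_address(prefix, net_iface, network_id, secret_key, in_use, max_tries=8):
    """Emulate DAD: `in_use` stands in for addresses already claimed on the
    link; on a collision DAD_Counter is bumped and a fresh IID is tried."""
    for counter in range(max_tries):
        cand = rfc7217_address(prefix, net_iface, network_id, secret_key, counter)
        if cand not in in_use:
            return cand, counter
    raise RuntimeError("no collision-free address after %d tries" % max_tries)


# Constructed inputs: the ULA prefix from the thread, a documentation GUA
# prefix standing in for the ISP delegation, and two made-up secret keys.
ULA = "fd48:1a37:2160::/64"
GUA = "2001:db8:1234:5678::/64"
KEY_PERSISTED = b"secret key saved on first boot (constructed)"
KEY_REINSTALL = b"new secret key from a fresh install (constructed)"


def demo():
    """Return the three properties argued in the thread as booleans."""
    first = rfc7217_address(ULA, "eth0", "", KEY_PERSISTED)
    after_reboot = rfc7217_address(ULA, "eth0", "", KEY_PERSISTED)
    after_reinstall = rfc7217_address(ULA, "eth0", "", KEY_REINSTALL)
    on_gua = rfc7217_address(GUA, "eth0", "", KEY_PERSISTED)
    return {
        # same key, same inputs: the address survives reboots
        "stable_across_reboot": first == after_reboot,
        # a reinstall that generates a new secret_key: the RFC's caveat
        "changes_on_reinstall": first != after_reinstall,
        # unlike EUI-64, the IID is per prefix because Prefix feeds F()
        "iid_differs_per_prefix": iid_of(first) != iid_of(on_gua),
    }


if __name__ == "__main__":
    print(demo())
    taken = {rfc7217_address(ULA, "eth0", "", KEY_PERSISTED)}
    print(pick_address(ULA, "eth0", "", KEY_PERSISTED, taken))
```

The two keys are the whole story behind the RFC text quoted above: as long as the secret persists, the host gets the same address on every boot, and a reinstall that does not carry the secret over produces a new one, which is when a host override would need updating. On Linux that secret is the `net.ipv6.conf.<iface>.stable_secret` sysctl used when `addr_gen_mode` is 2 (stable-privacy). The `pick_address` loop shows why the actual value of the identifier does not matter for uniqueness: a collision on the link just advances DAD_Counter, and a matching identifier under a different prefix is a different address altogether.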
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.