
On demand new IPv6 using privacy extension?

Server Fault Asked by WannabeCoder on December 12, 2020

Enabling Privacy Extension (net.ipv6.conf.eth0.use_tempaddr=2 in /etc/sysctl.conf) for IPv6 gives me a new IP address for a fixed period of time. Is there a way to get a new IPv6 on demand, i.e. refresh a new IPv6 when needed?

One Answer

The "active" temporary address has properties temporary and dynamic but not deprecated. When it's about to become deprecated (i.e. its preferred_lft value drops to 0), a new temporary address is added by the kernel to the interface.

The interface's current temporary address will be part of the results shown here:

ip -6 address show temporary dynamic

but not part of the older addresses which are still valid but deprecated shown with:

ip -6 address show temporary deprecated

You just have to lower its preferred_lft property to near zero to trigger the creation of the new temporary address. From trial and error, this won't work if preferred_lft is set below 3: the countdown reaches 0 before triggering the creation and then it won't work anymore (but one can still set preferred_lft again to >= 3 later to get the trigger). I don't know if there's any knob about this peculiarity. 5 seconds looks like a safe value, meaning the new address will appear about 2 or 3 seconds later.

Let's suppose the current found value is 2001:db8::1/64 on interface eth0:

ip address change 2001:db8::1/64 dev eth0 preferred_lft 5

Note that tampering with this removes the dynamic property, which would not have happened naturally, and might possibly trigger later creation of additional temporary addresses sooner than expected.


With ip's JSON output and jq some scriptability is possible. Here's what I came up with to output the commands ready to pipe to a shell to change all candidate temporary addresses at once (usually requires a multi-homed system to get more than one, but tampering with this might perhaps create multiple ones later too). It verifies that the temporary and dynamic address is not deprecated to consider it a candidate:

ip -6 -p -j address show temporary dynamic | jq -j '.[] |
    . as $i |
        .addr_info[] as $a |
            if $a.local == null // $a.deprecated == true then
                empty
            else
                "ip -6 address change ",
                $a.local, "/", $a.prefixlen,
                " dev ", $i.ifname,
                " preferred_lft 5\n"
            end'

which would output again:

ip -6 address change 2001:db8::1/64 dev eth0 preferred_lft 5

You might consider also reducing valid_lft to have the now deprecated address disappear completely faster.

Correct answer by A.B on December 12, 2020
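
The procedure from the answer above, as an added example that is not part of the original answer: it applies the same candidate test to ip's JSON output, enforces the preferred_lft floor of 3, optionally sets valid_lft, and builds argv lists instead of text piped to a shell. The function name `rotation_commands`, the sample JSON and the `valid_lft=60` value are assumptions made for illustration.

```python
import ipaddress
import json

MIN_PREFERRED_LFT = 3  # the answer's trial-and-error floor: below this no new address appears

# Constructed sample of `ip -6 -j address show temporary dynamic` output.
# ip leaves empty objects in addr_info for addresses it filtered out.
SAMPLE = json.loads("""
[{"ifname": "eth0", "addr_info": [
   {"family": "inet6", "local": "2001:db8::1", "prefixlen": 64,
    "temporary": true, "dynamic": true,
    "valid_life_time": 600000, "preferred_life_time": 80000},
   {"family": "inet6", "local": "2001:db8::2", "prefixlen": 64,
    "temporary": true, "dynamic": true, "deprecated": true,
    "valid_life_time": 500000, "preferred_life_time": 0},
   {}]}]
""")


def rotation_commands(links, preferred_lft=5, valid_lft=None):
    """Return argv lists that deprecate every active temporary address."""
    if preferred_lft < MIN_PREFERRED_LFT:
        raise ValueError(f"preferred_lft must be >= {MIN_PREFERRED_LFT}")
    if valid_lft is not None and valid_lft < preferred_lft:
        raise ValueError("valid_lft must not be lower than preferred_lft")
    commands = []
    for link in links:
        for addr in link.get("addr_info", []):
            # Same candidate test as the jq filter: has an address, not deprecated.
            if addr.get("local") is None or addr.get("deprecated"):
                continue
            # Parsing rejects anything that is not a plain IPv6 address/prefix.
            iface = ipaddress.IPv6Interface(f"{addr['local']}/{addr['prefixlen']}")
            argv = ["ip", "-6", "address", "change", str(iface),
                    "dev", link["ifname"], "preferred_lft", str(preferred_lft)]
            if valid_lft is not None:
                # Makes the deprecated address disappear sooner, as the answer suggests.
                argv += ["valid_lft", str(valid_lft)]
            commands.append(argv)
    return commands


if __name__ == "__main__":
    for argv in rotation_commands(SAMPLE, preferred_lft=5, valid_lft=60):
        print(" ".join(argv))  # pass each argv to subprocess.run() as root to apply
```

On a live system, feed it `json.loads()` of the output of `ip -6 -j address show temporary dynamic` instead of the constructed sample.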
