[sdnog] Temporary IPv6 Address

Nishal Goburdhan nishal at controlfreak.co.za
Mon Feb 2 14:48:32 SAST 2015


> On 29 Jan 2015, at 08:26, Sara Alamin <sara.alamin at sudren.edu.sd> wrote:
> 
> Thanks Nishal for the clear explanation.
> but I am still wondering why the internet sees the temporary address; does that mean the temporary address has a higher priority than the static/DHCP address?


from my original explanation: 
"so how do these work?  when you connect to something, the connection from your side, is *sourced* from your temporary address.  that is why your "temporary" address showed up, when you connected to the website above, because the remote side saw this (your temporary address) as the connection-source; and this is what they log.  and, because this temporary address is randomised, and changes over time, it's not really possible to track you, just by using your IPv6 address." 

...so, yes, your operating system *chooses* the temporary address over the EUI64 one.
you can change this behaviour if you want; here's the sysctl for mac osx, for example:

katala:~ nishal$ sysctl -w net.inet6.ip6.prefer_tempaddr
net.inet6.ip6.prefer_tempaddr: 1



>> remember that with IPv6, you can have multiple addresses on the same interface at the same time. 
> yes! honestly I cannot understand how that can be done. does the interface use all the IP addresses at the same time? and what is the benefit of that?

no. the operating system has the ability to choose, and/or use an address, depending on a set of criteria that it feels is important. (speaking to everything at the same time is just wasteful...)

consider the simple case of having to renumber a network with end-users. every device will have an existing IPv6 address in the network that's being used now (let's say 2001:db8::/64).
now, you decide you need to renumber your network, so you add in the necessary upstream routing, etc, and as a final step, you add the new network prefix (say: 2001:eff::/64) to the interface facing all the clients on that lan. your router starts to do router advertisements (RAs) with the new address, so your network devices can now have two addresses; at least one in each prefix - the original (2001:db8) and the new (2001:eff).

while both networks are working, your operating system can then choose which address to use, based on its own criteria (those are not really important) and you can connect using either address.

now, it's a day later, no-one has complained (or noticed), so you decide you want to remove the old address. since everyone already has an address in the new network prefix (as well as an address in the old one) you can simply remove the old IPv6 address off the router. your clients will detect using router solicitation (RS) that the "old" address is no longer usable, because there is no router available for that prefix, and they will stop using this prefix, and switch over to the new address prefix that they would already have running and working. all in the space of an RS->RA advert, which makes this very efficient, and the time to renumber, very very easy.

mumtaz?   :-)

understanding the RS <-> RA communication is an important part if you administer LAN networks, so i'd suggest spending some time reading up on that. some of the changes to IPv6 involve a little bit of re-thinking of how you already know networks to run, but with some practical experience, you'll find that these are actually not so difficult.

--n.
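A small model of the two behaviours the message describes (the host preferring its temporary address as connection source, and clients dropping a withdrawn prefix during renumbering), added here as an example and not code from the original thread. The `Candidate` class, the simplified RFC 6724 ordering (rules 3, 7 and 8 only), the `prefer_tempaddr` flag standing in for the sysctl above, and all addresses are assumptions constructed for the example; it is not how any particular operating system implements source selection.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Candidate:
    """One address configured on the interface (hypothetical model, constructed here)."""
    address: str
    temporary: bool = False   # RFC 4941 privacy/temporary address
    deprecated: bool = False  # prefix no longer advertised by any router

def is_eui64(addr: str) -> bool:
    """True when the interface identifier carries the ff:fe marker of a MAC-derived EUI-64 IID."""
    b = ipaddress.IPv6Address(addr).packed
    return b[11] == 0xFF and b[12] == 0xFE

def common_prefix_len(a: str, b: str) -> int:
    """Leading bits shared by two addresses (RFC 6724 rule 8 tie-breaker)."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - x.bit_length()

def select_source(candidates, destination: str, prefer_tempaddr: bool = True) -> Candidate:
    """Simplified RFC 6724 source selection: skip deprecated addresses (rule 3), then
    apply the temporary-address policy (rule 7, the knob behind net.inet6.ip6.prefer_tempaddr),
    then prefer the longest matching prefix (rule 8)."""
    usable = [c for c in candidates if not c.deprecated] or list(candidates)

    def rank(c: Candidate):
        return (c.temporary == prefer_tempaddr, common_prefix_len(c.address, destination))

    return max(usable, key=rank)

if __name__ == "__main__":
    # Constructed sample: an EUI-64 address and a temporary address, both in 2001:db8::/64.
    lan = [Candidate("2001:db8::1234:56ff:fe78:9abc"),
           Candidate("2001:db8::a1b2:c3d4:e5f6:718", temporary=True)]
    site = "2001:db8:ffff::1"  # constructed stand-in for the remote website
    chosen = select_source(lan, site)
    print(f"remote side logs {chosen.address} (EUI-64? {is_eui64(chosen.address)})")
    # Renumbering: old prefix withdrawn (deprecated), new 2001:db8:1::/64 learned via RA.
    renum = [Candidate("2001:db8::1234:56ff:fe78:9abc", deprecated=True),
             Candidate("2001:db8:1::1234:56ff:fe78:9abc")]
    print("after renumbering:", select_source(renum, "2001:db8::53").address)
```

With `prefer_tempaddr=False` the same LAN picks the EUI-64 address, which is what the remote site would then log; in the renumbering case the deprecated address loses even though it shares a longer prefix with the destination.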
