6

I have a static IPv6 /62 prefix and I use radvd on my router (running Debian) to advertise a /64 from within it to my entire network. Other than my router (which is ::1), I let EUI64 set the suffix based on the MAC address (i.e. matching the suffix of the automatic fe80:: address).

Most Linuxes are migrating to masking this for privacy reasons. I am really not concerned about the privacy implications, and further, want a perfectly predictable IPv6 address for services such as sshd.

In theory, this should be easy to configure. For example, on a Raspberry Pi running Raspbian, I've added to the /etc/sysctl.conf file:

###################################################################

# Enable IPv6 EUI64

#

net.ipv6.conf.all.use_tempaddr=0

net.ipv6.conf.default.use_tempaddr=0

net.ipv6.conf.eth0.use_tempaddr=0

Alas, nothing changes. (The last line was a last-ditch attempt; the previous two lines really ought to work alone.)

Something in these OSes is preventing EUI64 from working. What is it, and how do I enable it?

This particular machine is not running NetworkManager, but some of them are.

Jim MacKenzie
  • 180
  • 1
  • 10

1 Answers1

12

You are confusing two different address types:

  • temporary addresses generated according to RFC 4941 "Privacy extensions",
  • permanent addresses generated according to RFC 7217 "Opaque interface identifiers".

The former are always generated in addition to the default address and do not replace it, so certainly not what you have in mind.

The latter do replace the default EUI64-based address, but they are not temporary and have nothing to do with the use_tempaddr knob. Instead you need to change the primary address generation mode:

  • If SLAAC is performed by the kernel, change this sysctl:

    net.ipv6.conf.default.addr_gen_mode = 0
net.ipv6.conf.eth0.addr_gen_mode = 0

    (Looking at source code, it doesn't seem like all.addr_gen_mode is implemented.)

  • If SLAAC is performed by dhcpcd, use this dhcpcd.conf option:

    slaac hwaddr

  • If SLAAC is performed by NetworkManager:

    nmcli con modify "Connection name" ipv6.addr-gen-mode eui64
u1686_grawity
  • 426,297
  • 64
  • 894
  • 966
  • Thank you; I'll give this a try. I don't absolutely require that my systems use the default EUI64 addresses, although I prefer it since they're predictable. A permanent IPv6 suffix of some other sort would also be suitable. The address I have now seems to be temporary 2: eth0: mtu 1500 state UP qlen 1000 inet6 blahblah::4d6a:b4b0:7b0d:41af/64 scope global mngtmpaddr noprefixroute dynamic – Jim MacKenzie Feb 24 '18 at 14:03
  • The secret for this situation was "slaac hwaddr" in /etc/dhcpcd.conf. Thank you. – Jim MacKenzie Feb 24 '18 at 14:08
  • 1
    No, if it doesn't say _the exact word_ `temporary`, then you're still looking at a permanent address, and it's fine to use it in DNS and elsewhere. (It is based on hashing the network prefix and a secret key... uh, in dhcpcd's case probably /etc/dhcpd.duid?) – u1686_grawity Feb 24 '18 at 14:46
  • 1
    Don't be confused by `mngtmpaddr` which has a nearly-opposite meaning. (It tells the kernel "if use_tempaddr is active, please manage temporary addresses _based on_ this address".) – u1686_grawity Feb 24 '18 at 14:49
  • 3
    How do I know which one is doing the SLAAC? – The Guy with The Hat Aug 10 '20 at 00:37
  • The Raspberry Pi documentation has a section called [Configuring Networking](https://www.raspberrypi.com/documentation/computers/configuration.html#configuring-networking), which tells you where to set these options. My RPi is a server connected via Ethernet cable, so currently it tells me I need to configure `dhcpcd`. – crimson_king May 25 '22 at 02:46