Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
ipv6: temp address does not renew
198 views
Skip to first unread message
Andreas B
Jun 26, 2023, 5:40:07 AM6/26/23
to
Hi,
I'm very puzzled by the behaviour of ipv6 temp addresses on Debian 12.
Expected behaviour: as soon as a temp address becomes deprecated, a
new one is generated. This is the behaviour on Debian 11.
What actually happens: When the (first) temp address becomes
deprecated (in my case, this happens in practice 24h after boot, i.e.
after the interface is brought up), no new temp address is generated.
When the temp address is deprecated, outgoing connections start to use
the eui64 address. I.e., my mac address is being used on the internet.
This seems very weird to me, and cannot possibly be intended?
I did some checking to try to find out why this is (not relevant as it
turns out, but still).
As far as I can tell, the relevant ipv6-settings is the same on both
Debian 11 and Debian 12:
net.ipv6.conf.all.temp_prefered_lft = 86400 (= 24h)
net.ipv6.conf.all.temp_valid_lft = 604800 (= 7d)
net.ipv6.conf.<if>.use_tempaddr = 2
NetworkManager version differences:
NetworkManager version in Debian 11: 1.30.6
NetworkManager version in Debian 12: 1.42.4
I wanted to downgrade the version on Debian 12, but no old version is available.
I then disabled NetworkManager and used /etc/network/interfaces (with
privext = 2) to administer my interface to see if that made a
difference, but the problem is the same.
Tested on two different machines; the problem exist on both.
Best regards,
Andreas
I'm very puzzled by the behaviour of ipv6 temp addresses on Debian 12.
Expected behaviour: as soon as a temp address becomes deprecated, a
new one is generated. This is the behaviour on Debian 11.
What actually happens: When the (first) temp address becomes
deprecated (in my case, this happens in practice 24h after boot, i.e.
after the interface is brought up), no new temp address is generated.
When the temp address is deprecated, outgoing connections start to use
the eui64 address. I.e., my mac address is being used on the internet.
This seems very weird to me, and cannot possibly be intended?
I did some checking to try to find out why this is (not relevant as it
turns out, but still).
As far as I can tell, the relevant ipv6-settings is the same on both
Debian 11 and Debian 12:
net.ipv6.conf.all.temp_prefered_lft = 86400 (= 24h)
net.ipv6.conf.all.temp_valid_lft = 604800 (= 7d)
net.ipv6.conf.<if>.use_tempaddr = 2
NetworkManager version differences:
NetworkManager version in Debian 11: 1.30.6
NetworkManager version in Debian 12: 1.42.4
I wanted to downgrade the version on Debian 12, but no old version is available.
I then disabled NetworkManager and used /etc/network/interfaces (with
privext = 2) to administer my interface to see if that made a
difference, but the problem is the same.
Tested on two different machines; the problem exist on both.
Best regards,
Andreas
Arno Lehmann
Jun 26, 2023, 6:10:07 AM6/26/23
to
Hi Andreas,
Am 26.06.2023 um 11:13 schrieb Andreas B:
> Hi,
>
> I'm very puzzled by the behaviour of ipv6 temp addresses on Debian 12.
>
> Expected behaviour: as soon as a temp address becomes deprecated, a
> new one is generated. This is the behaviour on Debian 11.
Reasonable expectation, I think.
> ...
$ ip -6 a | sed -e 's/[0-9a-f]\{1,4\}:/XXXX:/g'
XXXX: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
XXXX: enoXXXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:bef4/64 scope global
temporary dynamic
valid_lft 86180sec preferred_lft 14180sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:71be/64 scope global
temporary deprecated dynamic
valid_lft 86180sec preferred_lft 0sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:4c58/64 scope global
temporary deprecated dynamic
valid_lft 86180sec preferred_lft 0sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:267a/64 scope global
temporary deprecated dynamic
valid_lft 86180sec preferred_lft 0sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:d25b/64 scope global
temporary deprecated dynamic
valid_lft 86180sec preferred_lft 0sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:2cee/64 scope global
temporary deprecated dynamic
valid_lft 86180sec preferred_lft 0sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:4717/64 scope global
dynamic mngtmpaddr noprefixroute
valid_lft 86180sec preferred_lft 14180sec
inet6 XXXX::XXXX:XXXX:XXXX:ce35/64 scope link noprefixroute
valid_lft forever preferred_lft forever
This is using network manager with simple default settings, the IPv6
address is correctly auto-generated.
Settings are
/proc/sys/net/ipv6/conf/all/temp_prefered_lft: 86400
/proc/sys/net/ipv6/conf/all/temp_valid_lft: 604800
/proc/sys/net/ipv6/conf/all/use_tempaddr: 0
/proc/sys/net/ipv6/conf/default/temp_prefered_lft: 86400
/proc/sys/net/ipv6/conf/default/temp_valid_lft: 604800
/proc/sys/net/ipv6/conf/default/use_tempaddr: 0
/proc/sys/net/ipv6/conf/eno1/temp_prefered_lft: 86400
/proc/sys/net/ipv6/conf/eno1/temp_valid_lft: 604800
/proc/sys/net/ipv6/conf/eno1/use_tempaddr: 2
/proc/sys/net/ipv6/conf/lo/temp_prefered_lft: 86400
/proc/sys/net/ipv6/conf/lo/temp_valid_lft: 604800
/proc/sys/net/ipv6/conf/lo/use_tempaddr: -1
Arno
--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
Am 26.06.2023 um 11:13 schrieb Andreas B:
> Hi,
>
> I'm very puzzled by the behaviour of ipv6 temp addresses on Debian 12.
>
> Expected behaviour: as soon as a temp address becomes deprecated, a
> new one is generated. This is the behaviour on Debian 11.
> ...
> Tested on two different machines; the problem exist on both.
Seems to work correctly on my single Debian 12 system:
$ ip -6 a | sed -e 's/[0-9a-f]\{1,4\}:/XXXX:/g'
XXXX: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
XXXX: enoXXXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:bef4/64 scope global
temporary dynamic
valid_lft 86180sec preferred_lft 14180sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:71be/64 scope global
temporary deprecated dynamic
valid_lft 86180sec preferred_lft 0sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:4c58/64 scope global
temporary deprecated dynamic
valid_lft 86180sec preferred_lft 0sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:267a/64 scope global
temporary deprecated dynamic
valid_lft 86180sec preferred_lft 0sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:d25b/64 scope global
temporary deprecated dynamic
valid_lft 86180sec preferred_lft 0sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:2cee/64 scope global
temporary deprecated dynamic
valid_lft 86180sec preferred_lft 0sec
inet6 XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:4717/64 scope global
dynamic mngtmpaddr noprefixroute
valid_lft 86180sec preferred_lft 14180sec
inet6 XXXX::XXXX:XXXX:XXXX:ce35/64 scope link noprefixroute
valid_lft forever preferred_lft forever
This is using network manager with simple default settings, the IPv6
address is correctly auto-generated.
Settings are
/proc/sys/net/ipv6/conf/all/temp_prefered_lft: 86400
/proc/sys/net/ipv6/conf/all/temp_valid_lft: 604800
/proc/sys/net/ipv6/conf/all/use_tempaddr: 0
/proc/sys/net/ipv6/conf/default/temp_prefered_lft: 86400
/proc/sys/net/ipv6/conf/default/temp_valid_lft: 604800
/proc/sys/net/ipv6/conf/default/use_tempaddr: 0
/proc/sys/net/ipv6/conf/eno1/temp_prefered_lft: 86400
/proc/sys/net/ipv6/conf/eno1/temp_valid_lft: 604800
/proc/sys/net/ipv6/conf/eno1/use_tempaddr: 2
/proc/sys/net/ipv6/conf/lo/temp_prefered_lft: 86400
/proc/sys/net/ipv6/conf/lo/temp_valid_lft: 604800
/proc/sys/net/ipv6/conf/lo/use_tempaddr: -1
Arno
--
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
Andreas B
Jun 26, 2023, 7:20:07 AM6/26/23
to
Arno,
Thank you so much for your prompt response.
Very interesting that it's working as expected for you.
At least I can isolate the problem to being local for my network.
I asked about this in #debian on irc, and it was suggested that I
check if I use dhcpv6 or dhcpv6-pd. I'm not 100% into ipv6
terminology, but I think my ISP uses dhcp-pd to give me a prefix.
Other than that I don't think dhcpv6 is in use. I use SLAAC with and
without privacy extensions (basically, a complete default setup).
In any case, I do not believe that my ISP changed anything in those 30
minutes it took me to install bookworm, so I can't understand why it
behaves differently.
I'll have to dig deeper.
Thank you for input and comments!
Best,
Andreas
Thank you so much for your prompt response.
Very interesting that it's working as expected for you.
At least I can isolate the problem to being local for my network.
I asked about this in #debian on irc, and it was suggested that I
check if I use dhcpv6 or dhcpv6-pd. I'm not 100% into ipv6
terminology, but I think my ISP uses dhcp-pd to give me a prefix.
Other than that I don't think dhcpv6 is in use. I use SLAAC with and
without privacy extensions (basically, a complete default setup).
In any case, I do not believe that my ISP changed anything in those 30
minutes it took me to install bookworm, so I can't understand why it
behaves differently.
I'll have to dig deeper.
Thank you for input and comments!
Best,
Andreas
Andreas B
Jan 8, 2024, 7:20:06 AM1/8/24
to
A follow up on this.
I recently swapped my ISP's router with my own.
New temp-addresses are now generated when old ones become deprecated, as expected.
I haven't checked thoroughly (yet), but the only immediate difference I can see, is that the router lifetime is 600 seconds (RA).
My ISP's router used a lifetime of 86400 seconds (24h), I think.
Best,
Andreas
I recently swapped my ISP's router with my own.
New temp-addresses are now generated when old ones become deprecated, as expected.
I haven't checked thoroughly (yet), but the only immediate difference I can see, is that the router lifetime is 600 seconds (RA).
My ISP's router used a lifetime of 86400 seconds (24h), I think.
Best,
Andreas
Marco Moock
Jan 8, 2024, 7:30:06 AM1/8/24
to
Am 08.01.2024 um 13:01:38 Uhr schrieb Andreas B:
> I haven't checked thoroughly (yet), but the only immediate difference
> I can see, is that the router lifetime is 600 seconds (RA). My ISP's
> router used a lifetime of 86400 seconds (24h), I think.
That affect when the old addresses must be removed from the interface.
> I haven't checked thoroughly (yet), but the only immediate difference
> I can see, is that the router lifetime is 600 seconds (RA). My ISP's
> router used a lifetime of 86400 seconds (24h), I think.
Check
valid_lft 582619sec preferred_lft 63918sec
in ip a for each address.
0 new messages