3

I've been accustomed to IPv4 for so long and I'm really unfamiliar with IPv6.

I recently wanted to add a firewall rule to my OpenWRT router to allow inbound IPv6 connections to a certain port of my Fedora machine. However, I learned that IPv6 addresses can change from time to time. So I referred to an official tutorial and found that I can use an interface identifier with a negative netmask (something like ::xxxx:xxxx:xxxx:xxxx/-64) to make sure my OpenWRT router can always find my Fedora machine even if the subnet prefix changes as the PD provided by the ISP changes.

Then, my next thing to do is to find a "static interface identifier". (There are dynamic ones, right?) So, I typed ip a on my Fedora and got

$ ip a
...
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether xx.xx.xx.xx.xx.xx brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    inet 10.0.1.3/22 brd 10.0.3.255 scope global noprefixroute ens18
       valid_lft forever preferred_lft forever
    inet6 fd4a:xxxx:xxxx::ppp/128 scope global dynamic noprefixroute
       valid_lft 42931sec preferred_lft 1533sec
    inet6 240e:xxxx:xxxx:xxxx::ppp/128 scope global dynamic noprefixroute
       valid_lft 1533sec preferred_lft 1533sec
    inet6 240e:xxxx:xxxx:xxxx:qqqq:qqqq:qqqq:qqqq/64 scope global dynamic noprefixroute
       valid_lft 3336sec preferred_lft 3336sec
    inet6 fd4a:xxxx:xxxx:0:xxxx:xxxx:xxxx:xxxx/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fd8e:xxxx:xxxx:0:xxxx:xxxx:xxxx:xxxx/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

I initially thought that I could find something like EUI-64, but none of the interface identifiers looks related to the MAC address of the interface. Then, since a GUA must start with 240e in my case, I noticed the ::ppp and ::qqqq:qqqq:qqqq:qqqq interface identifiers. The ::ppp also appears in the address that starts with fd4a. Both addresses are temporary (I believe) since the valid/preferred lft are not "forever".

So, my question is, can any of ::ppp/-64 and ::qqqq:qqqq:qqqq:qqqq/-64 be used in OpenWRT firewall rules to point to my Fedora machine? Can they change with time? If neither of them is appropriate, can/should I manually assign an interface identifier to my Fedora machine? Is there any other solution?

1
  • 1
    For your local network, just set yourself a prefix (see Wikipedia for the range of such IPs), but you may need to rewire your mind and use hostnames instead of IPs. dnsmasq (in OpenWRT) handles them well. (Yeah, it is inconvenient for host firewalls, and there are some other problems: it requires OpenWRT to be working.) Each device can choose its own method for picking a random local address, and the MAC is no longer the most used (for privacy reasons). Commented Mar 28, 2024 at 12:14

1 Answer

0
  1. Addresses with a /128 most likely come from DHCPv6, and their IIDs are assigned by the DHCP server. The IID is most likely static, but only as far as your DHCPv6 client's DUID/IAID.

  2. Addresses with the temporary flag are RFC 4941 "Privacy Extensions" addresses, and their IIDs are re-generated every X hours. Ignore those.

  3. Addresses that remain are the ones that have static IIDs. They might have a limited lifetime because the address prefix received from RA has a limited lifetime.
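
The three rules in the answer above, applied to `ip -6 addr` output and turned into the `::IID/-64` suffix form from the question. This is an added example, not part of the original answer; the sample addresses are constructed (documentation prefix 2001:db8::/32 and a made-up ULA), and the function names are hypothetical.

```python
import ipaddress
import re
# Constructed sample in the format of `ip -6 addr show dev ens18`; these are
# documentation-prefix and made-up ULA addresses, not the poster's values.
SAMPLE = """\
    inet6 2001:db8:1:2::abc/128 scope global dynamic noprefixroute
       valid_lft 1533sec preferred_lft 1533sec
    inet6 2001:db8:1:2:1111:2222:3333:4444/64 scope global temporary dynamic
       valid_lft 3336sec preferred_lft 3336sec
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:1789/64 scope global dynamic noprefixroute
       valid_lft 3336sec preferred_lft 3336sec
    inet6 fd00:1234:5678:0:a1b2:c3d4:e5f6:1789/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::a1b2:c3d4:e5f6:1789/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
"""

LINE = re.compile(r"inet6 (\S+)/(\d+) scope (\w+)(.*)")

def classify(ip_output):
    """Label each global address using the three rules from the answer."""
    rows = []
    for m in LINE.finditer(ip_output):
        addr, plen, scope = ipaddress.IPv6Address(m[1]), int(m[2]), m[3]
        flags = m[4].split()
        if scope != "global":
            continue  # link-local addresses are not forwarded by the router
        if plen == 128:
            kind = "dhcpv6"     # rule 1: IID assigned by the DHCPv6 server
        elif "temporary" in flags:
            kind = "temporary"  # rule 2: RFC 4941, IID is re-generated
        else:
            kind = "stable"     # rule 3: static IID, only the prefix expires
        rows.append((kind, addr))
    return rows

def suffix_match(addr):
    """Zero the upper 64 bits and return the IID in ::IID/-64 form."""
    iid = int(addr) & ((1 << 64) - 1)
    return f"{ipaddress.IPv6Address(iid)}/-64"

def firewall_candidates(ip_output):
    """Suffix matches for stable addresses outside ULA space (fc00::/7)."""
    ula = ipaddress.IPv6Network("fc00::/7")
    return sorted({suffix_match(a) for k, a in classify(ip_output)
                   if k == "stable" and a not in ula})

if __name__ == "__main__":
    print(firewall_candidates(SAMPLE))
```

The DHCPv6 address is left out of the candidates because, per the answer, its IID is only as stable as the client's DUID/IAID.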
