IPv6 privacy extensions and firewall policies

At work the office router already advertises an IPv6 prefix for our end user devices. Because our management networks are IPv4 only, IPv6 was only used for browsing the internet. Now the IPv6 rollout for our internal network is finally starting, and a colleague of mine who did the first IPv6 enabled system setup found a big “problem”: IPv6 privacy extensions (RFC 3041).

Since you are reading this I assume you already know what IPv6 privacy extensions are. They are necessary in the modern internet and simply disabling them is not a solution. You want them enabled when dealing with end user devices.
So how can you create firewall policies with changing IPv6 addresses? Here are a few solutions:

Solution 1: SLAAC + DHCPv6

Your router advertisement daemon is probably running in “unmanaged” mode. It sends a prefix to use, DNS servers and probably a search domain. Nothing more is needed for clients to generate their addresses out of the advertised prefix.
If you switch to “managed” mode, clients are told to ask a DHCPv6 server. Afterwards you can hand out static address assignments from that server.

Solution 2: Force the source address to be used

Your device will always create a so-called “secured” address. The last 64 bits are generated based on a DUID and never change, even when the prefix changes. If your prefix doesn't change, you basically have a static, predictable address. However, with enabled privacy extensions it is never used to initiate a connection. The so-called “temporary” address is used instead.
The goal is to tell your device to use its secured address for a specific subnet. See this example network config:

Your company provides you with the following prefix: 2001:db8:dead:be00::/56
Your office LAN got the following prefix: 2001:db8:dead:be00::/64

Your device generated these addresses:

Secured:   2001:db8:dead:be00:5054:00ff:fe86:648e/64
Temporary: 2001:db8:dead:be00:5054:00ff:feac:723a/64

In the end, your device should use its secured address inside your own /56 network.

On Linux, you only need to add a route with a preferred source address via the ip command:

$ ip route add 2001:db8:dead:be00::/56 via yourgatewayaddress src 2001:db8:dead:be00:5054:00ff:fe86:648e

You have to substitute yourgatewayaddress with the address of your gateway. This can be a link local or global unicast address. Check ip -6 route to find it.

On Mac, there is no easy way to change the source address. You have to

The IPv6 development at work is finally starting. A new service is currently being set up and it should be reachable over IPv6. The router for the office LAN is advertising an IPv6 prefix. My colleague setting this up

Last week a colleague asked me how to create firewall policies

IPv6 privacy extensions are a really good thing.

When using SLAAC (Stateless Address Auto Configuration) each device generates its own IPv6 address based on the prefix advertised by the router. Some time ago the devices used their MAC address for the last 64 bits to generate a unique address. Nowadays the MAC address has been replaced by an ID that is randomly generated once, but the effect is still the same: normally the last 64 bits of your IPv6 address are always the same. If you roam between networks or don't have a static prefix, only the first 64 bits change.
This makes it really easy to track a single device over multiple networks by simply looking at the last 64 bits. The tracker industry probably cheered after they found that out. That's why RFC 3041 aka “IPv6 privacy extension” was created. Each device generates a second, temporary IPv6 address with a “best before” date. That address is then used as source address. If it expires, a new address is generated and used. The expired address is removed as soon as no states or sockets are present anymore. This is needed because changing the source address would break most stateful connections like SSH.

I call myself an IPv6 evangelist. Since I got to know IPv6 roughly 8 years ago and saw the benefits of killing for example NAT, I was really excited. And for the last 3 years the IPv6 migration has finally been moving forward. Probably because the IPv4 address space is more than exhausted and ISPs start to do NAT (lol!). Fuck NAT! NAT is truly a disease.
I implemented IPv6 in my home network, servers etc. I have VLANs which are IPv6 only (true IPv6, no NAT64 or something like that). But then it hit me hard!

To be honest I have not run into any problem with IPv6 at work. IPv6 was enabled in the LAN and everybody used it for regular internet browsing, but our main core network is IPv4 only, at least on the management side. A colleague asked a simple question: “How can I create firewall rules when we use temporary IPv6 addresses?” At home my end user devices with privacy extension addresses are in a VLAN with an IPv6 any-to-any rule. So I never ran into that problem and never thought about it. That's of course not a solution for your company LAN.
That question truly embarrassed me. I started to seriously question whether IPv6 was a solution in that scenario.
With IPv4 you have one private address. It doesn't change and is also used as the outgoing address. Adding a second IPv4 address is pretty uncommon, but it is necessary and wanted with IPv6.
Staying on IPv4 is never a solution! Here is the solution:

You first need a static prefix for your network. Let's say your ISP provided prefix is 2001:db8:dead:be00::/56. You defined the first subnet 2001:db8:dead:be00::/64 as your LAN subnet. Devices with enabled privacy extensions live here. For example your laptop generated the following addresses:

The secured address is the statically generated address. The temporary one is created because of enabled privacy extensions. The temporary one is always used as the source address.
You now need to set the static one as the source address for a specific prefix. Let's say you want to use the secured address for your whole provided prefix. On Linux you have to add a route for that like this:

$ ip route add 2001:db8:dead:be00::/56 via yourgatewayaddress src 2001:db8:dead:be00:5054:00ff:fe86:648e

Substitute yourgatewayaddress with the IPv6 address of your gateway. This can be a global unicast address or a link local address. Check the routing table to get it.
If you try to connect to another client inside your provided prefix, the secured address will be used. This address is fixed and you can use it in firewall policies. For everything else your temporary address will be used and your online privacy is safe. At least on OSI layer 3 :-)
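As an added example, not from the post: the following Python models what the route with the src hint does, where Linux takes the preferred source from the longest-matching route and only falls back to default source selection (which prefers the temporary address) when that route carries no src hint. It also goes beyond the post to show a caveat: the kernel's connected /64 route is more specific than the /56 route, so destinations inside your own LAN keep using the temporary address until that route gets its own src hint. The addresses are the ones used above (in Solution 2 and in this walkthrough); the routing table, the helper names and the ip route change line in the docstring are constructed.

```python
from ipaddress import IPv6Address, IPv6Network

# Addresses and prefixes are the ones from the post; the routing table
# is constructed to mirror a Linux host after
# "ip route add 2001:db8:dead:be00::/56 via <gw> src <secured>".
SECURED = "2001:db8:dead:be00:5054:00ff:fe86:648e"
TEMPORARY = "2001:db8:dead:be00:5054:00ff:feac:723a"
LAN = IPv6Network("2001:db8:dead:be00::/64")
COMPANY = IPv6Network("2001:db8:dead:be00::/56")

# (network, preferred source or None). The connected /64 route comes from
# the router advertisement and is installed by the kernel without a src hint.
ROUTES = [
    (LAN, None),
    (COMPANY, SECURED),
    (IPv6Network("::/0"), None),
]

def select_source(dst, routes=ROUTES):
    """Longest-prefix match, then that route's src hint if it has one.
    Without a hint the default selection (RFC 6724 rule 7) prefers the
    temporary address for new outgoing connections."""
    dst = IPv6Address(dst)
    matching = [r for r in routes if dst in r[0]]
    net, prefsrc = max(matching, key=lambda r: r[0].prefixlen)
    return prefsrc if prefsrc is not None else TEMPORARY

def with_lan_hint(routes=ROUTES):
    """Table after also pinning the connected route (constructed), e.g.
    ip route change 2001:db8:dead:be00::/64 dev <iface> src <secured>."""
    return [(net, SECURED if net == LAN else src) for net, src in routes]

def rebase(addr, new_prefix):
    """The stable address keeps its last 64 bits when the /64 changes,
    which is what makes it usable in a firewall policy."""
    iid = int(IPv6Address(addr)) & ((1 << 64) - 1)
    return str(IPv6Address(int(IPv6Network(new_prefix).network_address) | iid))

def policy_allows(src, allowed=SECURED):
    """Decision of a firewall rule keyed on the stable address."""
    return IPv6Address(src) == IPv6Address(allowed)

if __name__ == "__main__":
    for d in ("2001:db8:dead:be05::10", "2001:db8:dead:be00::10", "2001:db8::1"):
        print(d, "->", select_source(d), "| LAN route pinned:",
              select_source(d, with_lan_hint()))
```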

Do you have a comment, a request or an improvement? Write me an e-mail! The details are here.

🖇️ = link to another website
🔐 = website uses HTTPS (encrypted transport)