Need help configuring multiple IPv6 addresses

Hello,

I’m trying to configure a unique-local IPv6 address for OpenSuSE. I also want to switch from using a dynamic IPv6 address to a static. IPv6 is still something I struggle with though.

I run ifconfig and I count 7 global-link addresses and 1 link-local address. From what I’ve read, my ethernet adapter should always have at least two IPv6 addresses, a global-link and a link-local. I don’t understand why I have 7 global-link addresses though.

So, I want to make sure I do this right and understand everything before I go jumping in. I’ve configured sshd to listen on the static private IPv4 address, but now I want to configure it to listen on a private IPv6 address. I was reading that I shouldn’t use the link-local address for this kind of stuff but should configure a unique-local address (somewhere in the block of fc00::/7). I tried using the Network Settings in Gnome, and I see how I can configure an IPv6 address, but as soon as I do this, I believe it’s going to replace the IPv6 addresses that I currently get from my router (the global ones). I cannot figure out how to add more than one IPv6 address. Can anyone point me in the right direction? In Network Settings, I see the Network Setup Method is set to Wicked Service. I see where I can add multiple IPv4 addresses, but not multiple IPv6 addresses.

If there’s any information that I’ve left out and can provide, please feel free to ask. I’ve searched the internet for a good bit and couldn’t find the information I was looking for. I think this could be because I still don’t fully understand IPv6 and might be using the wrong query. Any help would be greatly appreciated.

Thanks!

I wouldn’t consider myself particularly expert on IPv6 theory and practice (I just try to absorb what comes my way),

  • I wouldn’t know what the reasoning might be behind not using the auto-generated link-local IPv6 IP address for whatever you want. An IPv6 link-local is not the same as an IPv4 link-local, the former when created conforms completely with all that is necessary to be functional, whereas an auto-generated IPv4 is not. If you want to add another link-local address, I can’t see why that should ordinarily be a problem, just ping the address first to make sure it’s not already being used, and in general if you use some random address the address space is so large it’s nearly impossible to cause a collision.

  • AFAIK most global-link addresses aren’t auto-generated so that means <someone> created and assigned those addresses for some reason. At least one address might have been generated by retrieving the IPv6 of your DG and parsing its network prefix. A starting point for investigating why those addresses exist is that if those addresses were assigned by DHCP, ask the DHCP Administrator. Reasons might include subnetting for organizational or routing purposes, monitoring and management, etc. As you seem to have discovered, in general the rules for using or not using DHCP are the same as in IPv4… Choose one and the settings applied by the other are disabled. If you have control over your DHCP, remember you can have the best of both worlds… You can configure “assigned leases” so that DHCP will always hand out the same IP address to a recognized machine, and DHCP leases for that machine won’t expire(and change).

  • YaST has always been slow to support IPv6, in the past some have discovered that you can simply add IPv6 addresses in the IPv4 fields. In any case, I’m pretty sure you can also just edit the interface files directly if you want to configure static addresses… You can already do that with IPv4 addressing.

HTH,
TSU

Why? Do you have one? If not, where are you going to get one?

ethernet adapter should always have at least two IPv6 addresses, a global-link and a link-local

No. You need an address that allows you to communicate with your peer(s). What address is needed for it, depends entirely on your infrastructure and who you communicate with (and how). It is true that in most cases it probably means global unique address. But it is not “should”, it is at most “usually”.

I don’t understand why I have 7 global-link addresses though.

How do you expect anyone to answer it without actually knowing your infrastructure? You likely get them from your router/provider/whatever. Show output of “ip a”, this may provide some clue.

now I want to configure [sshd] to listen on a private IPv6 address

Why? This cannot be the goal, it is a means to achieve some goal that you do not explain.

I was reading that I shouldn’t use the link-local address for this kind of stuff

Again - why? It is as private as you can get :)

Can anyone point me in the right direction?

Right for what? If the only question is how to define additional IPv6 addresses - you can do it using wicked and YaST.

I see where I can add multiple IPv4 addresses, but not multiple IPv6 addresses.

This is misleading, YaST says “IPv4” but in reality accepts also IPv6 addresses.

“Homesteading” IPv6 addresses is quite common.

As long as you configure anything that uses your ISP’s prefix, your IPv6 will be Internet capable (discoverable and routable).
And, because at least today and maybe for the next 20 years or more the address space is so ridiculously large, as long as your address doesn’t cause a conflict AFAIK no one is going to complain about anyone using any address without telling anyone (including their ISP).

So, figuring out what IPv6 address might be possible does require a minimum understanding (and a link-local address of course might not require any understanding at all) but otherwise in many if not almost all cases you’re free to do anything you want.

TSU

I’m not quite sure what is being asked. So I’ll answer just this part.

That is due to the IPv6 privacy extensions. So you have one link-local address. You have one permanent global address. And you have one temporary global address, which is partly randomized.

Every 24 hours, a new temporary global address is added. But the system still has to retain the previous temporary address because it might be in use for a prior connection. So the number of addresses builds up over time.

I recently turned off the privacy extensions. So now I only have one link-local address and one global address. Yes, that makes my system a bit easier to track using the IP address. But the advertisers are already tracking with browser cookies, so I’m doubting that this will cause me a problem. And I have a simpler IPv6 address space because of turning off the privacy extensions.
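The build-up of temporary addresses described in the post above shows up when the `inet6` lines of `ip -6 addr show` are sorted by address range and by the `temporary` flag. This is an added example, not code from any poster; the sample output is constructed, using the documentation prefix 2001:db8::/32 in place of an ISP prefix and a made-up unique-local prefix.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `ip -6 addr show dev eth0` output (not from the thread).
# 2001:db8::/32 is the documentation prefix, standing in for an ISP prefix.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:5c1a:9e0f:33d2:71aa/64 scope global temporary dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 2001:db8:1:2:e4b7:10ff:2c9d:b13/64 scope global temporary deprecated dynamic
       valid_lft 50000sec preferred_lft 0sec
    inet6 2001:db8:1:2:21e:c9ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fd3c:91a2:77b0:1::3/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21e:c9ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

RANGES = [  # checked in order; the kernel reports ULA as "scope global" too
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("global-unicast", ipaddress.ip_network("2000::/3")),
]
INET6 = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/\d+\s+scope\s+\S+(.*)$")

def parse(text):
    """Return one dict per inet6 line: address, range name, flag set."""
    entries = []
    for line in text.splitlines():
        m = INET6.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        kind = next((n for n, net in RANGES if addr in net), "other")
        entries.append({"addr": addr, "kind": kind, "flags": set(m.group(2).split())})
    return entries

def summarize(entries):
    """Count addresses per (range, temporary-or-stable)."""
    return Counter((e["kind"], "temporary" if "temporary" in e["flags"] else "stable")
                   for e in entries)

def static_local(entries):
    """Addresses suited to a fixed sshd ListenAddress: ULA, not handed out dynamically."""
    return [str(e["addr"]) for e in entries
            if e["kind"] == "unique-local" and "dynamic" not in e["flags"]]
```

Feeding real `ip -6 addr show` output to `parse()` separates the privacy-extension addresses from the stable ones, which is the first thing to check when an interface shows more global addresses than expected.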

I would be okay with using the link-local addresses, so long as my PCs weren’t being assigned the global-link addresses. That’s what the concern was. My understanding is that these are the IPv6 version of a public IP address. I didn’t want my computers on the LAN having public IP addresses and being directly accessible over the internet.

The DHCPv6 server on the cable modem assigned the global-link addresses. I’ve tried configuring it to assign unique-local addresses, which, according to the UI, I should be able to do. This is what it says:


Server Settings 
 LAN Delegated Prefix will be derived from System Delegated Prefix and Start Address will have the same prefix as the LAN Delegated Prefix.

However, when I set the System Delegated Prefix to anything (link-local, unique-local, etc), the LAN Delegated prefix does not change. It remains the IPv6 global-link. A friend says most people probably wouldn’t be trying to configure something like this with a residential modem and he thinks most companies (like Spectrum, who we’re currently using) have the prefix “hard coded”. We had a Spectrum guy come out and he said what we were trying to do was way above him and he suggested we switch to business grade, because the business grade techs have more training. I don’t really see why they give us an option to change it, if it doesn’t actually change anything though. I guess that puts a stop to what I’m trying to do though, have the cable modem assign private IPv6 addresses (link-local or unique-local), and assign static IPv6 addresses to my Linux servers and a few other devices.

Thank you! Editing the files directly sounds like the way to go, if I can ever get the DHCPv6 server to assign the types of addresses I want.

What do you mean by this? I rent a cable modem from a company that has a DHCP server on it that hands out IPv4 addresses and a DHCP server that hands out IPv6 addresses. For IPv4, I pick what network I want it on (ie, 192.168.1.0 network, or 192.168.2.0 network, etc). Then, I configure the DHCP server to start handing out IP addresses at someplace like 20. So, for example, let’s say I’m on the 192.168.2.0 network and my DHCPv4 server on the cable modem is handing out addresses starting at 192.168.2.20. Anything under 20 I can configure as static on my LAN. My Linux server, for instance, is 192.168.2.3 and 192.168.2.4. The printer is 192.168.2.2. The cable modem is 192.168.2.1. I wanted to do the same with IPv6.

Okay, thank you for correcting me. It was a mistake on my part. I was being careless as to how I worded my sentences. Sorry about that.

I was hoping for a more generic answer, like maybe a new IPv6 address is needed for every new connection to another IPv6 address. If you’re connecting to one machine over the IPv6 protocol, you’ll have one address, if you’re connecting to two, you’ll have two. Something along those lines.

Why can this not be a goal? I use IPv6 on my local area networks and there is no reason to have it listening on a public IP address. I have firewalls set up, but I configure sshd to listen on address 192.168.2.3 and 192.168.2.4. This should mean, even if my firewalls allow the connections through, people won’t be able to access my SSH server with the IPv4 protocol. Because our local PCs are being assigned IPv6 global-link addresses, right now, if I want the SSH server to accept IPv6 connections, I have to tell it to listen on the public IPv6 address, not a local one. Unless I’m misunderstanding something. This was one of the reasons I asked here for help. I hope this clears things up a bit for you.

It is private, but I was under the impression that link-local addresses are not routable and unique-local addresses are routable. In our house, we have a couple of networks. Right now, we haven’t switched our backbone over to fiber, but we will as soon as the company that provides it offers IPv6 addresses (they’re working on it). We’re currently using a slower 50Mbps connection from Spectrum. It’s a broadband connection over coax. Am I wrong in thinking unique-local addresses are routable and link-local addresses are not?

I tried typing IPv6 addresses in YaST but it would not accept them. When I click on Add under the Additional Addresses title, I can type the first two bytes, but then when I go to hit the : key, it will not allow me to hit it.

Thanks!

This was really helpful. I appreciate you taking the time to answer one of my questions. If I were to assign a unique-local or link-local IPv6 address, I wonder if the temporary addresses will still be created. I bet this is something google could give me the answer to.

I bet the IPv6 privacy extensions are turned off on CentOS 7. One of the VPSes I rent has an IPv6 address but I only see the global-link and link-local. I don’t see any temporary global addresses there. From this one company, if you want more public IPv4 addresses, you need to provide them with a real reason (which is definitely understandable), but for IPv6 addresses, I think I can just request them and get them approved, not that I currently need more than one global IPv6 for that specific VPS.

Thank you.
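On the question of where a unique-local address comes from and how it ends up as an extra static address next to the router-assigned ones: the sketch below is an added example, not part of any post in this thread. It builds a locally assigned prefix in the RFC 4193 layout (the `fd` byte, a 40-bit Global ID, a 16-bit subnet ID) and renders the extra ifcfg address line and the sshd `ListenAddress` line. The interface name `eth0`, the `ula` suffix, and the subnet and host numbers are assumptions.

```python
import ipaddress
import secrets

ULA_LOCAL = ipaddress.ip_network("fd00::/8")  # locally assigned half of fc00::/7

def new_ula_prefix(global_id=None):
    """Return a /48 made of the fd byte plus a 40-bit Global ID (RFC 4193 layout)."""
    if global_id is None:
        global_id = secrets.randbits(40)  # CSPRNG instead of the RFC's SHA-1 recipe
    if not 0 <= global_id < 1 << 40:
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))

def static_host(prefix48, subnet_id, host_id):
    """Combine /48 prefix, 16-bit subnet ID and 64-bit interface ID into a /64 interface."""
    if prefix48.prefixlen != 48 or not prefix48.subnet_of(ULA_LOCAL):
        raise ValueError("expected a /48 inside fd00::/8")
    if not (0 <= subnet_id < 1 << 16 and 0 < host_id < 1 << 64):
        raise ValueError("subnet ID is 16 bits, interface ID is 64 bits and non-zero")
    value = int(prefix48.network_address) | (subnet_id << 64) | host_id
    return ipaddress.IPv6Interface((value, 64))

def render(iface, suffix="ula"):
    """Lines for the wicked ifcfg file and for sshd_config (eth0 is an assumption)."""
    return {
        # IPADDR_<suffix> adds an address alongside the autoconfigured ones
        "/etc/sysconfig/network/ifcfg-eth0": f"IPADDR_{suffix}='{iface.with_prefixlen}'",
        "/etc/ssh/sshd_config": f"ListenAddress {iface.ip}",
    }

if __name__ == "__main__":
    prefix = new_ula_prefix()  # generate once, then reuse the same /48 for the whole site
    for path, line in render(static_host(prefix, subnet_id=1, host_id=3)).items():
        print(f"{path}: {line}")
```

Other hosts on the LAN reach the address only if they also hold an address or route in the same unique-local /64, since the cable modem in this thread does not advertise that prefix.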