IPv6 privacy extensions for WAN interface

Started by schnipp, March 27, 2019, 07:25:33 PM

Today I started the first experiment to migrate to IPv6. First step is a basic setup for accessing IPv6 webpages.

So, I request an IPv6 address from my ISP to be assigned to the WAN interface. The router advertisement message from my ISP offers me a /64 prefix (currently no prefix delegation is used). The firewall itself generates an IPv6 address for its WAN interface via SLAAC.

What I am missing is an option to enable IPv6 privacy extensions, to randomize the host ID. Are privacy extensions implemented in Opnsense (v.19.1.4)?

OPNsense 24.7.11_2-amd64

If you only have a /64 that means that you can only have a single IPv6 subnet. Since you don't require NAT on IPv6, that subnet should be on your LAN. It is quite normal for your WAN to have an fe80:: link local address.

RFC 4941 makes more sense for clients on the LAN. The only reason to browse from OPNsense is to retrieve updates.

Bart...

I know that /64 is a single subnet. Because my internal network is still IPv4 only, I do not need to request a delegation prefix. Thus, the subnet offered by my ISP is correct.

Related to privacy extensions, clients are responsible for randomizing their host ID. But, please consider the opnsense machine also as a client due to its services (proxy, ntpd etc.). So, the firewall should also randomize its own IPv6 address when using SLAAC.

Clients in my LAN (IPv4) use the proxy to access IPv6 resources in the Internet.


OPNsense 24.7.11_2-amd64

Last time this came up it was said that the FreeBSD version used didn't yet support the privacy extensions.


Cheers,
Franco

HardenedBSD enabled IPv6 privacy extensions by default[1]. Unless explicitly disabled by OPNsense 19.1, they should still be enabled.

[1]: https://github.com/HardenedBSD/hardenedBSD/wiki#generic-system-hardening

I also did some research and figured out that FreeBSD supports privacy extensions, which can be controlled by sysctls:


  • net.inet6.ip6.use_tempaddr
  • net.inet6.ip6.prefer_tempaddr

I'll test this in the next days. Adjusting the sysctls is already included in opnsense's system tunables (System -> Settings -> Tunables).
OPNsense 24.7.11_2-amd64

https://github.com/opnsense/src/commit/0c0e584f24#diff-b94e5e88e89f4adca84e1105361c3d50L100

I don't want to block these, but all we have is conflicting information about the state of implementation and an unclear view on operational impact. I also don't think anyone ever pushed for these which adds to the data here indicating something is going on here beyond our control.


Cheers,
Franco

April 02, 2019, 09:54:17 PM #7 Last Edit: April 02, 2019, 09:58:52 PM by schnipp
I have enabled the following two options:


  • net.inet6.ip6.use_tempaddr
  • net.inet6.ip6.prefer_tempaddr

Now, the pppoe interface gets an additional temporary address when using SLAAC. Basic tests show that this address is used for Internet communication via opnsense's proxy.

We should consider that this kind of address should not be used for DynDNS registrations because the binding becomes invalid in case the temporary address changes.

Edit:
The temporary address is not shown in the GUI (possibly a bug?) but is shown with ifconfig. You can also verify using websites like http://ipv6-test.com/ or https://www.whatismyip.com/
OPNsense 24.7.11_2-amd64
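Since the GUI does not list the temporary address and DynDNS must not register it, a small check over ifconfig output helps. This is an added example, not code from the thread or from OPNsense; it assumes FreeBSD ifconfig marks RFC 4941 addresses with the word "temporary" on the inet6 line, and the ifconfig text below is a constructed sample using documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies inet6 addresses in FreeBSD
# ifconfig output as link-local, temporary (RFC 4941) or stable.

# Constructed sample of "ifconfig pppoe0" after use_tempaddr took effect.
SAMPLE_IFCONFIG='pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1492
	inet6 fe80::1:2:3:4%pppoe0 prefixlen 64 scopeid 0x7
	inet6 2001:db8:aaaa:bbbb:1:2:3:4 prefixlen 64 autoconf
	inet6 2001:db8:aaaa:bbbb:8c21:5f3a:9e44:1d07 prefixlen 64 autoconf temporary pltime 86090 vltime 604490'

# Print "<kind> <iface> <address>" for each inet6 line of the given ifconfig text.
classify_inet6() {
  printf '%s\n' "$1" | awk '
    /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }          # interface header line
    /^[ \t]+inet6 / {
      addr = $2; sub(/%.*/, "", addr)                       # drop the %scope suffix
      kind = "stable"
      if (addr ~ /^fe80:/) kind = "link-local"
      else { for (i = 3; i <= NF; i++) if ($i == "temporary") kind = "temporary" }
      print kind, iface, addr
    }'
}

# The address a DynDNS client should register: the first stable global
# address of the interface, never the temporary one, which expires and changes.
dyndns_candidate() {
  classify_inet6 "$1" | awk -v want="$2" '$1 == "stable" && $2 == want { print $3; exit }'
}

# Exit 0 when the interface carries at least one temporary address, i.e. the
# tunables are effective even though the GUI does not show the address.
has_temporary() {
  classify_inet6 "$1" | awk -v want="$2" '$1 == "temporary" && $2 == want { found = 1 } END { exit !found }'
}
```

On the firewall console, run the functions against live output, e.g. `has_temporary "$(ifconfig pppoe0)" pppoe0`, after confirming the two tunables with `sysctl net.inet6.ip6.use_tempaddr net.inet6.ip6.prefer_tempaddr`.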

That's a useful setting, good catch.

You can also verify your IP from the firewall console with curl ifconfig.co/ip

Bart...

April 02, 2019, 10:38:18 PM #9 Last Edit: April 03, 2019, 08:23:51 PM by schnipp
I have to do some further checks like the lifetime of the temporary address and regeneration in case of a prefix change.

Edit:
But we should keep possible problems (as franco mentioned) in mind (e.g. establishing IPsec connections, which needs some more testing).
OPNsense 24.7.11_2-amd64