• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Native IPv6 configuration question

Started by cshilton, August 22, 2024, 09:34:07 AM

Previous topic - Next topic

cshilton

So, I figure that this may be forum for this question. About a year ago, Verizon rolled out native IPv6 to me. I'm still using my HE tunnel because I'm not clear on the some of the implications.

Question: With Verizon's native IPv6 I'm getting 3 meaningful IP addresses on my interface, public - [2600:4040:xxxx:yyyy::host-part], and ULA - [fdww:xxxx:yyyy:zzzz::host-part] and of course, an link-local [fe80::host-part] address. Is the function of the ULA assignment to run local services?

Question: Is it safe to run services on the link local address?

What I see is that native IPv6 changes the way I get my IPv6 address. Verizon assigns me an address via dhcp-pd. That assignment is static the way a CATV cable modem gets a, for all intents, static IP. But I still need to assign known IP addresses to my DNS resolvers for example. With HE, this was [<he-prefix>::<static-host-part>] but with Verizon, the prefix can change. Being clear, is the dhcpcd program assigning me a ULA address so I can put my DNS resolver at a configured place?

-- Chris

cshilton

When I looked at this further, I discovered that I have my OpenBSD network stack to do IPv6 autoconf without an RA provider on the network. The ULA was self-generated.

Regarding the other part of the question: Should I use a ULA for local services like DNS resolution? A few people do this. It mainly involves assigning a ULA on the interface where you source your router advertisements and then statically assigning an IP address within that ULA to provide your service.

sdgathman

Quote from: cshilton on August 22, 2024, 09:34:07 AMQuestion: With Verizon's native IPv6 I'm getting 3 meaningful IP addresses on my interface, public - [2600:4040:xxxx:yyyy::host-part], and ULA - [fdww:xxxx:yyyy:zzzz::host-part] and of course, an link-local [fe80::host-part] address. Is the function of the ULA assignment to run local services?

Question: Is it safe to run services on the link local address?

The fd00::/8 (actually fc00::/7) IPs are the IPv6 equivalent of 192.168.0.0/16 or 10.0.0.0/8.  Link local (fe80) addresses could be used for services, but are inconvenient because you always have to specify the interface - and not all clients know how to do this, and the naming can be quite fickle.

For local services, use fc00::/7 - which you can route within your private network (all over the world, if your private network extends that far, which it might with VPN tunnels).  Actually, just use fd00::/8, because fc00::/8 is used by the Cjdns protocol.  I run services on Cjdns fc00::/8 ips because they are authenticated and e2e encrypted (and global).  Cjdns is inspired by IPv6 CGA, where the host part is a fingerprint of the TLS cert.  Cjdns extends this to where the entire IPv6 is a fingerprint of the TLS cert (throwing away certs outside the fc00::/8 fingerprint range).

troz

FC00::/8 is reserved for currently unspecified use. (basically, no one can agree on how to use it.) FD00::/8 is for non-public use. Technically, you can do whatever you want with it, but there are some "karen" RFC's telling you what to do. (in short, use random prefixes -- "global id" -- to minimize any collisions with other networks, should they ever need to be connected. if you've ever tried to merge to 10/8-using enterprise networks...) Should the IETF ever agree on how to manage "fc", cjdns will have to stop squatting on the space; shame on them for ever doing this in the first place.