# How to set the valid lifetime of an IPv6 mngtmpaddr address?

## 222697

I have IPv6 enabled with privacy extensions and get IPv6 router advertisements (RA) from my telecom provider, which autoconfigures my IPv6 address.

```
cat /proc/sys/net/ipv6/conf/eth1/use_tempaddr
2

cat /proc/sys/net/ipv6/conf/eth1/temp_valid_lft
172800

cat /proc/sys/net/ipv6/conf/eth1/temp_prefered_lft
86400

ip -6 a
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2003:86:ae58:a4d7:e802:ab30:b014:8b18/64 scope global temporary dynamic
       valid_lft 107895sec preferred_lft 20895sec
    inet6 2003:86:ae58:a4d7:7254:d2ff:fe7c:39be/64 scope global mngtmpaddr dynamic
       valid_lft 604749sec preferred_lft 86349sec
```

As you can see, the settings of temp_valid_lft and temp_prefered_lft are honoured for the "global temporary dynamic" address, but not for the "global mngtmpaddr dynamic" address (which has the MAC address in the host part of the address).

Since I get a new /64 prefix every 24h from my provider via RA, and the valid lifetime of the mngtmpaddr address is 604800 s (7 days), at the end I have 6 deprecated mngtmpaddr addresses. E.g. a deprecated address looks like this:

```
ip -6 a
    inet6 2003:86:ae58:a4f8:7254:d2ff:fe7c:39be/64 scope global deprecated mngtmpaddr dynamic
       valid_lft 366217sec preferred_lft 0sec

cat /proc/sys/net/ipv6/conf/eth1/max_addresses
16
```

I would like to get rid of these, even though I understand there is a maximum number of IPv6 addresses defined in max_addresses.

Does anybody know how to reduce the valid lifetime of a "global mngtmpaddr dynamic" kind of address?

Edit:

Kernel 4.1.12-gentoo

iproute2-3.19.0

----------

## UberLord

*1970 wrote:*

> As you can see, the settings of temp_valid_lft and temp_prefered_lft are honoured for the "global temporary dynamic" address, but not for the "global mngtmpaddr dynamic" address (which has the MAC address in the host part of the address).
>
> Since I get a new /64 prefix every 24h from my provider via RA, and the valid lifetime of the mngtmpaddr address is 604800 s (7 days), at the end I have 6 deprecated mngtmpaddr addresses. E.g. a deprecated address looks like this:

 

mngtmpaddr is a flag assigned to each address received via RA.

As the address itself is not a temporary one, rather one to base temporary addresses from, the temporary address lifetimes do not apply.

So you have a lot of deprecated addresses. This is quite a common thing with IPv6 temporary addresses, but I need to ask: why do you think this is a problem?

Yes, the kernel does have a limit on the maximum number of addresses, but once this is reached it will trim the oldest deprecated ones first, so this should not be a problem.
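To make the distinction above concrete, here is an added Python example (not from the thread or any poster) that parses `ip -6 addr` output of the kind quoted in the first post, lists the deprecated mngtmpaddr addresses the question is about, checks that the temporary addresses' valid_lft really stays under temp_valid_lft, and reports how much room is left under max_addresses. The sample output, the sysctl values and the assumption that max_addresses counts the `dynamic` (autoconfigured) addresses are constructed here.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the `ip -6 a` output quoted in the first post
# (a link-local address is added so the parser also sees "forever" lifetimes).
SAMPLE_IP6_OUTPUT = """\
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2003:86:ae58:a4d7:e802:ab30:b014:8b18/64 scope global temporary dynamic
       valid_lft 107895sec preferred_lft 20895sec
    inet6 2003:86:ae58:a4d7:7254:d2ff:fe7c:39be/64 scope global mngtmpaddr dynamic
       valid_lft 604749sec preferred_lft 86349sec
    inet6 2003:86:ae58:a4f8:7254:d2ff:fe7c:39be/64 scope global deprecated mngtmpaddr dynamic
       valid_lft 366217sec preferred_lft 0sec
    inet6 fe80::7254:d2ff:fe7c:39be/64 scope link
       valid_lft forever preferred_lft forever
"""

@dataclass
class Addr:
    address: str
    prefixlen: int
    scope: str
    flags: frozenset            # words after "scope <x>": temporary, mngtmpaddr, deprecated, dynamic ...
    valid_lft: "int | None"     # seconds; None means "forever"
    preferred_lft: "int | None"

def _secs(token):
    return None if token == "forever" else int(token[:-len("sec")])

def parse_ip6_addr(text):
    """Parse `ip -6 addr` output; each inet6 line is assumed to be followed by its lifetime line."""
    lines, addrs = text.splitlines(), []
    for i, line in enumerate(lines):
        m = re.match(r"\s+inet6 ([0-9a-f:]+)/(\d+) scope (\S+)(.*)", line)
        if not m:
            continue
        lft = re.search(r"valid_lft (\S+) preferred_lft (\S+)", lines[i + 1])
        addrs.append(Addr(m.group(1), int(m.group(2)), m.group(3),
                          frozenset(m.group(4).split()), _secs(lft.group(1)), _secs(lft.group(2))))
    return addrs

def lifetime_report(addrs, temp_valid_lft, max_addresses):
    """Deprecated mngtmpaddr addresses, temporary addresses whose valid_lft exceeds temp_valid_lft,
    and the headroom under max_addresses (assumption: it counts the autoconfigured 'dynamic' addresses)."""
    return {
        "deprecated_mngtmpaddr": [a.address for a in addrs if {"deprecated", "mngtmpaddr"} <= a.flags],
        "temporary_over_limit": [a.address for a in addrs if "temporary" in a.flags
                                 and a.valid_lft is not None and a.valid_lft > temp_valid_lft],
        "autoconf_headroom": max_addresses - sum("dynamic" in a.flags for a in addrs),
    }
```

Feed it the live output of `ip -6 addr show dev eth1` together with the values read from the sysctls to see the mngtmpaddr addresses keep RA-derived lifetimes while only the temporary ones are bounded by temp_valid_lft.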

----------

## 222697

*UberLord wrote:*

> Yes, the kernel does have a limit on the maximum number of addresses, but once this is reached it will trim the oldest deprecated ones first, so this should not be a problem.

Nice to hear, thanks! Could you tell me the source of this information?

It is not mentioned here:

https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

----------

## UberLord

Gah, my bad!

This happens with neighbour addresses, not actual ip addresses.

----------

## 222697

At least, when I get a completely new /56 prefix from the telecom provider (which happens every 4 days), the old IPv6 addresses disappear before their lifetime ends (which makes sense, since they are not routable anymore).

----------

## NeddySeagoon

1970,

I wonder if that's a problem for me.  I have a static /48.

I'm not convinced that the privacy extensions are actually useful because the prefix doesn't change.

My /48 is always traceable to me, regardless of what I do with the IPv6 addresses.

----------

## UberLord

*NeddySeagoon wrote:*

> I'm not convinced that the privacy extensions are actually useful because the prefix doesn't change.
>
> My /48 is always traceable to me, regardless of what I do with the IPv6 addresses.

The /48 is traceable to you yes.

But due to privacy extensions that's where it stops, there is nothing to track back (from the IP layer anyway) to a specific machine where the address changes.

And thanks to the Internet of Things with IPv6, who's to say which machine, from your desktop to your toaster, is really a nefarious music sharing hub for Rick Astley?

Stable Private Addresses (I think very recent kernels support this; dhcpcd has done so for almost two years now) provide a better solution to the problem because the address doesn't change (unless you change the MAC address, like a card, SSID or private key, or the advertised prefix).

This effectively masks your MAC address from upstream servers. But please remember, nothing hides it from nodes you directly talk to on the same network segment.

This makes it an excellent choice for servers as well.

But really, this is all a minor issue as there are many other and better ways to track you.

----------

## 222697

 *NeddySeagoon wrote:*   

> 1970,
> 
> I wonder if that's a problem for me.  I have a static /48.
> 
> I'm not convinced that the privacy extensions are actually useful because the prefix doesn't change.
> ...

 

Sure, if your prefix doesn't change, it's like having a static IPv4 address.

IPv6 and privacy do not fit together well, as far as I have seen. I think IPv6 is more (only?) useful for servers with a static prefix and without privacy extensions. Private users need to regularly change the complete prefix for privacy reasons, not only the host part of the address (via privacy extensions) or the /64 subnet. And that is a problem, since then all your addresses in the whole "LAN" network change completely, so that is not manageable, as you cannot reference the hosts in your "LAN" in a stable way. That is what I know. It looks to me that private users need to stick with NATing, even with IPv6.

----------

## UberLord

 *1970 wrote:*   

> It looks to me that private users need to stick with NATing, even with IPv6.

 

NATing buys you nothing and is the devil spawn of networking.

----------

## NeddySeagoon

1970,

Once upon a time, IPv4 was supposed to work without NAT.

NAT was a hack to work around the fact that most of the IPv4 address space was allocated to the USA.

Just get used to IPv6 addresses being public and set up your firewall with a healthy degree of paranoia.

----------

## UberLord

You guys are missing it - IPv6 Privacy options are for hiding the hardware address of your network card from machines outside your local network segment.

That's it.

This gives you the equivalent privacy of IPv4 NAT.

The only way to get more private at the IP level is to use a tunnel.

----------

## NeddySeagoon

UberLord,

Ahhhh ... the penny dropped.  

Thank you.

----------

## 222697

 *NeddySeagoon wrote:*   

> Once upon a time, IPv4 was supposed to work without NAT.

 

I think my post was pretty clear.

Suppose you get 5 real, globally routable IPv4 addresses from your telecom provider.

So you can give each of your five computers/VMs at home its own real IPv4 address. Nice.

But then, you do not want to change these addresses, since then you cannot have one serving as NFS server, DNS server etc., as you would need to change DNS or other configuration on the client side if you changed the IPv4 addresses.

And static addresses conflict with privacy.

So IPv4 NAT has the advantage that you only need to change _one_ outer IPv4 address, while the IP addresses of your LAN infrastructure can stay untouched and can talk to each other in a stable way.

----------

## Ant P.

 *1970 wrote:*   

> Sure, if Your prefix doesn't change, it's like having a static IPv4 address.

 

Correction: if you have a /56 prefix that doesn't change, it's like having 4722 quadrillion static IPv4 addresses.

If you think that isn't private enough, try brute-forcing that address space and let us know when you've succeeded - if the universe is still around then.

----------

## szatox

 *Quote:*   

> If you think that isn't private enough, try brute-forcing that address space and let us know when you've succeeded

Private like in "I don't know what to call" or "I won't know when I see it"?

I'd only call the latter one "private". 

 *Quote:*   

>  while the IP addresses of Your LAN infrastructure can stay untouched and can talk to each other in a stable way.

You don't need a static IP for that. You can use human-readable names and a multicast group for neighbour discovery. Avahi, anyone?

----------

## Ant P.

 *szatox wrote:*   

> Private like in "I don't know what to call" or "I won't know when I see it"?
> 
> I'd only call the latter one "private". 

 

Private as in both: this is a setup that (as explained in the first post) already has random temporary addresses for all outgoing connections, which on their own provide just as much protection as a stateful IPv4 NAT.

What's the threat model here?

----------

