
Re: force IPv6 dynamic address?



On Thu, 24 Mar 2022, Jeremy Ardley wrote:

> On 24/3/22 1:11 am, Tim Woodall wrote:
>> I believe it's setting this to 2 that you want (I think there's a
>> setting to go in eni to do this too)
>>
>> https://sysctl-explorer.net/net/ipv6/use_tempaddr/
>
> My concern is that if I go to 1 or 2 then logging for non-email activity may suffer.

I don't know how real network engineers would solve this, but at home I
tag all traffic based on MAC at my firewall so I can easily identify the
device in the iptables log regardless of the IP.

For traffic that is sent via an intercepting proxy I also rewrite the
IPv6 source address so that the (internal) IP is unique at the proxy.

Unknown MACs aren't allowed out.

But I'm as paranoid about unknown outbound connections as I am about
inbound ones - and, unfortunately, outbound is much harder to secure,
especially if you don't trust Google!
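
An added example, not part of the original post and not the poster's own setup: one way to identify a device in an ip6tables log regardless of its temporary address is to key on the source MAC that the kernel LOG target records in its `MAC=` field (destination MAC, source MAC, EtherType). The `KNOWN` inventory, the `OUT6` log prefix, the interface names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed device inventory (constructed, locally administered MACs).
KNOWN = {"02:00:00:00:00:0a": "laptop", "02:00:00:00:00:0b": "phone"}

# Constructed ip6tables LOG lines; addresses use the 2001:db8::/32 documentation prefix.
# The laptop appears with two different temporary addresses; the last line is
# locally generated traffic, for which the kernel logs an empty MAC= field.
SAMPLE = """\
Mar 24 10:00:01 fw kernel: OUT6 IN=lan0 OUT=wan0 MAC=02:00:00:00:00:01:02:00:00:00:00:0a:86:dd SRC=2001:db8:1::a1b2 DST=2001:db8:ffff::1 LEN=80 PROTO=TCP SPT=40000 DPT=443
Mar 24 11:30:12 fw kernel: OUT6 IN=lan0 OUT=wan0 MAC=02:00:00:00:00:01:02:00:00:00:00:0a:86:dd SRC=2001:db8:1::c3d4 DST=2001:db8:ffff::2 LEN=80 PROTO=TCP SPT=40001 DPT=443
Mar 24 11:31:40 fw kernel: OUT6 IN=lan0 OUT=wan0 MAC=02:00:00:00:00:01:02:00:00:00:00:0b:86:dd SRC=2001:db8:1::e5f6 DST=2001:db8:ffff::1 LEN=80 PROTO=UDP SPT=5353 DPT=53
Mar 24 11:32:05 fw kernel: OUT6 IN=lan0 OUT=wan0 MAC=02:00:00:00:00:01:02:00:00:00:00:99:86:dd SRC=2001:db8:1::7788 DST=2001:db8:ffff::3 LEN=80 PROTO=TCP SPT=40002 DPT=25
Mar 24 11:33:00 fw kernel: OUT6 IN= OUT=wan0 MAC= SRC=2001:db8:1::1 DST=2001:db8:ffff::4 LEN=80 PROTO=TCP SPT=40003 DPT=443
"""

# MAC= may be empty, so allow zero non-space characters before " SRC=".
LINE = re.compile(r"\bMAC=(\S*) SRC=(\S+)")


def source_mac(mac_field):
    """Return the source MAC from a LOG MAC= field, or None if it is absent.

    For Ethernet the field is 14 octets: dst MAC (6), src MAC (6), EtherType (2).
    """
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        return None
    return ":".join(octets[6:12])


def by_device(log_text, known=KNOWN):
    """Map device name (or 'unknown:<mac>') to the set of source addresses seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        mac = source_mac(m.group(1))
        if mac is None:  # locally generated or non-Ethernet: no MAC to key on
            continue
        seen[known.get(mac, "unknown:" + mac)].add(m.group(2))
    return dict(seen)


if __name__ == "__main__":
    for device, addrs in sorted(by_device(SAMPLE).items()):
        print(device, sorted(addrs))
```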

