IPv6 Static Address with SLAAC
I've got IPv6 on my home network, mostly as a playground since IPv4 will someday surely fade away.
One thing that IPv6 offers is a "privacy" or "protection" feature called SLAAC (stateless address auto-configuration) where devices will receive new addresses periodically. There are plenty of IPv6 addresses to go around (I have 2 /64 ranges from my tunnel provider, or 18,446,744,073,709,551,616 addresses each), so this is easy to do. The addresses will remain on the devices for a while, and the device will get another, and eventually stop using the old one, repeating the process continuously.
There's a mechanism in place to prevent collisions by leveraging the device's MAC address, which some say reduces the privacy, but it still offers the protection. This means that machines managed this way have shorter visibility with that address, and therefore less vulnerability. Unlike IPv4, where the same IP address is probably in use months after appearing in some log file, IPv6 addresses will not likely be there even minutes later.
What this also means is that a machine's address will change often enough that it'll be hard to pin down your own machines when you want to connect to them for useful purposes, such as print and file servers, or to access them as remote stations.
This is done in IPv4 using static addresses, and can be done in DHCP with reservations. This can also be done with the radvd mechanism most often used, or with the less used DHCPv6, but it seems to be the case that then you have a static reservation and lose the dynamic address shifting that SLAAC usually offers.
I just learned today there's a way to provide a static address and still use SLAAC!
Simply, at least on my Ubuntu box, I've configured my network interface to receive automatic configuration from the server, and then added a line to assign it a static address after. And it's as simple as this in my /etc/network/interfaces file:
iface br0 inet6 auto
    up ip -6 addr add 2001:ABCD:EF01:2345::6789/64 dev br0
The first line, ending in "auto", receives the SLAAC configuration, changing the IP periodically. The second line adds the static address (in my real configuration with my real tunnel prefix) with my network's prefix, a bunch of zeroes, and my chosen static suffix. I chose to leave as much set to zero as possible to reduce the chance of collision with the SLAAC addresses; of course it's possible to have SLAAC give all of those zeroes, but it's very unlikely.
Now when I reach out to the Internet, my IP will be presented as something like PREFIX:10ce:b7af:f6cd:8052, but I can use the PREFIX::STATIC address to reach the device, really from anywhere.
Security merged with ease.
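To sanity-check a chosen static suffix against the addresses SLAAC can hand out, here is an added example (not part of the original post) that derives the MAC-based SLAAC address for a host and classifies addresses in the /64 by their low 64 bits. The function names are hypothetical, the MAC is a constructed sample, and the prefix is the post's placeholder.

```python
import ipaddress

def eui64_address(prefix, mac):
    """Address that MAC-based SLAAC (modified EUI-64) derives in this /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    b = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02  # invert the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])  # ff:fe goes in the middle
    return net[int.from_bytes(iid, "big")]

def classify(addr, prefix):
    """Label an address by what its interface identifier (low 64 bits) looks like."""
    ip, net = ipaddress.IPv6Address(addr), ipaddress.IPv6Network(prefix)
    if ip not in net:
        return "outside-prefix"
    iid = int(ip) & ((1 << 64) - 1)
    if iid >> 16 == 0:
        return "manual-low"   # PREFIX::xxxx, everything else zero
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"        # MAC-derived
    return "randomized"       # e.g. a periodically changing address

def check_static(static, prefix, mac):
    """Return a list of problems with a chosen static address (empty = fine)."""
    ip, net = ipaddress.IPv6Address(static), ipaddress.IPv6Network(prefix)
    kind = classify(static, prefix)
    if kind == "outside-prefix":
        return ["not inside the advertised prefix"]
    problems = []
    if ip == net.network_address:
        problems.append("is the subnet-router anycast address (all-zero suffix)")
    if kind != "manual-low":
        problems.append("suffix is not mostly zeroes, looks like " + kind)
    if ip == eui64_address(prefix, mac):
        problems.append("equals this host's MAC-derived SLAAC address")
    return problems

if __name__ == "__main__":
    PREFIX = "2001:abcd:ef01:2345::/64"  # the post's placeholder prefix
    MAC = "00:11:22:33:44:55"            # constructed sample MAC
    for a in ("2001:abcd:ef01:2345::6789",
              "2001:abcd:ef01:2345:10ce:b7af:f6cd:8052",
              str(eui64_address(PREFIX, MAC))):
        print(a, classify(a, PREFIX))
    print(check_static("2001:abcd:ef01:2345::6789", PREFIX, MAC))
```

On the running host, `ip -6 addr show dev br0` lists the static address next to the autoconfigured ones, so the same classification can be applied to what the interface actually holds.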