
How to select the right ipv6 address from an interface, and not just the first one found.

Open arpaterson opened this issue 2 years ago • 4 comments

I am using ddclient 3.9.1 (installed from raspberry pi os/debian apt) to update dynv6.com AAAA records, using the dyndns2 protocol.

It works as per their instructions if I add ssl=yes and remove the quotes around the token, i.e.

password=xxx

instead of

password=`xxx`

I am using usev6, if=eth0, however this selects the first ip6 returned by ip a s eth0.

After some configuration changes the desired global dynamic noprefixroute ip is shifted into second place by a global dynamic mngtmpaddr noprefixroute addr.

I saw some discussion about how to handle this in future, but haven't been able to find if there was any progress or documentation on how to grab the correct / a specific ipv6 address from an interface.

My use case is:

I have a Vodafone Station router (German one, no features, no bridge mode), a /64 prefix, and no possibility to get in over ipv4. Inside the network is DHCPv4 and DHCPv6 stateless I believe.

The only way in thru the firewall on my ISP mandated router is ipv6 host exposure - a device is selected by its MAC, not any of its ip6 addresses, and only the one ip6 address recognised/listed by the router is exposed. Only one ipv6:port or ipv6:portrange can be configured per MAC. It is very restrictive and buggy but if I massage it right it does work.

In order to hit the ip6 of a machine in my network I must get thru this firewall, (which cannot be disabled even if I wanted to, it re-enables after 24 hours), and I need dynv6 to point to that IP.

It works if the dynv6.com record is manually updated to the correct ip6 address of the machine in my network, which is exposed by the router firewall. ddclient is able to update the AAAA records at dynv6.com. So the last stumbling block is ensuring that ddclient selects the correct one of eth0's several ipv6 addresses.

There is no way to expose another of the IPs, even a manually added or slaac hardware one, because the router only lists the one address for exposure. I am unsure how it selects this one.

Do we have a way to handle this?

arpaterson, Aug 29 '22 12:08

The problem you have, I think, is that IPv6 by design allocates temporary addresses to internal hosts. The IPv6 design point was to try and avoid NAT (Network Address Translation) that became necessary for IPv4. So internal hosts are allocated a GUA (Global Unique Address) from within a delegated subnet... which could be your /64 or could be a separate /60 (or other length) prefix allocated to you by your ISP.

Because internal hosts are allocated GUAs there is a privacy and security concern. In IPv4/NAT internal hosts are "protected" from the outside by the gateway and private address range... you have to explicitly set up port forwarding to grant access. But with an IPv6 GUA a host's publicly routable address is out in the wild. So IPv6 was designed to frequently deprecate an allocated internal GUA address and issue a new one, so the internal host is unlikely to have the same address as it had yesterday (or a few hours ago).

If I look at my router's external interface I have only one IPv6 GUA allocated by my ISP, and the link-local address. If I look at any internal host, I see 3 or 4 GUAs allocated by my router, they are always changing.

All of this is why dynamic IPv6 addresses and ddclient type approaches don't mix well.

What can you do? Not much. If you have control over your gateway/router then you can manage the allocation of IP addresses to internal hosts. For example, my router uses dnsmasq and I can configure it to always allocate a specific IPv6 within the delegated subnet to a host based on that host's MAC address. This is as close as you can get to a "static" IPv6 for an internal host and you can then push that out to public DNS servers. I think (but I would need to look back) that the IPv6 address selection code in ddclient will bias towards selecting such an address.

dkerr64, Aug 29 '22 12:08

I understand what you are saying about ipv6 addresses being predominantly temporary, at least on user devices.

I believe the IP I want to use is generated from the prefix and duid, it seems to be persistent. My windows machine on the other hand gets a new ip6 regularly, on reboots, router reboots, new connections. I've observed my ubuntu machine behaving more like the windows machine - rolling thru ip6 addresses.

I think you are describing dhcp6 stateful in your case? Which is the most parallel with dhcp4. In any case I don't have access to influence any of that behaviour in the router. I would love to use it as a modem/bridge and use something more capable, but vodafone have dragged their heels on that for years already and if I'm honest, all I really need to do is reliably hit a vpn server at this location.

arpaterson, Aug 29 '22 12:08

I think your only option is to use cmdv6 and write your own script that returns the IPv6 address you want to use. Then you have full control.

dkerr64, Aug 29 '22 12:08
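One way to write the script suggested in the comment above, as an added example that is not part of the original thread or of ddclient. It assumes the wanted address is the `scope global` one that carries none of the `temporary`, `mngtmpaddr`, `deprecated` or `tentative` flags described in the issue; the names `pick_v6` and `sample_output` and the 2001:db8:: sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose which IPv6 address gets published in public DNS.
# pick_v6 reads `ip -o -6 addr show dev IFACE` output on stdin and prints the
# first address that is scope global and is neither a privacy/temporary
# address, the mngtmpaddr SLAAC template, deprecated, still in DAD, nor a
# unique local address (fc00::/7, not reachable from outside).
pick_v6() {
    awk '
    $3 == "inet6" {
        global = 0; skip = 0
        for (i = 5; i <= NF; i++) {
            if ($i == "scope" && $(i + 1) == "global") global = 1
            if ($i ~ /^(temporary|mngtmpaddr|deprecated|tentative|dadfailed)$/) skip = 1
        }
        if ($4 ~ /^f[cd][0-9a-f][0-9a-f]:/) skip = 1
        if (global && !skip) { sub(/\/.*/, "", $4); print $4; found = 1; exit }
    }
    # Non-zero exit when nothing qualifies, so the caller publishes nothing.
    END { exit (found ? 0 : 1) }'
}

# Constructed sample shaped like `ip -o -6 addr show dev eth0` output, with the
# wanted address listed after a temporary and a mngtmpaddr address.
sample_output() {
    cat <<'EOF'
2: eth0    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:1789/64 scope global temporary dynamic \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 2001:db8:1:2:ba27:ebff:fe12:3456/64 scope global dynamic mngtmpaddr noprefixroute \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 2001:db8:1:2::abc/128 scope global dynamic noprefixroute \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 fe80::ba27:ebff:fe12:3456/64 scope link noprefixroute \       valid_lft forever preferred_lft forever
EOF
}

# Called with an interface name (e.g. `pick-v6.sh eth0`, a hypothetical file
# name) the script queries the live system; with no argument it only defines
# the functions above.
if [ "$#" -gt 0 ]; then
    ip -o -6 addr show dev "$1" | pick_v6
fi
```

Because the filter works on flags and not on position, the result does not change when the kernel reorders the addresses on the interface.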

That sounds promising, I could definitely do that. I'll look for the documentation.

arpaterson, Aug 29 '22 12:08