On 15/10/20 08:02, Christian Weisgerber wrote:
> On 2020-10-14, Fernando Gont <[email protected]> wrote:
>> Set the VL to 30', and the PL to 15'. You could even set the VL to 15',
>> and the PL to 7.5', if necessary.
> How does this influence the lifetime of privacy addresses?
It should affect it at all.
Temporary (privacy) addresses enforce an upper limit on the Valid and
Preferred Lifetimes.
As such, as RAs keep being received, the PL and VL would continue being
refreshed/extended, until their "cumulative" values hit the VL and PL
for temporary addresses, at which point they would no longer be
extended/refreshed, and temporary addresses would be regenerated.
(With the current default values, the lifetimes for the prefixes are
longer than the PL/VL for temporary addresses... so if you do an
ifconfig, you'd see the PL/VL of temporary addresses decreasing over
time, until they expire. However, if you employ the suggested values for
the PL/VL of RAs, what you see is that VL/PL decrease from say, 30'/15',
and upon receipt of an RA they are reset to 30'/15', and start decreasing
again... until the cumulative values reach the VL/PL for temporary
addresses (as specified in RFC4941), at which point you'll finally see
them decreasing from 30'/15' until they expire).
> Even with rad(8)'s defaults, I already need to specify an originating
> non-privacy address for all long-running ssh sessions, otherwise
> they die when the privacy address they're using is forcefully expired
> after a week or so.
Yep. After all, "privacy addresses" (RFC4941) are temporary.
Unfortunately, IPv6 lacks an appropriate API for apps to specify the
semantics of the addresses they intend to use. If such an API was
available, one might expect that ssh would signal the OS that it should
use stable addresses as opposed to temporary addresses when
establishing new ssh sessions.
Thanks,
--
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
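
The lifetime accounting described in the message above, as an added example that is not part of the original e-mail or of any OpenBSD code. It assumes the RFC 4941 defaults (TEMP_VALID_LIFETIME of one week, TEMP_PREFERRED_LIFETIME of one day), ignores DESYNC_FACTOR, and uses a hypothetical function name and a constructed RA schedule.

```python
# Added example: how RA refreshes interact with the RFC 4941 caps on a
# temporary address. All times are seconds since the address was created.
TEMP_VALID_LIFETIME = 7 * 86400   # RFC 4941 default (assumed here)
TEMP_PREFERRED_LIFETIME = 86400   # RFC 4941 default, DESYNC_FACTOR ignored


def remaining(t, ra_times, ra_vl, ra_pl,
              temp_vl=TEMP_VALID_LIFETIME, temp_pl=TEMP_PREFERRED_LIFETIME):
    """Return (valid, preferred) seconds left on the temporary address at time t.

    ra_times: arrival times of RAs carrying the prefix (the RA at 0 creates
    the address). ra_vl / ra_pl: Valid / Preferred Lifetime advertised.
    """
    valid = preferred = 0
    last = None
    for ra in sorted(ra_times):
        if ra > t:
            break
        if last is not None and valid - (ra - last) <= 0:
            break  # address expired before this RA; it is not revived
        # Each RA resets the lifetimes, but never past the cumulative cap:
        # the address may not outlive temp_vl / temp_pl counted from creation.
        valid = max(0, min(ra_vl, temp_vl - ra))
        preferred = max(0, min(ra_pl, temp_pl - ra))
        last = ra
    if last is None:
        return (0, 0)
    elapsed = t - last
    return (max(0, valid - elapsed), max(0, preferred - elapsed))


if __name__ == "__main__":
    # Constructed schedule: one RA every 10 minutes, VL 30', PL 15'.
    ras = range(0, 8 * 86400, 600)
    for t in (300, 600, 85800, 86400, 603600, 604800):
        v, p = remaining(t, ras, ra_vl=1800, ra_pl=900)
        print(f"t={t:>6}s  valid={v:>4}s  preferred={p:>3}s")
```

With the constructed schedule the address is deprecated after one day and removed after one week, regardless of the short RA lifetimes, which is the point at which a long-running ssh session bound to it would die.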