78

This could be a no-brainer, but when I look in ifconfig it lists two different global IPv6 addresses. Is there a reason why I'm getting two assigned? Shouldn't I just get a single address?

valorin@gandalf:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr e8:9a:8f:6d:6a:aa  
          inet addr:172.10.10.1  Bcast:172.10.10.255  Mask:255.255.255.0
          inet6 addr: 2400:4000:cafe:2014:48c8:f262:ebe8:297b/64 Scope:Global
          inet6 addr: 2400:4000:cafe:2014:ea9a:8fff:fe6d:6aaa/64 Scope:Global
          inet6 addr: fe80::ea9a:8fff:fe6d:6aaa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:258 errors:0 dropped:0 overruns:0 frame:0
          TX packets:313 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:78280 (78.2 KB)  TX bytes:46173 (46.1 KB)
          Interrupt:41 Base address:0xe000 
Stephen RC
  • 4,812
  • It doesn't seem to be the case anymore in 14.04, 15.04, Debian 8.2 or even Windows 10. You should get just one global IPv6 address now – vigilian Sep 30 '15 at 13:04
  • @MichaelHampton may I ask why? – hdl May 13 '16 at 14:14
  • 3
    @hdl Because ifconfig has been deprecated for many years. It is not even included by default in modern Linux distributions (but it can still be installed, for a while anyway). You will need to convert, because sooner or later ifconfig will go away completely. – Michael Hampton May 13 '16 at 14:15
  • Oh, ok, I've done a quick search and seen that it is being (very slowly) deprecated indeed, but only on Linux distros. – hdl May 13 '16 at 15:10
  • 5
    2400:4000:CAFE: ... That's beautiful – KevinOrr Sep 29 '16 at 15:39

1 Answer

93

The address containing ea9a:8fff:fe6d:6aaa is an automatically configured address based on your Ethernet MAC address. You can recognize them because they contain ...ff:fe... in the middle of the last 64 bits. The rest of the bits are derived from your MAC address. Compare

ea9a:8fff:fe6d:6aaa

with

e8:9a:8f:6d:6a:aa

Because some people are worried that making your MAC address visible on the internet would cause content / website providers to track your behavior by your MAC address (and such behavior wouldn't surprise me, although they can more easily track you with cookies, browser-local storage etc. etc. etc.), the privacy extensions were introduced.

The address containing 48c8:f262:ebe8:297b is such an address. That is the address that will be used to connect to websites and other outgoing connections. It will change over time to maintain your privacy and make you harder to track.

Both addresses are available for you to use. Outgoing connections will use the privacy address, unless configured otherwise. You can also still receive incoming connections on the MAC-address-based IPv6 address. This is all done to give you lots of flexibility. If you want, you could add even more addresses.

PS: another tool to see IPv6 addresses is

ip -6 addr

It will show you a bit more detail. You will see the word temporary after the privacy address, which indicates what it is.

  • 1
    Which one will be used as the source address? How does the OS determine? – Felipe Alvarez May 20 '16 at 13:42
  • 2
    The default source address is determined according to https://tools.ietf.org/html/rfc6724. Usually the most recently generated temporary address will be used – Sander Steffann May 21 '16 at 21:14
  • 1
    Are temporary addresses re-assigned after the DHCP lease runs out? If so, how do you handle constantly changing IPs at the firewall? Do you have to open the whole DHCP range of IPs? – DanMan Mar 31 '18 at 15:43
  • 1
    There is no DHCP involved, this is SLAAC. If your security depends on the addresses of individual devices on a shared LAN then it's insecure anyway. – Sander Steffann Mar 31 '18 at 19:06
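
The comparison made in the answer, as an added example that is not part of the original answer or thread: it builds the modified EUI-64 interface identifier (RFC 4291, Appendix A) from the question's HWaddr and checks each listed address against it. The one step the side-by-side comparison does not spell out is that the universal/local bit of the first octet is flipped, which is why e8 appears as ea. The function names are this example's own; the MAC and addresses are the ones in the question.

```python
import ipaddress

def mac_to_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC address."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit (0x02) and insert ff:fe between the halves.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]

def embedded_mac(addr: str):
    """MAC implied by the address's last 64 bits, or None without the ff:fe marker.

    A random interface ID can contain ff:fe by chance (1 in 65536), so treat a
    hit as a candidate and confirm it against the interface's real HWaddr.
    """
    iid = ipaddress.IPv6Address(addr.split("/")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def classify(addr: str, hwaddr: str) -> str:
    """Label an address by scope and by whether it exposes hwaddr."""
    ip = ipaddress.IPv6Address(addr.split("/")[0])
    scope = "link-local" if ip.is_link_local else "global"
    if ip.packed[8:] == mac_to_interface_id(hwaddr):
        return f"{scope}, derived from MAC"
    return f"{scope}, not MAC-derived"

if __name__ == "__main__":
    # Values taken from the ifconfig output in the question.
    hwaddr = "e8:9a:8f:6d:6a:aa"
    for a in ("2400:4000:cafe:2014:48c8:f262:ebe8:297b/64",
              "2400:4000:cafe:2014:ea9a:8fff:fe6d:6aaa/64",
              "fe80::ea9a:8fff:fe6d:6aaa/64"):
        print(f"{a:45} {classify(a, hwaddr)}")
```

A "not MAC-derived" result only says the interface ID was not built from the hardware address; whether it is a privacy address is what the temporary flag in ip -6 addr tells you.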