I am setting up a virtual lab environment in the cloud to experiment with IPv6 networks.

Bear with me please, I'm new to networking and my grasp of the whole IPv6 subject is quite shaky. Please correct me if I misunderstand any of the IPv6 concepts or my terminology is wrong etc.

So what I am trying to do is create a Link (or Subnet) consisting of Unique Local Addresses (ULA).

According to RFC 4193 the structure is the following:

  Prefix            FC00::/7 prefix to identify Local IPv6 unicast
                    addresses.

  L                 Set to 1 if the prefix is locally assigned.
                    Set to 0 may be defined in the future.  See
                    Section 3.2 for additional information.

  Global ID         40-bit global identifier used to create a
                    globally unique prefix.  See Section 3.2 for
                    additional information.

  Subnet ID         16-bit Subnet ID is an identifier of a subnet
                    within the site.

  Interface ID      64-bit Interface ID as defined in [ADDARCH].

What I'm struggling with is generating the Pseudo-Random Global ID. RFC 4193 also specifies an algorithm to do so:

The algorithm described below is intended to be used for locally
assigned Global IDs.  In each case the resulting global ID will be
used in the appropriate prefix as defined in Section 3.2.

 1) Obtain the current time of day in 64-bit NTP format [NTP].

 2) Obtain an EUI-64 identifier from the system running this
    algorithm.  If an EUI-64 does not exist, one can be created from
    a 48-bit MAC address as specified in [ADDARCH].  If an EUI-64
    cannot be obtained or created, a suitably unique identifier,
    local to the node, should be used (e.g., system serial number).

 3) Concatenate the time of day with the system-specific identifier
    in order to create a key.

 4) Compute an SHA-1 digest on the key as specified in [FIPS, SHA1];
    the resulting value is 160 bits.

 5) Use the least significant 40 bits as the Global ID.

 6) Concatenate FC00::/7, the L bit set to 1, and the 40-bit Global
    ID to create a Local IPv6 address prefix.

This algorithm will result in a Global ID that is reasonably unique
and can be used to create a locally assigned Local IPv6 address
prefix.

Step 2) is what I'm having problems with. https://cd34.com/rfc4193/ implements the RFC 4193 algorithm utilizing a MAC address.

But what MAC address do I use?

I believe that if I just use the MAC of my physical Ethernet interface of my home PC I'm fine, right? If I understand correctly I could only run into the problem of the Global ID not being unique if someone generated a Global ID with the same MAC address at the exact same time.

snrrn
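The section 3.2.2 procedure quoted in the question, carried through end to end as an added example (this is not code from the question, the answers or the cd34.com tool). The MAC address and the fixed timestamp used for reproducibility are constructed placeholders; ula_from_random shows the alternative of taking the 40 bits straight from the OS CSPRNG instead of from a MAC-based hash.

```python
import hashlib
import ipaddress
import secrets
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800

def ntp_timestamp(unix_time):
    """Step 1: 64-bit NTP timestamp (32-bit seconds || 32-bit fraction), big-endian."""
    whole = int(unix_time)
    seconds = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return ((seconds << 32) | fraction).to_bytes(8, "big")

def eui64_from_mac(mac):
    """Step 2: expand a 48-bit MAC into a modified EUI-64 (RFC 4291 Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the universal/local bit
    return bytes(eui)

def rfc4193_global_id(system_id, unix_time):
    """Steps 3-5: SHA-1 over time || identifier, keep the least significant 40 bits."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + system_id).digest()
    return int.from_bytes(digest[-5:], "big")

def ula_prefix(global_id):
    """Step 6: fc00::/7 with L=1 (fd00::/8), then the 40-bit Global ID, gives a /48."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must be 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))

def ula_from_mac(mac, unix_time=None):
    """RFC 4193 section 3.2.2 end to end; unix_time can be pinned for reproducible runs."""
    t = time.time() if unix_time is None else unix_time
    return ula_prefix(rfc4193_global_id(eui64_from_mac(mac), t))

def ula_from_random():
    """The alternative discussed in the answers: 40 bits straight from the OS CSPRNG."""
    return ula_prefix(secrets.randbits(40))

if __name__ == "__main__":
    # Constructed sample MAC (locally administered), not a real device.
    print(ula_from_mac("02:00:00:aa:bb:cc"))
    print(ula_from_random())
```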

2 Answers


Remember, the purpose of the algorithm is to avoid everyone picking FD00::/48 so they can abbreviate everything with the double colon. (Or other "easy" ones like FDAA:AAAA::/48, etc).

The section right above it (3.2.1) identifies that the formula in 3.2.2 is merely a suggested formula, not directed:

3.2.1.  Locally Assigned Global IDs

   Locally assigned Global IDs MUST be generated with a pseudo-random
   algorithm consistent with [RANDOM].  Section 3.2.2 describes a
   suggested algorithm.  It is important that all sites generating
   Global IDs use a functionally similar algorithm to ensure there is a
   high probability of uniqueness.

As long as you use something with at least as much randomness of what is outlined in 3.2.2, you will be fine.

The suggested formula provides two starting values: the current time, and the local system's MAC address. This creates two seed values for the final random output.

If you were picking your own values, you would want to pick a value that would be different every time you generated a new /48 (like the current time), and something that would be different if two people on opposite ends of the world happened to generate their ULA address space at the exact same second (like their individual MAC addresses).

So what MAC address? Whichever you want... your phone, your home PC, your work PC, your buddy's VM on his hypervisor, etc. So long as you pick one that you would likely not pick again if you are faced with generating another ULA address scope in the future -- even a random series of 48 bits would also do the trick.

Eddie

  • I understand now. For a small lab network I think I'd be more than fine if I generated multiple Global IDs with the same MAC. But basically I increase the chances of collisions if I do so. – snrrn Feb 20 '18 at 18:04
  • @MichaelSchnerring You have a better chance of winning the lotto twice a week every week for a century than of having a ULA collision, provided you follow RFC 4193 or some other appropriate generation method. – Michael Hampton Feb 20 '18 at 18:16
  • @MichaelSchnerring Remember, you are picking 40 bits of randomness for every ULA assignment, that provides odds of 1 in 2^40 (approx 1 trillion~). Those are sufficiently good enough odds to avoid collisions. And remember, this is still ULA address space, which means not used on the Internet. So the collision would only prove problematic if the two companies that happened to pick the same 40 bits also happened to decide to merge their internal networks, or build VPN tunnels to each other. – Eddie Feb 20 '18 at 18:27
  • @MichaelHampton Nice. Love the analogy. =) – Eddie Feb 20 '18 at 18:28
  • @MichaelHampton I actually have a decent chance if I generate 2^20 ULAs right now. – user253751 Feb 21 '18 at 04:13
  • @immibis Yeah, a one in a million chance. But what would you do with all those ULAs? – Michael Hampton Feb 21 '18 at 07:45
  • @MichaelHampton Actually a 50% chance – user253751 Feb 21 '18 at 21:31
  • @immibis Really? How do you figure that? Math wasn't my strong suit... – Michael Hampton Feb 21 '18 at 21:35
  • @MichaelHampton It's the well-known [birthday paradox](https://en.wikipedia.org/wiki/Birthday_problem) - if you choose N things at random, you only have to choose things before you have a 50% chance of having a collision – user253751 Feb 21 '18 at 21:52
  • @immibis OK, now I understand the math. The square root of 2^40 is indeed 2^20. What I can't figure out is what you're going to do with 2^20 prefixes, and how you're going to figure out who you collided with. – Michael Hampton Feb 21 '18 at 22:00

The MAC address would be the MAC address of the interface on which you want to assign the network, but as it says, it can be some other unique identifier. MAC addresses only need to be unique on the LAN where they are connected, but they are probably unique in a much larger context.

Ron Maupin

  • So this would be the MAC of the router interface? – snrrn Feb 20 '18 at 17:21
  • That would be a good choice, but it could be the MAC address of any device on the network. I think it tells you to use the MAC address of the device where you are building the ID, and that is probably for convenience because the application or tool you are using can probably get that by itself. That would mean it could be the PC where you are running the tool to create the ID. – Ron Maupin Feb 20 '18 at 17:23
  • Okay that makes sense but I don't see how I make this work in my cloud environment (OpenStack). The way it works is that I can set up **Networks**. For Networks I can create **Subnets**, so I'd need the Global ID at this point to define the IP range of the subnet. Only then can I connect a host to the subnet. I guess a virtual router is generated as soon as I add a subnet to a network (I can see a default gateway). Also a virtual Ethernet interface is generated as soon as I connect a host to a subnet. So should I change the subnet's IP range after I have connected everything? – snrrn Feb 20 '18 at 17:44
  • You could really use any MAC address, but you probably wouldn't want to use the same one twice, although with the other stuff in the algorithm, you wouldn't get the same result, but it could be skewed. – Ron Maupin Feb 20 '18 at 17:47
  • @MichaelSchnerring, you must remember that ULA addresses cannot communicate with the public Internet, so don't even try because the ISPs will drop traffic with those addresses. – Ron Maupin Feb 20 '18 at 17:48
  • Honestly. I don't bother looking for a MAC address; I just pick a random number from the nearest `/dev/urandom`. This MAC address thing always seemed rather ridiculous to me, and I would love to hear an explanation of why it's better than, say, an RFC 4086 compliant random number. – Michael Hampton Feb 20 '18 at 18:07
  • @RonMaupin you mean skewed in a way that the collision chance increases significantly? The reason I use ULAs is to use them for an Active Directory Domain. So I don't want the addresses to be public. Right now my instances have UGAs, though only RDP traffic is allowed for these. – snrrn Feb 20 '18 at 18:11
  • @MichaelHampton, I think they wrote that in because you could have a generation tool that simply reads the MAC address of the host on which it is run. As written, it seems to be confusing people, and I haven't actually seen any tool for this. I agree that any random number works well. – Ron Maupin Feb 20 '18 at 18:12
  • @MichaelSchnerring, I simply mean it decreases entropy. You specifically do not want ordered Global IDs, not necessarily that there would be exact collisions. – Ron Maupin Feb 20 '18 at 18:14