Manually generating IPv6 privacy address
This is a quick tutorial to manually generate IPv6 address on a preferred schedule. Tested on Debian 12.
First create a new text file in your home directory for storing IPv6 prefix. For example /root/IPv6/IPv6-prefix.txt with a 0 in it and save it and set chmod 777 as permission for write access. Then create three bash scripts in your home directory as listed below and chmod 755 for execution permission for all of them. Change the name ens18 with the name of your ethenrnet adapter. Change the value preferred_lft 97200 to your desired lifespan of your IPv6 address.
/root/IPv6/IPv6-Add-Privacy-Address.sh
#!/bin/bash
IPv6PrefixFile=/root/IPv6/IPv6-Prefix.txt
IPv6Prefix=$(cat $IPv6PrefixFile)
IPv6Prefix=${IPv6Prefix:0:19}
IP=$(printf "$IPv6Prefix:%s"; openssl rand -hex 8 | sed 's/\(....\)/\1:/g; s/.$//');
ip addr add $IP/64 dev ens18 preferred_lft 97200
logger -p warning "IPv6 new privacy address added $IP"
# Remove deprecated IPv6 addresses
DHCPv6=$(ip -6 addr|awk '{print $2}'|grep -P '^(?!fe80)(?!fd)[[:alnum:]]{4}:.*/128'|cut -d '/' -f1)
for i in $(/sbin/ip -6 addr | grep -vE 'host|mngtmpaddr|temporary' | grep 'scope global deprecated\s$' | sed -e 's/^.*inet6 \([^ ]*\)\/.*$/\1/;t;d' | grep '^2'| grep -v "${DHCPv6}");
do
echo remving ${i}
ip -6 addr del ${i}/64 dev ens18
logger -p warning "IPv6 deprecated privacy address removed ${i}"
done
exit 0
/root/IPv6/IPv6-prefix.sh
#!/bin/bash
IPv6PrefixFile=/root/IPv6/IPv6-Prefix.txt
__rfc5952_expand () {
read addr mask < <(IFS=/; echo $1)
quads=$(grep -oE "[a-fA-F0-9]{1,4}" <<< ${addr/\/*} | wc -l)
grep -qs ":$" <<< $addr && { addr="${addr}0000"; (( quads++ )); }
grep -qs "^:" <<< $addr && { addr="0000${addr}"; (( quads++ )); }
[ $quads -lt 8 ] && addr=${addr/::/:$(for (( i=1; i<=$(( 8 - quads )) ; i++ )); do printf "0000:"; done)}
addr=$(for quad in $(IFS=:; echo ${addr}); do printf "${delim}%04x" "0x${quad}"; delim=":"; done)
[ ! -z $mask ] && echo $addr/$mask || echo $addr
}
IPv6Prefix=$(ip -f inet6 route | grep '^2' | grep '/64' | awk '{print $1}' | cut -d'/' -f1)
IPv6CurrentPrefix="$(__rfc5952_expand $IPv6Prefix)"
STOREDIPV6=$(cat $IPv6PrefixFile)
if [ $IPv6CurrentPrefix != $STOREDIPV6 ]; then
echo $IPv6CurrentPrefix > $IPv6PrefixFile
logger -p warning "IPv6 new prefix detected $IPv6CurrentPrefix"
# Add new IPv6 address
source /root/IPv6/IPv6-Add-Privacy-Address.sh
fi
exit 0
/root/IPv6/IPv6-System-Startup.sh
#!/bin/bash
IPv6PrefixFile=/root/IPv6/IPv6-Prefix.txt
echo "0" > $IPv6PrefixFile
source /root/IPv6/IPv6-prefix.sh
exit 0
Now add three new cron jobs to automate IPv6 address generation.
Cron Jobs
# IPv6 1AM
0 1 * * * /bin/bash /root/IPv6/IPv6-Add-Privacy-Address.sh > /dev/null 2>&1
# IPv6 Check Every 15 Min
*/15 * * * * /bin/bash /root/IPv6/IPv6-prefix.sh > /dev/null 2>&1
# IPv6 Maintenance
@reboot sleep 30 && /bin/bash /root/IPv6/IPv6-System-Startup.sh > /dev/null 2>&1
Let me know if you have any comments or if there is any error in this guide.