Part 1 of this series described a mechanism similar to time-based one-time passwords (TOTP) that allows a client to communicate with a server on a constantly changing IPv6 address. TOTPs are commonly used in two-factor authentication schemes, where a user logging in to a service has to provide a password and a code generated by a hardware token or an app on a smartphone. Since the code is time-based it can be created even if the token or phone isn't connected to a network: the device only needs a reasonably accurate idea of the current time.
For the present purpose, however, the device will almost certainly be connected: the point of generating the ever-changing IPv6 address is to connect to the hidden server. If we're unable to connect to an IPv6 address there's little point in having it.
This leads to a second stupid idea: the server can generate its temporary IPv6 address by combining a secret with a random string and then it can publish the string. The random string, like the time, doesn't need to be kept secret, so it can be made available to anybody on a static IP address. Only clients that know the server's secret can use the random string to work out the server's current ephemeral IPv6 address. A slight tweak to the previous script should do it:
#!/bin/sh
# display the current random-based IPv6 address

# fetch the random string the server publishes on its static address
uuid=`wget -q -O - http://ipv6.example.com:8080/uuid.txt`
# without the string there is nothing to derive; don't hash secret+salt alone
[ -n "$uuid" ] || exit 1
secret="Zarniwoop"
prefix="2001:db8:1:2:3:4"
# fallback host part, used only if every salt lands in the static range
suffix1="cafe"
suffix2="babe"
for salt in "Zarquon" "Frankie" "Benjy"
do
    message="${secret}${uuid}${salt}"
    # echo appends a newline, so the newline is part of what gets hashed
    sum=`echo "$message" | md5sum`
    # reserve a /124 for static addresses: skip hashes whose top 28 host bits are zero
    somesum=`echo "$sum" | cut -c1-7`
    if [ "$somesum" != "0000000" ]
    then
        suffix1=`echo "$sum" | cut -c1-4`
        suffix2=`echo "$sum" | cut -c5-8`
        break
    fi
done
echo "${prefix}:${suffix1}:${suffix2}"
The above client script should be combined with a similar server script which runs as a cron job. Note that the server script is the one that chooses the random string: each time it runs it writes the current string into the file it serves on its static IP address, then derives the matching ephemeral address in exactly the same way as the client.
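The same derivation in Python, as an added example rather than code from this page or from frippery.org. It reproduces the client script (including the newline that echo feeds to md5sum, which a client written in any other language must also hash or it will disagree with the server), shows the server side of the exchange, and makes the digest function injectable so the /124 fallback path can be exercised without hunting for a real MD5 preimage. The prefix, secret and salts are the placeholders from the script above; server_tick and its choice of a random hex token are assumptions about what the cron job does.

```python
import hashlib
import ipaddress
import secrets

# Constructed parameters, taken from the placeholders in the client script above.
# 2001:db8::/32 is documentation space, not the author's server.
SECRET = "Zarniwoop"
SALTS = ("Zarquon", "Frankie", "Benjy")
PREFIX = ipaddress.IPv6Network("2001:db8:1:2:3:4::/96")
STATIC_LEN = 124            # the first /124 of the /96 is reserved for static addresses
FALLBACK_HOST = 0xCAFEBABE  # what the sh script prints if every salt collides


def shell_md5(message):
    """Hex MD5 of message exactly as `echo "$message" | md5sum` computes it.
    echo appends a newline, so the newline is part of the hashed data; a
    client that forgets it derives a different address than the server."""
    return hashlib.md5((message + "\n").encode()).hexdigest()


def in_static_range(host, prefix, static_len):
    """True if a candidate host value lands in the reserved static range,
    i.e. its top (static_len - prefix length) bits are all zero."""
    return host >> (128 - static_len) == 0


def ephemeral_address(uuid, secret=SECRET, salts=SALTS, prefix=PREFIX,
                      static_len=STATIC_LEN, digest=shell_md5):
    """Address the hidden server uses while `uuid` is the published string.

    For each salt in turn, hash secret||uuid||salt, keep as many leading hex
    digits as the prefix leaves for host bits (8 for a /96), and skip results
    inside the static range. `digest` is injectable only so the collision
    path can be tested without finding a real MD5 preimage."""
    host_hex_digits = (128 - prefix.prefixlen) // 4
    host = FALLBACK_HOST
    for salt in salts:
        candidate = int(digest(secret + uuid + salt)[:host_hex_digits], 16)
        if not in_static_range(candidate, prefix, static_len):
            host = candidate
            break
    return ipaddress.IPv6Address(int(prefix.network_address) | host)


def server_tick():
    """One run of the server's cron job (assumed shape, not the author's
    script): pick a fresh random string to publish on the static address and
    compute the ephemeral address the server must now answer on."""
    uuid = secrets.token_hex(16)   # assumption: any unguessable string works
    return uuid, ephemeral_address(uuid)


if __name__ == "__main__":
    uuid, server_addr = server_tick()
    print("published string :", uuid)
    print("server listens on:", server_addr)
    print("client derives   :", ephemeral_address(uuid))
```

One caveat the construction carries with it: anyone who can fetch the published string and also observe one connection to the resulting address has everything needed to test guesses of the secret offline at MD5 speed, so the secret should be a long random string rather than a word.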
With a suitable CGI script any web server can redirect visitors to the hidden server. frippery.org uses this to implement another mirror that's only available via an ephemeral IPv6 address.
Some notes:
Some of the script's parameters could usefully be encoded in DNS entries for the server. For example, the AAAA DNS entry for mirror.frippery.org returns 2a00:1098:0:86:1000:33:0:607c. Unless you get very lucky that isn't really its IP address. Instead the value encodes the prefix length of the server's address range (60 hex is 96 decimal) and the prefix length of the static address range (7c hex is 124 decimal).
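An added example (not code from this page or from frippery.org) of reading that AAAA record as a hint: it pulls the two prefix lengths out of the last two bytes, rebuilds the server's /96 and the reserved static /124 from them, and classifies an observed address against those ranges. The address is the one quoted above; the classify helper and the sanity check on the two lengths are my own additions.

```python
import ipaddress


def decode_hint(aaaa):
    """Read the AAAA record as the hint the page describes rather than as an
    address: its last two bytes are the prefix length of the server's range
    and the prefix length of the static sub-range (0x60 = 96, 0x7c = 124 for
    mirror.frippery.org). Returns the two networks with host bits cleared."""
    addr = ipaddress.IPv6Address(aaaa)
    prefix_len, static_len = addr.packed[-2], addr.packed[-1]
    # assumed sanity check: a hint must name a prefix and a smaller range inside it
    if not 0 < prefix_len < static_len <= 128:
        raise ValueError(f"{aaaa} does not encode a prefix hint")
    prefix = ipaddress.IPv6Network((int(addr), prefix_len), strict=False)
    static = ipaddress.IPv6Network((int(prefix.network_address), static_len))
    return prefix, static


def classify(address, prefix, static):
    """Where an observed address sits relative to the decoded ranges:
    'static' for the reserved range, 'ephemeral' for the rest of the server's
    prefix, 'outside' for anything else."""
    a = ipaddress.IPv6Address(address)
    if a in static:
        return "static"
    if a in prefix:
        return "ephemeral"
    return "outside"


if __name__ == "__main__":
    prefix, static = decode_hint("2a00:1098:0:86:1000:33:0:607c")
    print("server range :", prefix)
    print("static range :", static)
    for a in ("2a00:1098:0:86:1000:33::1",
              "2a00:1098:0:86:1000:33:dead:beef",
              "2a00:1098:0:86:1000:33:0:607c"):
        print(a, "->", classify(a, prefix, static))
```

Note that the hint value itself falls in the ephemeral part of the range (host part 0000607c, whose top 28 bits are not zero), which is why it would only be the real address by luck.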
For more continue to Part 3.