Ephemeral IPv6 server addresses (part 3)

if a server changes IP address and no one pings it, does it make a sound?

I'm trying to figure out ways to use my virtual private server's 4 billion IPv6 addresses.

In the previous installment the server and its clients independently derived the same IPv6 address from a shared secret and a random string. In that case the server generated the random string, changing it from time to time and posting it on the web for anyone to see.

If the server is only used occasionally it might appear wasteful to have it repeatedly setting up addresses that no one uses. Suppose we turn things around and have the client ask the server to configure a new address when it needs to connect. This is a bit like port knocking, where a client uses a secret pattern of accesses to signal to a server that it should open a port.

The procedure could be:

The client-side script would look like this:

   #!/bin/sh

   # open a new address on server based on a random number

   read uuid </proc/sys/kernel/random/uuid

   secret="Quordlepleen"
   prefix="2001:db8:1:2:3:4"

   suffix1="feed"
   suffix2="face"
   for salt in "Majikthise" "Vroomfondel" "Prosser"
   do
      message="${secret}${uuid}${salt}"
      sum=`echo "$message" | md5sum`

      # reserve a /124 for static addresses
      somesum=`echo "$sum" | cut -c1-7`
      if [ "$somesum" != "0000000" ]
      then
         suffix1=`echo "$sum" | cut -c1-4`
         suffix2=`echo "$sum" | cut -c5-8`
         break
      fi
   done
   echo "${prefix}:${suffix1}:${suffix2}"

   message="${uuid}${secret}"
   hash=`echo "${message}" | md5sum | cut -c1-32`

   wget -O - -q "http://ipv6.example.com:8080/cgi-bin/knock.cgi?uuid=$uuid&hash=$hash"

This script is quite similar to previous efforts. The implementation on the server requires a matching CGI script. It's quite likely that this script won't be run as root, so it'll be unable to set up the new IP address itself. I've worked around this by having the script dump the address into a file. The file is monitored by a second script which is run as root. When this second script is notified that the contents of the file have changed it reads the new IP address and configures the network. This isn't a very robust solution: improvements would be required for anything more than a test deployment.

The above technique can be used to have, say, an ssh server that's only available on a single, apparently random, address chosen from the 4 billion available to the server. But only when a client requests access.

Also note:

More random IPv6 ramblings in Part 4.


Ron Yorston
19th August 2015 (updated 24th August 2015)