11.6. Configuring IPv6 Tokenized Interface Identifiers

In a network, servers are generally given static addresses and these are usually configured manually to avoid relying on a DHCP server which may fail or run out of addresses. The IPv6 protocol introduced Stateless Address Autoconfiguration (SLAAC) which enables clients to assign themselves an address without relying on a DHCPv6 server. SLAAC derives the IPv6 address based on the interface hardware, therefore it should not be used for servers in case the hardware is changed and the associated SLAAC generated address changes with it. In an IPv6 environment, if the network prefix is changed, or the system is moved to a new location, any manually configured static addresses would have to be edited due to the changed prefix.
To address these problems, the IETF draft Tokenised IPv6 Identifiers has been implemented in the kernel together with corresponding additions to the ip utility. This enables the lower 64 bit interface identifier part of the IPv6 address to be based on a token, supplied by the administrator, leaving the network prefix, the higher 64 bits, to be obtained from router advertisements (RA). This means that if the network interface hardware is changed, the lower 64 bits of the address will not change, and if the system is moved to another network, the network prefix will be obtained from router advertisements automatically, thus no manual editing is required.
To configure an interface to use a tokenized IPv6 identifier, issue a command in the following format as root user:
~]# ip token set ::1a:2b:3c:4d/64 dev eth4
Where ::1a:2b:3c:4d/64 is the token to be used. This setting is not persistent. To make it persistent, add the command to an init script. See Section 11.3, “Interface Control Scripts”.
Using a memorable token is possible, but is limited to the range of valid hexadecimal digits. For example, for a DNS server, which traditionally uses port 53, a token of ::53/64 could be used.
To view all the configured IPv6 tokens, issue the following command:
~]$ ip token
     token :: dev eth0 
     token :: dev eth1 
     token :: dev eth2 
     token :: dev eth3 
     token ::1a:2b:3c:4d dev eth4
To view the configured IPv6 token for a specific interface, issue the following command:
~]$ ip token get dev eth4
     token ::1a:2b:3c:4d dev eth4
Note that adding a token to an interface will replace a previously allocated token, and in turn invalidate the address derived from it. Supplying a new token causes a new address to be generated and applied, but this process will leave any other addresses unchanged. In other words, a new tokenized identifier only replaces a previously existing tokenized identifier, not any other IP address.

Note

Take care not to add the same token to more than one system or interface as the duplicate address detection (DAD) mechanism will not be able to resolve the problem. Once a token is set, it cannot be cleared or reset, except by rebooting the machine.