IPv6 link-local to the rescue
2 min read

IPv6 link-local to the rescue

The shoemaker's son always goes barefoot

Today I decided to finally update my home LAN. I've had my main subnet set as a /16 for maybe 6+ years. It has always urked me that I made this choice, and I'm unsure the original idea behind selecting it; However, I just couldn't be bothered to change it until today. I also finally intend on installing a local dns instance soon. I guess this inertia could be explained by the old saying,

The shoemaker's son always goes barefoot

The reason why today was the day, was due to us recently moving apartments, causing me to have less small devices connected with their static IP's. Secondly, I just built a new workstation at home... and it happened to be assigned a DHCP IP outside of the very small /29 I allocated for my remote access VPNs. Instead of setting a static IP, I figured it was time to update the subnet & dhcp settings.

So I made this change, very quickly, and was satisfied with how seamless it was..... until.... I went to log into my router and was greeted with:

ssh: connect to host erx port 22: Connection refused

ay Dios Mio, as my wife would say, I forgot the ill fated lines:

set service gui listen-address
set service ssh listen-address
// New IP, who dis?
It hurt more that I couldn't actually see this config, but I knew it was there

( ͡ಠ ʖ̯ ͡ಠ)


Yes, indeed, I was royally fucked. The reason why I was royally fucked is that I haven't taken a backup of my config in who knows how long. Once again, my LAN is said shoemaker's son.

Suddenly I was in a panic... do I have the keys for my VPN tunnels? Would I have to go through the effort of rebuilding them from scratch? Suddenly, it came to me. The boys at UBNT had a solution for me... SSH recovery via IPv6 link-local .

The concept is simple. After your router boots up & the SSH daemon comes online, you have about a minute or two to login via the link-local address on your lan, which bypasses the firewall on the device.

Since my connectivity through the device was fine, I knew I had the mac address to deduce the link-local:

[kazaii@broadview ~]$ arp -n | grep               ether   44:d9:e7:11:11:11   C                     enp4s0
[kazaii@broadview ~]$ 
// I replaced the non OUI elements with 11's
ARP, step 1

Now let's get the link-local (I mean, this can be calculated without but cmon, copy-paste-til-I-die. We just have to ping IPv6 all-nodes multicast address:

[kazaii@broadview ~]$ ping -6 ff02::1%enp4s0
PING ff02::1%enp4s0(ff02::1%enp4s0) 56 data bytes
64 bytes from fe80::46d9:e7ff:fe11:1111%enp4s0: icmp_seq=1 ttl=64 time=0.812 ms
[kazaii@broadview ~]$
// Nature finds a way
Thank you multicast & v6

Okay, now I just power cycle the device. ping -6 the IP and keep trying SSH until....

kazaii@broadview ~]$ ssh kazaii@fe80::46d9:e7ff:fe11:1111%enp4s0 -p 60257
  * This is SSH recovery shell which is accessible *
  * only from LAN via IPv6 link-local address      *

kazaii@fe80::46d9:e7ff:fe11:1111%enp4s0's password: 
// Great Odin's raven, that's a prompt, baby. 
The easiest target to hack is yourself. You know all your weaknesses.

Now all I had to do was set the new IP's and delete the old ones. Bam, I was in!

I then fixed up my VPN and only had to apologize to my wife softly that I took down our LAN, interrupting her Sunday morning browsing session in bed.

Time to take a backup.....