Tripwire on IPv6 localhost

After reports of users tripping their tripwires locally, I decided to stop speculating about IPv6 and put it to the test.

tl;dr - if your router gives you an fc... or fd... IPv6 address, you're good; with fe... you'll trip your own tripwire.

The authentication code in stash checks whether the request address is public and whether the tripwire should be tripped [1]. It checks against Go's net.IP.IsPrivate, which you can also test for yourself [2].
The formal RFC 4193 definition of IPv6 private addresses covers fc00::/7, which splits into fc00::/8 and fd00::/8. fe80::/64, while reserved for link-local addresses [3], is not treated as a private network by Go.
Another common range is fec0::/10, which is reserved for site-local addresses but was never defined and hence is also not recognized as private in Go [4]. While not properly defined, the fe prefix is still used by many routers today instead of ULA or proper "Private Networks".


  1. stash/pkg/session/authentication.go at 0621d87133a9e810687e0da27fd3ea65095873a0 · stashapp/stash · GitHub
  2. net package - net - Go Packages
  3. Reserved IP addresses - Wikipedia
  4. Unique local address - Wikipedia
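
To check the classification yourself, the following added example (not code from stash or from the original post) runs Go's net.IP.IsPrivate, IsLinkLocalUnicast and IsLoopback over constructed sample addresses from each range discussed above. The classify helper, the verdict type and the zone-stripping step are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// verdict records how Go's net package classifies one address.
type verdict struct {
	Private, LinkLocal, Loopback bool
}

// classify (hypothetical helper) parses addr and reports the result of
// net.IP.IsPrivate, IsLinkLocalUnicast and IsLoopback for it.
func classify(addr string) (verdict, error) {
	// Link-local peers can carry a zone ("fe80::1%eth0"); net.ParseIP
	// rejects zoned addresses, so drop the zone before parsing.
	if i := strings.IndexByte(addr, '%'); i >= 0 {
		addr = addr[:i]
	}
	ip := net.ParseIP(addr)
	if ip == nil {
		return verdict{}, fmt.Errorf("not an IP address: %q", addr)
	}
	return verdict{
		Private:   ip.IsPrivate(), // 10/8, 172.16/12, 192.168/16, fc00::/7
		LinkLocal: ip.IsLinkLocalUnicast(),
		Loopback:  ip.IsLoopback(),
	}, nil
}

func main() {
	// Constructed sample addresses, one per range discussed in the post.
	samples := []string{
		"fc00::1", "fd12:3456:789a::1", // ULA (RFC 4193)
		"fe80::1", "fe80::1%eth0", // link-local, without and with a zone
		"fec0::1",     // site-local prefix
		"::1",         // loopback
		"2001:db8::1", // documentation prefix, neither private nor local
	}
	for _, s := range samples {
		v, err := classify(s)
		if err != nil {
			fmt.Println(s, "error:", err)
			continue
		}
		fmt.Printf("%-20s private=%-5t link-local=%-5t loopback=%t\n",
			s, v.Private, v.LinkLocal, v.Loopback)
	}
}
```

Only the fc... and fd... samples report private=true; fe80::1 is recognised by IsLinkLocalUnicast but not by IsPrivate, and fec0::1 is recognised by neither.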