Difference between revisions of "Non-Local IPv6 Router Advertisement"

From Exterior Memory
(Specify Global IPv6 Address for the Gateway)
(Disable link-local IPv6 addresses on the gateway)
 
(3 intermediate revisions by the same user not shown)
Line 30: Line 30:
 
For easier debugging, network administrators may prefer to see a global IPv6 address as the gateway in hosts, instead of a link-local IPv6 address. Technically, it is possible to accomplish this in two ways.
 
For easier debugging, network administrators may prefer to see a global IPv6 address as the gateway in hosts, instead of a link-local IPv6 address. Technically, it is possible to accomplish this in two ways.
  
 +
* Use the global scope IPv6 address in the router advertisement
 
* Disable link-local IPv6 addresses on the gateway. This is '''not recommended'''.
 
* Disable link-local IPv6 addresses on the gateway. This is '''not recommended'''.
* Use the global scope IPv6 address in the router advertisement
 
  
 
The recommended method is to use the ''radvd'' (thus not ''rtadvd'') router advertisement daemon, and set the parameter:
 
The recommended method is to use the ''radvd'' (thus not ''rtadvd'') router advertisement daemon, and set the parameter:
Line 37: Line 37:
  
 
Unfortunately, not all clients support this option.
 
Unfortunately, not all clients support this option.
 
===Disable link-local IPv6 addresses on the gateway===
 
 
An interface typically has one IPv4 address, but multiple IPv6 addresses. Consider the following example:
 
 
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 
    options=27<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
 
    ether 00:23:df:97:90:38
 
    inet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
 
    inet6 2001:db8:637:2a::3 prefixlen 64
 
    inet6 2001:db8:637:2a:223:dfff:fe97:9038 prefixlen 64 autoconf
 
    inet6 2001:db8:637:2a:acfe:e43b:2c35:d387 prefixlen 64 autoconf temporary
 
    inet6 fe80::223:dfff:fe97:9038%en0 prefixlen 64 scopeid 0x4
 
 
This host has four IPv6 addresses:
 
* A manually configured or DHCPv6 assigned address (<tt>2001:db8:637:2a::3</tt>)
 
* A SLAAC (Stateless Address Auto Configuration) address based on the router advertisement and the MAC address of the interface (this can be identified by the <tt>ff:fe</tt> part of the IPv6 address: <tt>2001:db8:637:2a:223:dfff:fe97:9038 </tt>). Note that SLAAC is enabled in the kernel by default. Unlike IPv4 DHCP which need to be specifically enabled, SLAAC is always configured if the server receives an router advertisement.
 
* An temporary address, automatically configured based on the router advertisement, but not based on the MAC address for enhanced privacy (<tt>2001:db8:637:2a:acfe:e43b:2c35:d387</tt>)
 
* A link-local address based on the MAC address and interface name (recognisable by the <tt>fe80</tt> prefix and the interface appendix after the <tt>%</tt> sign: <tt>fe80::223:dfff:fe97:9038%en0</tt>)
 
 
You can disable respectively SLAAC and link-local address with the following kernel parameters.
 
 
For Linux kernels:
 
sysctl net.ipv6.conf.all.accept_ra_defrtr=0
 
sysctl net.ipv6.conf.default.accept_ra_defrtr=0
 
sysctl net.ipv6.conf.all.autoconf=0
 
sysctl net.ipv6.conf.default.autoconf=0
 
 
For BSD kernels:
 
sysctl net.inet6.ip6.accept_rtadv=0
 
sysctl net.inet6.ip6.auto_linklocal=0
 
 
For my FreeBSD 9.0 host, setting <tt>auto_linklocal</tt> to <tt>0</tt> had no effect. In addition, the [http://www.freebsd.org/cgi/man.cgi?query=ifconfig&sektion=8 man page for ifconfig] explicitly states that removing the link-local IPv6 address may result in unexpected behaviour. Hence, I recommend to leave the link-local interfaces in place, and configure the router advertisement daemon, as described in the next section.
 
  
 
===Use global scope IPv6 address in the router advertisement===
 
===Use global scope IPv6 address in the router advertisement===
Line 208: Line 175:
 
|}
 
|}
  
As you can see, a router advertisement contains two options: one to specify the router MAC address and one to specify the IP prefix of the subnet.
+
As you can see, a router advertisement contains two ''options'': one to specify the router MAC address and one to specify the IP prefix of the subnet. The prefix is used for stateless automatic address configuration (SLAAC).
  
The original specification ([http://tools.ietf.org/html/rfc4861#section-4.6.2 RFC 4861]) of the Prefix Information only specified two flags:
+
This original specification did not contain the IP address of the router. The router address had to be derived from the source IP address in the IPv6 header. Since this is the link-local IPv6 address, the host will use the link-local IPv6 address of the router.
 +
 
 +
The original specification ([http://tools.ietf.org/html/rfc4861#section-4.6.2 RFC 4861]) of the Prefix Information specified two flags:
 
;L:on-link flag.
 
;L:on-link flag.
 
;A:autonomous address-configuration flag. Specifies that the prefix can be used for stateless auto-configuration.
 
;A:autonomous address-configuration flag. Specifies that the prefix can be used for stateless auto-configuration.
 
This original specification did not contain the IP address of the router. That had to be derived from the source IP address in the IPv6 header. This IP address is usually the link-local IPv6 address, since the IPv6 specifies that in these (link-local) communications, a local scope IP address should be used.
 
  
 
The specification was later changed (in [http://tools.ietf.org/html/rfc6275#section-7.2 RFC 6275]) to include a third flag:
 
The specification was later changed (in [http://tools.ietf.org/html/rfc6275#section-7.2 RFC 6275]) to include a third flag:
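Review bot: the added paragraph beginning "This original specification did not contain the IP address of the router" now sits before the sentence that first introduces "The original specification (RFC 4861)", so "This" has nothing to refer back to. Either leave the paragraph after the L and A flag definitions, where the removed version was, or open it with "The original specification (RFC 4861)" and shorten the sentence that follows.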
Line 220: Line 187:
 
;R:router address flag. Signals that the prefix IP contains the complete IP address assigned to the sending router.
 
;R:router address flag. Signals that the prefix IP contains the complete IP address assigned to the sending router.
  
If this is set, the host can use the global IP address of the router instead of the link-local IP address.
+
If this R-flag is set, the host uses the global IP address of the router instead of the link-local IP address. This global address is specified in the ''IP prefix'' field, which is changed not to contain the IP prefix, but the IP address of the router (since this is an address within the prefix range, the prefix can be derived by using this field and the prefix length field.)
  
 
The [http://www.litech.org/radvd/ radvd software], distributed with Linux, can set the R flag using the <tt>AdvRouterAddr on</tt>. Be sure to set the global IP address of the router in the <tt>prefix</tt> field:
 
The [http://www.litech.org/radvd/ radvd software], distributed with Linux, can set the R flag using the <tt>AdvRouterAddr on</tt>. Be sure to set the global IP address of the router in the <tt>prefix</tt> field:
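Review bot: changing "the host can use" to "the host uses" in the R-flag paragraph overstates client behaviour, because the page itself says further down that not all clients support this feature and that Mac OS X.7 still uses the link-local address. Suggest wording such as "a host that supports the R flag uses the global IP address". The new parenthetical also swallows the full stop ("field.)"), and "which is changed not to contain the IP prefix" would read better as "which then contains the router address instead of the bare prefix".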
Line 257: Line 224:
 
Even if the router IPv6 address is advertised, not all clients support this feature. For example, Mac OS X.7 still uses the link-local address.
 
Even if the router IPv6 address is advertised, not all clients support this feature. For example, Mac OS X.7 still uses the link-local address.
  
 +
===Disable link-local IPv6 addresses on the gateway===
 +
 +
An interface typically has one IPv4 address, but multiple IPv6 addresses. Consider the following example:
 +
 +
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 +
    options=27<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
 +
    ether 00:23:df:97:90:38
 +
    inet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
 +
    inet6 2001:db8:637:2a::3 prefixlen 64
 +
    inet6 2001:db8:637:2a:223:dfff:fe97:9038 prefixlen 64 autoconf
 +
    inet6 2001:db8:637:2a:acfe:e43b:2c35:d387 prefixlen 64 autoconf temporary
 +
    inet6 fe80::223:dfff:fe97:9038%en0 prefixlen 64 scopeid 0x4
 +
 +
This host has four IPv6 addresses:
 +
* A manually configured or DHCPv6 assigned address (<tt>2001:db8:637:2a::3</tt>)
 +
* A SLAAC (Stateless Address Auto Configuration) address based on the router advertisement and the MAC address of the interface (this can be identified by the <tt>ff:fe</tt> part of the IPv6 address: <tt>2001:db8:637:2a:223:dfff:fe97:9038 </tt>). Note that SLAAC is enabled in the kernel by default. Unlike IPv4 DHCP which need to be specifically enabled, SLAAC is always configured if the server receives an router advertisement.
 +
* An temporary address, automatically configured based on the router advertisement, but not based on the MAC address for enhanced privacy (<tt>2001:db8:637:2a:acfe:e43b:2c35:d387</tt>)
 +
* A link-local address based on the MAC address and interface name (recognisable by the <tt>fe80</tt> prefix and the interface appendix after the <tt>%</tt> sign: <tt>fe80::223:dfff:fe97:9038%en0</tt>)
 +
 +
You can disable respectively SLAAC and link-local address with the following kernel parameters.
 +
 +
For Linux kernels:
 +
sysctl net.ipv6.conf.all.accept_ra_defrtr=0
 +
sysctl net.ipv6.conf.default.accept_ra_defrtr=0
 +
sysctl net.ipv6.conf.all.autoconf=0
 +
sysctl net.ipv6.conf.default.autoconf=0
 +
 +
For BSD kernels:
 +
sysctl net.inet6.ip6.accept_rtadv=0
 +
sysctl net.inet6.ip6.auto_linklocal=0
 +
 +
For my FreeBSD 9.0 host, setting <tt>auto_linklocal</tt> to <tt>0</tt> had no effect. In addition, the [http://www.freebsd.org/cgi/man.cgi?query=ifconfig&sektion=8 man page for ifconfig] explicitly states that removing the link-local IPv6 address may result in unexpected behaviour. Hence, I recommend to leave the link-local interfaces in place, and configure the router advertisement daemon, as described in the previous section.
  
[[Category:Network Configuration]]
 
 
[[Category:IPv6]]
 
[[Category:IPv6]]
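Review bot: in the moved section, the sentence "You can disable respectively SLAAC and link-local address with the following kernel parameters" is followed by a Linux list that holds only accept_ra_defrtr and autoconf settings, so nothing in it addresses the link-local address; only the BSD list has auto_linklocal. Since the section is being touched anyway, say which parameter covers which of the two, and state explicitly that no Linux setting for the link-local address is given. The move also carries over the slips "an router advertisement", "An temporary address" and "which need to be", which could be fixed in the same edit.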

Latest revision as of 12:47, 8 November 2012

IPv6 uses router advertisements (part of the Neighbour Discovery protocol of ICMPv6) to announce the default gateway. Hosts send a router solicitation message, and routers respond with a router advertisement message. This is unlike IPv4 where gateways are typically specified as part of the DHCP messages. Another difference is that IPv6 router advertisements use multicast (IPv6 ff02::1 and MAC address 33:33:00:00:00:01 for router advertisements; IPv6 ff02::2 and MAC address 33:33:00:00:00:02 for router solicitations).

Link-local addresses

Another striking feature of IPv6 is that it uses link-local IP addresses for local communication. Since neighbour discovery is local in scope, this means that the router sends the router advertisement with a link-local IPv6 address as the source address.

RFC 4861 explicitly states:

"[The] Source Address must be the link-local address assigned to the interface from which this message is sent."

By default, a host stores the source IP address and source MAC address in the routing table. Hence, you will see IPv6 link local addresses in the IPv6 routing table:

% netstat -rn -f inet6
Destination        Gateway                         Flags       Netif
default            fe80::200:24ff:fece:69ef%en0    UGcI        eth0
::1                link#1                          UHL         lo0
....

This is unlike what most users expect. For example, if the host has IPv6 address 2001:0db8:637:2a:200:26ff:fea3:817d, most users would expect 2001:0db8:637:2a::1 as the gateway:

% netstat -rn -f inet6
Destination        Gateway                         Flags       Netif
default            2001:0db8:637:2a::1%eth0        UGcI        eth0
::1                link#1                          UHL         lo0
....

In reality, the IPv6 address of the gateway is irrelevant, as a packet on the wire would only contain the MAC destination address of the gateway. The IPv6 destination address contains the address of the final destination, not of the gateway.

Specify Global IPv6 Address for the Gateway

For easier debugging, network administrators may prefer to see a global IPv6 address as the gateway in hosts, instead of a link-local IPv6 address. Technically, it is possible to accomplish this in two ways.

  • Use the global scope IPv6 address in the router advertisement
  • Disable link-local IPv6 addresses on the gateway. This is not recommended.

The recommended method is to use the radvd (thus not rtadvd) router advertisement daemon, and set the parameter:

AdvRouterAddr on;

Unfortunately, not all clients support this option.

Use global scope IPv6 address in the router advertisement

Let's dive into the actual router advertisement message for a minute.

Byte offset at which each field starts (each row of the original diagram is 16 bits wide, bits 0 to F):

Section                              Offset  Fields
Ethernet header                      0       preamble
                                     8       destination MAC
                                     14      source MAC
                                     20      type
IP header                            22      version, traffic class, flow label
                                     26      payload length
                                     28      next header, hop limit
                                     30      source IP
                                     46      destination IP
ICMPv6 Router Advertisement header   62      Type (134 = RA), Code
                                     64      Checksum
                                     66      hop limit, flags
                                     68      router lifetime
                                     70      reachable time
                                     74      retrans timer
Link-layer option                    78      type (1 = link layer), length (1 = 8 bytes)
                                     80      source MAC
Prefix option                        86      type (3 = prefix), length (4 = 32 bytes)
                                     88      prefix length, L A R flags, reserved
                                     90      valid lifetime
                                     94      reserved
                                     98      prefix IP
Ethernet footer                      112     Checksum

As you can see, a router advertisement contains two options: one to specify the router MAC address and one to specify the IP prefix of the subnet. The prefix is used for stateless automatic address configuration (SLAAC).

The original specification did not contain the IP address of the router. The router address had to be derived from the source IP address in the IPv6 header. Since this is the link-local IPv6 address, the host will use the link-local IPv6 address of the router.

The original specification (RFC 4861) of the Prefix Information specified two flags:

L: on-link flag.
A: autonomous address-configuration flag. Specifies that the prefix can be used for stateless auto-configuration.

The specification was later changed (in RFC 6275) to include a third flag:

R: router address flag. Signals that the prefix IP contains the complete IP address assigned to the sending router.

If this R-flag is set, the host uses the global IP address of the router instead of the link-local IP address. This global address is specified in the IP prefix field, which then contains not the IP prefix but the IP address of the router. Since this is an address within the prefix range, the prefix can be derived from this field and the prefix length field.

The radvd software, distributed with Linux, can set the R flag using the AdvRouterAddr on option. Be sure to set the global IP address of the router in the prefix field:

% cat /etc/radvd.conf 
interface eth0
{
     AdvSendAdvert on;
     AdvManagedFlag off;
     AdvOtherConfigFlag off;
     prefix 2001:0db8:637:2a::1/64
     {
         AdvOnLink on;
         AdvAutonomous on;
         AdvRouterAddr on;
     };
};
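
To see what a host can learn from such an advertisement, the following added example (not part of the original page or of radvd) parses a router advertisement and decodes the L, A and R flags of the Prefix Information option. The sample packet is constructed, and the names parse_ra and sample_ra and the lifetime values are assumptions; the option layout follows RFC 4861 section 4.6.2, with the R bit from RFC 6275.

```python
import ipaddress
import struct

RA_TYPE, OPT_SLLA, OPT_PREFIX = 134, 1, 3      # ICMPv6 type and option types
FLAG_L, FLAG_A, FLAG_R = 0x80, 0x40, 0x20      # Prefix Information flag bits


def parse_ra(icmp6: bytes, src: str) -> dict:
    """Parse an RA starting at the ICMPv6 Type byte; src is the IPv6 source address."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a router advertisement")
    result = {"link_local": src, "router_mac": None, "prefixes": []}
    pos = 16                                   # fixed RA header is 16 bytes
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8   # length counts 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[pos:pos + opt_len]
        if opt_type == OPT_SLLA and opt_len == 8:
            result["router_mac"] = body[2:8].hex(":")
        elif opt_type == OPT_PREFIX and opt_len == 32:
            # RFC 4861 4.6.2: prefix length, flags, valid and preferred lifetime,
            # 4 reserved bytes, then the 16-byte prefix field
            plen, flags, valid, preferred = struct.unpack("!BBII", body[2:12])
            addr = ipaddress.IPv6Address(body[16:32])
            net = ipaddress.IPv6Network((addr, plen), strict=False)  # mask host bits
            result["prefixes"].append({
                "prefix": str(net), "valid": valid, "preferred": preferred,
                "L": bool(flags & FLAG_L), "A": bool(flags & FLAG_A),
                "R": bool(flags & FLAG_R),
                # With R set the field carries the router's full global address
                "router_global": str(addr) if flags & FLAG_R else None,
            })
        pos += opt_len
    return result


def sample_ra(r_flag: bool) -> bytes:
    """Constructed RA for the prefix in this page's radvd.conf (checksum left zero)."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    slla = bytes([OPT_SLLA, 1]) + bytes.fromhex("000024ce69ef")
    flags = FLAG_L | FLAG_A | (FLAG_R if r_flag else 0)
    field = "2001:db8:637:2a::1" if r_flag else "2001:db8:637:2a::"
    pio = struct.pack("!BBBBIII", OPT_PREFIX, 4, 64, flags, 86400, 14400, 0)
    return hdr + slla + pio + ipaddress.IPv6Address(field).packed


if __name__ == "__main__":
    for r in (False, True):
        print(parse_ra(sample_ra(r), "fe80::200:24ff:fece:69ef"))
```

Without the R flag, the only router address available is the link-local source address; with it, router_global holds the global address while the /64 prefix is still recovered by masking.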

The rtadvd software, distributed with BSD, is not able to set the R flag, even though it is able to set the prefix to the router IP.

The following two configuration settings do not work. rtadvd specifies the IP prefix flags in the pinfoflags field. Note that this field does not understand hexadecimal, though it does understand letter flags (L + A + R = 0x80 + 0x40 + 0x20 = 0xE0 = 224).

% cat /etc/rtadvd.conf 
eth0:\
    :addr="2001:0db8:637:2a::1":prefixlen#64:pinfoflags#224:

% cat /etc/rtadvd.conf 
eth0:\
    :addr="2001:0db8:637:2a::1":prefixlen#64:pinfoflags="lar":

(In both cases, the L and A flags are set, but the R flag is unset on FreeBSD 9.0.)

If you run FreeBSD and would like to see the global IPv6 address in router advertisements, I recommend installing the radvd package.

There is also rtadvd software written by HP, which is unrelated to the rtadvd software above (which was written in the KAME project). I have not tested the HP software.

Even if the router IPv6 address is advertised, not all clients support this feature. For example, Mac OS X.7 still uses the link-local address.

Disable link-local IPv6 addresses on the gateway

An interface typically has one IPv4 address, but multiple IPv6 addresses. Consider the following example:

en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=27<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
    ether 00:23:df:97:90:38
    inet 192.0.2.3 netmask 0xffffff00 broadcast 192.0.2.255
    inet6 2001:db8:637:2a::3 prefixlen 64
    inet6 2001:db8:637:2a:223:dfff:fe97:9038 prefixlen 64 autoconf
    inet6 2001:db8:637:2a:acfe:e43b:2c35:d387 prefixlen 64 autoconf temporary
    inet6 fe80::223:dfff:fe97:9038%en0 prefixlen 64 scopeid 0x4

This host has four IPv6 addresses:

  • A manually configured or DHCPv6 assigned address (2001:db8:637:2a::3)
  • A SLAAC (Stateless Address Auto Configuration) address based on the router advertisement and the MAC address of the interface (this can be identified by the ff:fe part of the IPv6 address: 2001:db8:637:2a:223:dfff:fe97:9038). Note that SLAAC is enabled in the kernel by default. Unlike IPv4 DHCP, which needs to be specifically enabled, SLAAC is always configured if the server receives a router advertisement.
  • A temporary address, automatically configured based on the router advertisement, but not based on the MAC address for enhanced privacy (2001:db8:637:2a:acfe:e43b:2c35:d387)
  • A link-local address based on the MAC address and interface name (recognisable by the fe80 prefix and the interface appendix after the % sign: fe80::223:dfff:fe97:9038%en0)

You can disable SLAAC and the link-local address, respectively, with the following kernel parameters.

For Linux kernels:

sysctl net.ipv6.conf.all.accept_ra_defrtr=0
sysctl net.ipv6.conf.default.accept_ra_defrtr=0
sysctl net.ipv6.conf.all.autoconf=0
sysctl net.ipv6.conf.default.autoconf=0

For BSD kernels:

sysctl net.inet6.ip6.accept_rtadv=0
sysctl net.inet6.ip6.auto_linklocal=0

For my FreeBSD 9.0 host, setting auto_linklocal to 0 had no effect. In addition, the man page for ifconfig explicitly states that removing the link-local IPv6 address may result in unexpected behaviour. Hence, I recommend leaving the link-local interfaces in place and configuring the router advertisement daemon, as described in the previous section.