[GLLUG] basic IPv6 questions

Andy Smith andy at bitfolk.com
Mon Oct 4 17:05:29 UTC 2021


Hi,

On Sun, Oct 03, 2021 at 09:12:46PM +0200, Carles Pina i Estany wrote:
> If the Raspberry pi + BT router used SLAAC is this more or less what
> happens?
> -Raspberry pi sends a broadcast using NDP probably type "Router
> Solicitation (Type 133)"
> (https://www.rfc-editor.org/rfc/rfc4861.html#section-4.1)
> -Router probably answers with a "Router Advertisement (Type 134)"
> (https://www.rfc-editor.org/rfc/rfc4861.html#section-4.2)
> 
> The Router Advertisement includes the IP of the router (in the "Source
> Address"?)

On your network where the raspberry pi is located, if you do a
tcpdump you should see the periodic router advertisements from the
BT router:

# tcpdump -vni eth0 'icmp6 and ip6[40] == 134'

(change "eth0" for whatever interface name is the one that's on the
same network as the BT router)

All RA packets are ICMP (v6) and the type byte is at position 40
which is 134 as you mentioned above.

Use more -v or a -X to see full packet contents.

> When I had to setup a Linux box in a LAN I sometimes use
> isc-dhcp-server. If I wanted to setup ipv6 devices with SLAAC: what
> would be the way to go?

I'm afraid I don't have any experience with DHCPv6 as I've been
satisfied with SLAAC and static config, but I believe:

- SLAAC is only going to give you default gateway and
  auto-configuration of client's own address (client decides whether
  based on MAC or not)

- DHCPv6 is still needed if you need to learn nameservers or a
  static IPv6 address or any of the other things you usually put in
  DHCP

- There are extensions to DHCPv6 to also learn routes/gateway so it
  is possible to ignore SLAAC

> For example, the last time that I had to do this I used isc-dhcp-server
> for very basic things like:
> -Setup the DNS of the clients
> -For some of the clients a static assigned IP (e.g. host with MAC
> address X is always the IP Y)
> -Setup the gateway of the clients (some clients didn't have a gateway,
> some had a gateway)
> 
> Is this something that could be done using SLAAC? Or should be done with
> a DHCPv6 server?

Routing is for SLAAC (or static), everything else DHCPv6. This
article may be out of date now (4 years old) but it covers using
isc-dhcpd for v6 on a rapsberry pi:

    https://blog.netpro.be/dhcpv6-configuration-isc-dhcp-server/

It seems to be saying that the binary supports EITHER v4 or v6 so yu
have to run two copies, copy the initscript etc. Possibly there's a
more elegant solution now.

If you are choosing IPv6 addresses then I think you need to either
do it by DHCPv6 or else statically configure it, as SLAAC can only
give you a stable but not customisable address. Addresses generated
by SLAAC are either:

- Stable but based on MAC

- Temporary, constantly changing

- Stable but based on local secret so not predictable

If you wanted to do something cute like say "the interface with mac
b8:27:eb:b0:9d:76 should also have IPv6 address
2a00:23c6:2c01:b801::443/64 because I will use it for a web server"
then I think you're going to either have to use DHCPv6 for that or
else configure it locally on that machine.

> To confirm:
> 
> Link local address: a private address like 192.168.0.0/24 (starting with
> fe80:: in ipv6). Valid only in the network segment, not routeable

Not quite, but you're close. There's a difference between link-local
addresses and private addresses.

In IPv4, 192.168.0.0/16 is one of the ranges reserved by RFC1918 for
private use. They are actually routable and can be used as private
intranet between multiple organisations in any way they like. Some
large organisations have multi-continent backbone all on private
IPv4 addresses.

IPv6 also has the concept of private-but-routable addresses, and
fc00::/7 is reserved for this:

    https://en.wikipedia.org/wiki/Unique_local_address

It doesn't see much use because IPv6 is so plentiful that you may as
well use part of your globally routable assignment for this purpose.

So in IPv6 fc00::/7 would be the equivalent of the RFC1918 IPv4
reservations like 192.168/16, 172.16/12 or 10/8.

fe80::/10 by contrast is a *link-local* address. It is not routable,
so packets can only go to other devices on the same network segment.

IPv4 also has link-local addresses; they were defined in RFC6890 and
have the range 169.254/16. Some platforms do assign an IPv4
link-local address in the event that there is no DHCP and no static
configuration. It isn't seen very often. They similarly are meant to
be locally unique and not routable.

> > Your IID on your pi clearly isn't that, but it also doesn't have the
> > ff:fe or the flipped 7th bit, so it's not EUI-64. Looking at "ip -6
> > a" (short hand for "ip address show") might tell you some more info;
> > it will at least say whether the address is temporary or not.
> 
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether b8:27:eb:b0:9d:76 brd ff:ff:ff:ff:ff:ff
>     inet6 2a00:23c6:2c01:b801:2817:ffe3:d3aa:5d8c/64 scope global dynamic mngtmpaddr noprefixroute 
>        valid_lft 287sec preferred_lft 107sec
>     inet6 fe80::56d8:5a6c:fc11:16f1/64 scope link 
>        valid_lft forever preferred_lft forever
> 
> does "dynamic" imply "temporary"?

No, I believe it means learned by SLAAC or DHCP.

> > Sometimes only the global scope addresses use the private
> > identifiers but some implementations derive the link scope address
> > this way too, as it is possible for your link address to be
> > published outside, e.g. in email headers. I think this is what is
> > happening here but perhaps you can confirm by inspecting your local
> > configuration.
> 
> Does the "ip a" that I showed answer the question? (else I'll dig more)

Not from what I can see. The "mngtmpaddr" might be a hint that
stable privacy addresses are in use but it looks like you'll have to
look into how your network is being configured to tell for certain.

This article:

    https://newbedev.com/how-to-avoid-exposing-my-mac-address-when-using-ipv6

says that if you're using network-manager then the feature is active
by default and it might be visible in "nmcli con show" as you set it
e.g with:

    # nmcli con modify "<profilename>" ipv6.addr-gen-mode stable-privacy

And kernel SLAAC might be doing it if

$ sysctl net.ipv6.conf.<ifname>.addr_gen_mode

says "2" or if

$ ip -d link

says "addrgenmode stable_secret"

> > > pi at raspberrypi:~ $ traceroute -n -6 google.com
> > > traceroute to google.com (2a00:1450:4009:817::200e), 30 hops max, 80 byte packets
> > >  1  2a00:23c6:2c01:b801:ee6c:9aff:fea3:a231  5.056 ms  4.732 ms  4.549 ms
> > > 
> > > I'm not quite matching the first hop with the routing table. Why not?
> > 
> > This is down to how traceroute works. Traceroute relies on receiving
> > an ICMP packet from each hop. It only knows the name of the hop based
> > on the source address of the ICMP packet. Even though you talk to
> > fe80::ee6c:9aff:fea3:a231 as your default gateway, it generates an
> > ICMP packet with its global address in it
> > (2a00:23c6:2c01:b801:ee6c:9aff:fea3:a231) because the packet that
> > caused this ICMP to be generated had source address
> > 2a00:23c6:2c01:b801:2817:ffe3:d3aa:5d8c.
> 
> So, if I had a different ipv6 device in this network (when I'm there in
> 10 days I will test it): the traceroute first hop will be different
> depending on the device that I initiate the ipv6?

No, I mean that even though your default gateway is
fe80::ee6c:9aff:fea3:a231, your gateway also has an IP
on that same interface of 2a00:23c6:2c01:b801:ee6c:9aff:fea3:a231 so
when your gateway itself wants to generate a packet destined for
2a00:23c6:2c01:b801:2817:ffe3:d3aa:5d8c it will choose to do so from
its IP 2a00:23c6:2c01:b801:ee6c:9aff:fea3:a231 not from its IP
fe80::ee6c:9aff:fea3:a231. It will always choose to source packets
from 2a00:23c6:2c01:b801:ee6c:9aff:fea3:a231 for any destination
in 2a00:23c6:2c01:b801::/64

You can force it not to, as in theory every device that is in
2a00:23c6:2c01:b801::/64 is also in the same link reachable from
your gateway's fe80::ee6c:9aff:fea3:a231.

> BTW, in the Raspberry pi:
> pi at raspberrypi:~ $ ip a
> [...]
> inet6 2a00:23c6:2c01:b801:2817:ffe3:d3aa:5d8c/64 scope global dynamic mngtmpaddr noprefixroute
> [...]
> 
> Do I have all this IPs:
> $ sipcalc 2a00:23c6:2c01:b801:2817:ffe3:d3aa:5d8c/64
> 
> Network range		- 2a00:23c6:2c01:b801:0000:0000:0000:0000 -
> 			  2a00:23c6:2c01:b801:ffff:ffff:ffff:ffff
> 
> So I can just assign more IPs if I want to the eth0 and ping to other
> IPs from other devices in the network? (and outside the network if the
> firewall allowed it?)

Yes.

You might have bigger than a /64. A /48 is usual for an end user but
most ISPs are shying away from this for consumers and are giving /56
or even /64. In IPv6 you are meant to use /64 for each network, and
many people have more than one network at home. You'll probably have
to look in the router's config to see what it's doing here.

All you know from outside is that it's advertising that
directly-connected devices should choose from the
18,446,744,073,709,551,616 addresses┬╣ in 2a00:23c6:2c01:b801::/64.

A /56 would be 256 of those, and a /48 would be 65,536 of those.

Cheers,
Andy

┬╣ Not quite this many as a small subset in each network is reserved
  for multicast etc.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting



More information about the GLLUG mailing list