Re: [gentoo-user] IPv6 troubles - gentoo-user - Gentoo Mailing List Archives

From:	Etaoin Shrdlu <shrdlu@×××××××××××××.org>
To:	gentoo-user@l.g.o
Subject:	Re: [gentoo-user] IPv6 troubles
Date:	Thu, 19 Jul 2007 16:10:22
Message-Id:	`200707191809.47936.shrdlu@unlimitedmail.org`
In Reply to:	Re: [gentoo-user] IPv6 troubles by Mike Williams

1

On Thursday 19 July 2007 17:02, Mike Williams wrote:

2

3

> I hadn't configured the "subnet router anycast address", but I can

4

> still ping it. Again makes no difference if it's specified or not.

5

6

Ok, then probably the linux implementation recognizes it anyway. But it 

7

seems this is not the issue here.

8

9

> interface bond2

10

> {

11

>         AdvSendAdvert on;

12

>         prefix dead:beef:2:136::/64

13

>         {

14

>                 AdvOnLink on;

15

>                 AdvAutonomous on;

16

>         };

17

> };

18

19

Looks OK.

20

21

> As above, no difference. I've even tried using the link-local address

22

> of the upstream router for the default route out of the firewall.

23

24

> # ip -6 route show

25

> dead:beef:2::/64 dev bond0  metric 1  expires 21253232sec mtu 1500

26

> advmss 1440 hoplimit 4294967295

27

28

> dead:beef:2::/64 dev bond0  metric 256 expires 21254724sec mtu 1500

29

> advmss 1440 hoplimit 4294967295

30

31

> dead:beef:2:131::/64 dev bond1  metric 256  expires 21256488sec mtu

32

> 1500 advmss 1440 hoplimit 4294967295

33

34

> dead:beef:2:136::/64 dev bond2  metric 256  expires 21252676sec mtu

35

> 1500 advmss 1440 hoplimit 4294967295

36

37

> dead:beef:2:137::/64 dev bond4  metric 256  expires 21255086sec mtu

38

> 1500 advmss 1440 hoplimit 4294967295

39

40

> default via fe80::214:f600:b67e:b4db dev bond0 metric 1  expires

41

> 21334235sec mtu 1500 advmss 1440 hoplimit 4294967295

42

43

Ok, so fe80::214:f600:b67e:b4db *is* your provider's router interface.

44

45

You should also have, for each interface, a route to fe80::/64 and one to 

46

ff00::/8, eg something like

47

48

fe80::/64 dev bond1 ...

49

ff00::/8 dev bond1 ...

50

51

for each interface.

52

53

And at each internal host you should have a route to 

54

dead:beef:2:xxx::/64, one to fe80::/64, one to ff00::/8, and a default 

55

route pointing to the link-local address of the router interface on that 

56

link.

57

58

> firewall # ip -6 neigh

59

> fe80::214:f600:b67e:b4db dev bond0 lladdr 00:14:f6:7e:b4:db router

60

> STALE

61

> dead:beef:2:136:204:23ff:fed7:e86a dev bond2 lladdr 00:04:23:d7:e8:6a

62

> REACHABLE

63

> fe80::204:23ff:fed7:e86a dev bond2 lladdr 00:04:23:d7:e8:6a STALE

64

>

65

> host # ip -6 neigh

66

> dead:beef:2:136::11 dev bond0 lladdr 00:04:23:d7:f3:32 router

67

> REACHABLE

68

> fe80::204:23ff:fed7:f332 dev bond0 lladdr 00:04:23:d7:f3:32

69

> router REACHABLE

70

71

I assume you took this immediately after pinging the global firewall 

72

address (manually assigned, I supposed), otherwise the entry 

73

dead:beef:2:136::11 would have no reason to be there.

74

75

Everything seems ok so far.

76

The thing left to understand is why your provider's router, when it 

77

receives a packet coming from an internal host of yours, tries to do a 

78

neighbor discovery (similar to ARP) on that address.

79

80

I'd make sure that everything is configured correctly at the far side of 

81

the link. If you don't do dynamic routing with them (and if you are 

82

single-homed you probably don't), they should have a static route 

83

pointing to dead:beef:2::/48 via your firewall's bond0 link-local 

84

address. 

85

86

Their end of the link should definitely have a /64 (or longer) address, 

87

as should your end; the behaviour we are seeing /could/ mean that they 

88

have configured their end with a /48 address from the same pool, thus 

89

erroneously thinking that all the addresses belonging to your /48 block 

90

(ie, everything starting with dead:beef:2) belong to the link between 

91

you and them.

92

93

If neither of you needs said link to be pingable or otherwise reachable, 

94

you can also (like I do) avoid assigning global addresses to the link 

95

altogether and only use link-local addresses, thereby saving global 

96

addresses (not a concern with ipv6, but anyway...).

97

--

98

gentoo-user@g.o mailing list

1	On Thursday 19 July 2007 17:02, Mike Williams wrote:
2
3	> I hadn't configured the "subnet router anycast address", but I can
4	> still ping it. Again makes no difference if it's specified or not.
5
6	Ok, then probably the linux implementation recognizes it anyway. But it
7	seems this is not the issue here.
8
9	> interface bond2
10	> {
11	> AdvSendAdvert on;
12	> prefix dead:beef:2:136::/64
13	> {
14	> AdvOnLink on;
15	> AdvAutonomous on;
16	> };
17	> };
18
19	Looks OK.
20
21	> As above, no difference. I've even tried using the link-local address
22	> of the upstream router for the default route out of the firewall.
23
24	> # ip -6 route show
25	> dead:beef:2::/64 dev bond0 metric 1 expires 21253232sec mtu 1500
26	> advmss 1440 hoplimit 4294967295
27
28	> dead:beef:2::/64 dev bond0 metric 256 expires 21254724sec mtu 1500
29	> advmss 1440 hoplimit 4294967295
30
31	> dead:beef:2:131::/64 dev bond1 metric 256 expires 21256488sec mtu
32	> 1500 advmss 1440 hoplimit 4294967295
33
34	> dead:beef:2:136::/64 dev bond2 metric 256 expires 21252676sec mtu
35	> 1500 advmss 1440 hoplimit 4294967295
36
37	> dead:beef:2:137::/64 dev bond4 metric 256 expires 21255086sec mtu
38	> 1500 advmss 1440 hoplimit 4294967295
39
40	> default via fe80::214:f600:b67e:b4db dev bond0 metric 1 expires
41	> 21334235sec mtu 1500 advmss 1440 hoplimit 4294967295
42
43	Ok, so fe80::214:f600:b67e:b4db is your provider's router interface.
44
45	You should also have, for each interface, a route to fe80::/64 and one to
46	ff00::/8, eg something like
47
48	fe80::/64 dev bond1 ...
49	ff00::/8 dev bond1 ...
50
51	for each interface.
52
53	And at each internal host you should have a route to
54	dead:beef:2:xxx::/64, one to fe80::/64, one to ff00::/8, and a default
55	route pointing to the link-local address of the router interface on that
56	link.
57
58	> firewall # ip -6 neigh
59	> fe80::214:f600:b67e:b4db dev bond0 lladdr 00:14:f6:7e:b4:db router
60	> STALE
61	> dead:beef:2:136:204:23ff:fed7:e86a dev bond2 lladdr 00:04:23:d7:e8:6a
62	> REACHABLE
63	> fe80::204:23ff:fed7:e86a dev bond2 lladdr 00:04:23:d7:e8:6a STALE
64	>
65	> host # ip -6 neigh
66	> dead:beef:2:136::11 dev bond0 lladdr 00:04:23:d7:f3:32 router
67	> REACHABLE
68	> fe80::204:23ff:fed7:f332 dev bond0 lladdr 00:04:23:d7:f3:32
69	> router REACHABLE
70
71	I assume you took this immediately after pinging the global firewall
72	address (manually assigned, I supposed), otherwise the entry
73	dead:beef:2:136::11 would have no reason to be there.
74
75	Everything seems ok so far.
76	The thing left to understand is why your provider's router, when it
77	receives a packet coming from an internal host of yours, tries to do a
78	neighbor discovery (similar to ARP) on that address.
79
80	I'd make sure that everything is configured correctly at the far side of
81	the link. If you don't do dynamic routing with them (and if you are
82	single-homed you probably don't), they should have a static route
83	pointing to dead:beef:2::/48 via your firewall's bond0 link-local
84	address.
85
86	Their end of the link should definitely have a /64 (or longer) address,
87	as should your end; the behaviour we are seeing /could/ mean that they
88	have configured their end with a /48 address from the same pool, thus
89	erroneously thinking that all the addresses belonging to your /48 block
90	(ie, everything starting with dead:beef:2) belong to the link between
91	you and them.
92
93	If neither of you needs said link to be pingable or otherwise reachable,
94	you can also (like I do) avoid assigning global addresses to the link
95	altogether and only use link-local addresses, thereby saving global
96	addresses (not a concern with ipv6, but anyway...).
97	--
98	gentoo-user@g.o mailing list

Gentoo Archives: gentoo-user