IPv6 PPP Link fails forwarding Router Advertisements into local LAN


A Debian server having eth0, eth1, eth2, ppp0 devices:

    2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether xx:yy:zz:yy:xx:yy brd ff:ff:ff:ff:ff:ff
    3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether xx:yy:zz:yy:xx:yy brd ff:ff:ff:ff:ff:ff
    4: eth2: mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
        link/ether xx:yy:zz:yy:xx:yy brd ff:ff:ff:ff:ff:ff
    63: ppp0: mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
        link/ppp



Forwarding is enabled everywhere:

    /proc/sys/net/ipv6/conf
    ~
    all/forwarding=1
    default/forwarding=1
    eth0/forwarding=1
    eth1/forwarding=1
    eth2/forwarding=1
    ppp0/forwarding=1


and autoconf is activated too:

    /proc/sys/net/ipv6/conf
    ~
    all/autoconf=1
    default/autoconf=1
    eth0/autoconf=0
    eth1/autoconf=1
    eth2/autoconf=1
    ppp0/autoconf=1


Further, RA (= Router Advertisement) is accepted on any device, but setting accept_ra=2 for at least ppp0 and eth1:

    /proc/sys/net/ipv6/conf
    ~
    all/accept_ra=1
    default/accept_ra=1
    eth0/accept_ra=1
    eth1/accept_ra=2
    eth2/accept_ra=0
    lo/accept_ra=1
    ppp0/accept_ra=2


PPP connection is established successfully, having ipv6 ::dead:beef option set in /etc/ppp/peer/myProvider config file:

    63: ppp0: mtu 1492 qlen 3
        inet6 2003:42:e67f:d3ca:6105:155:f2b3:71f0/64 scope global temporary dynamic
           valid_lft 14266sec preferred_lft 1666sec
        inet6 2003:42:e67f:d3ca::dead:beef/64 scope global dynamic
           valid_lft 14266sec preferred_lft 1666sec
        inet6 fe80::dead:beef/10 scope link
           valid_lft forever preferred_lft forever


and a default route to a link-local address of the provider is set:

    2003:42:e67f:d3ca::/64 dev ppp0 proto kernel metric 256 expires 13559sec
    fe80::/64 dev ppp0 proto kernel metric 256
    fe80::/10 dev ppp0 metric 1
    fe80::/10 dev eth1 proto kernel metric 256
    fe80::/10 dev ppp0 proto kernel metric 256
    fe80::/10 dev eth0 metric 1024
    default via fe80::90:1a10:1b2:b780 dev ppp0 proto kernel metric 1024 expires 1789sec


The public 2003:42:e67f:d3ca::/64 prefix has a route to the ppp0 device.

radvd installed and running, radvdump shows the ppp0 IPv6 link sending RAs

    interface ppp0
    {
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 0;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvLinkMTU 1492;

        prefix 2003:42:e67f:d3ca::/64
        {
            AdvValidLifetime 14400;
            AdvPreferredLifetime 1800;
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr off;
        }; # End of prefix definition

    }; # End of interface definition


From the server host I can ping6 a host from the internet successfully.
Now when I try forcing a RA by soliciting a router for ppp0 I get:

    Soliciting ff02::2 (ff02::2) on ppp0...
    Hop limit : undefined ( 0x00)
    Stateful address conf. : No
    Stateful other conf. : Yes
    Router preference : medium
    Router lifetime : 1800 (0x00000708) seconds
    Reachable time : unspecified (0x00000000)
    Retransmit time : unspecified (0x00000000)
    MTU : 1492 bytes (valid)
    Prefix : 2003:42:e67f:d3ca::/64
    Valid time : 14400 (0x00003840) seconds
    Pref. time : 1800 (0x00000708) seconds


What I would expect is that all nodes on eth1 get SLAAC configured, but when I try soliciting on eth1 I get:

    Soliciting ff02::2 (ff02::2) on eth1...
    Timed out.
    Timed out.
    Timed out.
    No response.



  • I don't want to use DHCPv6 but SLAAC via radvd

  • I'd like to avoid bash kung fu cutting the actual prefix from the provider (eg: from rdisc6 output) to tweak the radvd.conf file on my own (eg: in an if-up event)

  • Bridging devices isn't a solution. PPP device is virtual and can't be bridged.




Somehow forwarding RA packets from ppp0 to eth1 (and to any other device) doesn't seem to work at all. Why?
As far as I understand, any router with a DSL modem has to forward in some way RAs from its internal modem device to the physical LAN ports attached, otherwise any host connected there wouldn't get an IPv6 address, right?
Now where is the difference between a router and my Debian box?
I would be grateful for any hint you may have.



Answer




Router advertisements are not supposed to be forwarded. So when you find that they are not being forwarded, then at least that part is working as intended.

You are supposed to be running your own router advertisement daemon in your router, such that it advertises itself to the LANs.

You should have three separate /64 prefixes for your three LANs. So you need a routed /62 or shorter from your ISP. This is no problem because your ISP is supposed to give you a shorter prefix for this purpose (how short depends on who you ask, originally it was /48 but some would only hand out a /56).

If there is a DHCPv6 server available over the ppp link, then you can send a DHCPv6 request asking for a prefix to be delegated to you. Otherwise you may have to actually talk to a person.
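
The layout the answer describes (one /64 per LAN, carved from a delegated prefix and advertised by a local radvd), as an added example that is not part of the original post. The delegated prefix 2001:db8:0:ab00::/56 is a constructed documentation value, and the function names are hypothetical.

```python
import ipaddress


def plan_lan_prefixes(delegated, lan_ifaces):
    """Give each LAN interface its own /64 out of the delegated prefix."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net}: SLAAC needs a /64 per LAN")
    available = 2 ** (64 - net.prefixlen)
    if available < len(lan_ifaces):
        # e.g. a single /64 or a /63 cannot serve three LANs
        raise ValueError(
            f"{net} holds {available} /64 prefix(es), "
            f"{len(lan_ifaces)} LANs need a shorter delegation"
        )
    subnets = net.subnets(new_prefix=64)
    return {iface: next(subnets) for iface in lan_ifaces}


def render_radvd(plan):
    """Render one radvd.conf interface stanza per LAN."""
    stanzas = []
    for iface, prefix in plan.items():
        stanzas.append(
            f"interface {iface}\n"
            "{\n"
            "    AdvSendAdvert on;\n"
            f"    prefix {prefix}\n"
            "    {\n"
            "        AdvOnLink on;\n"
            "        AdvAutonomous on;\n"
            "    };\n"
            "};\n"
        )
    return "\n".join(stanzas)


if __name__ == "__main__":
    # Constructed sample: documentation prefix standing in for the ISP's delegation.
    plan = plan_lan_prefixes("2001:db8:0:ab00::/56", ["eth0", "eth1", "eth2"])
    print(render_radvd(plan))
```

Each LAN interface on the router also needs an address from its /64 so the kernel has an on-link route for that prefix.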

