FS#289 - 6in4: Routed /48 prefix mistakenly applied as /64

[aparcar]

ralfbergs:

I use LEDE Reboot (HEAD, r1953) with package "6in4" to make use of a tunnelbroker.net ipv6 tunnel.

My delegated prefix I receive from tunnelbroker.net is a /48, namely 2001:470:1234::/48

Still the prefix that is actually delegated to the LAN is the same net, but with a /64 mask: 2001:470:1234::1/64.

[aparcar]

jow-:

This is by design. Use "option ip6assign 48" on the LAN interface to redistribute the full /48.

[aparcar]

ralfbergs:

Wow, that was fast... :-)

Indeed I missed this option. But even if I set it via LuCI, the mask still shows up as /64 in "ifconfig -a" output.

Is this intended?

[aparcar]

jow-:

Yes it is. The interface will use a /64 for itself but make the entire /48 available for downstream DHCPv6-PD.

You can use ifstatus lan to see the reserved IPv6 pool for PD.

[aparcar]

ralfbergs:

Yup, correct.

Thanks very much for taking the time to explain!

[aparcar]

jow-:

You're welcome.

[aparcar]

ralfbergs:

Wait a minute... Just noticed by chance that my Mac also says it's /64... (latest Sierra beta build 10.12.2 Beta (16C48b))

inet6 2001:470:1234::1c8f:673b:ec6a:4a93 prefixlen 64 autoconf secured
inet6 2001:470:1234::293d:63a2:a18a:3f8e prefixlen 64 autoconf temporary

What gives?!

[aparcar]

jow-:

Stateless autoconfiguration always uses /64 prefixes. To obtain something > 64 you must use a DHCPv6 client.

[aparcar]

ralfbergs:

Cool. Another thing learnt... :-)

Thanks again!

[aparcar]

jow-:

OS X might prefer SLAAC if the router offers both SLAAC and DHCPv6 so you can try to force DHCPv6 only in LuCI: {{https://ibin.co/32PhfMoBSZXI.png}}

There is conflicting information on the internet whether OS X supports DHCPv6 at all so ymmv.

Even if the OS is using DHCPv6 it will most likely only request a /128 (a single IP) out of the /48 pool of the router. This is normal since ordinary clients usually do not explicitely request a prefix via DHCPv6 but only a single IP for themselves, similar to how IPv4 DHCP works.

You can try hook up a Linux VM or virtual LEDE to your LAN, then make its WAN6 interface forcibly request a prefix: {{https://ibin.co/32PjA5zXEBNk.png}}

This should confirm whether the prefix delegation works properly.

So to summarize; having a /48 available for redelegation (downstream routing) does not mean that involved interfaces will use a /48 netmask. The IPv6 stateless autoconfig (as performed via router discovery / router advertisements) will always use a /64 out of the available /48 and simple (non-router) DHCPv6 clients will only request a /128 out of the available upstream pool.

Think of the /48 as a kind of "subnet pool" where DHCPv6-PD clients can lease parts from; one /48 could for example offer 16 x /52 to 16 different downstream routers which in turn could re-delegate their /52 in the form of 16 different /56 to the next tier of downstream routers and so on until the subnet slice size falls below /64 which would make SLAAC impossible.

The only clients that can make use of (parts of) the /48 are DHCPv6 clients with prefix delegation support which are configured to actually request a subnet for downstream use. I am not aware of such a client for OS X but you can find them for Linux and BSD, e.g. Dibbler or ISC DHCP6.

[aparcar]

ralfbergs:

Wow, nice lecture... :-)

Thanks a lot... I should open more tickets here, very instructive... ;-)

Seriously now, I changed my LEDE router to "stateful only", which to my understanding means it only hands out IPv6 addresses via DHCPv6 as you described above. Still my Mac immediately got an IPv6 address (/64!) after I pulled out and reconnected my Ethernet cable.

Anyway, I do have Linux machines in my LAN, so I could do some further testing. I tried to find out how to "forcibly request a prefix ['of given length', I suppose?!]", but I couldn't.

Can you please share an example how to do it in Linux? (I use Debian and Ubuntu...)

Thanks!

[aparcar]

NeoRaider:

You getting a /64 on your Mac is correct, larger prefixes are generally not used directly, but only for redelegation, so you can provide multiple subnets with their own /64. You should never see an address with a larger prefix directly set on an interface (well, you can set it manually, but this is probably not what you want).

In any case, please ask further questions in our shiny new forum: https://forum.lede-project.org/