Wrong prefix length is advertised

Juergen Bachsteffel
Hello!

I am running ISC dhcpd Version 4.2.6-7.3 on SLES 12.


I have a very simple IPv6-Config. All other values
are default. I have changed nothing.


....

subnet6 fda0:65da:e55a:1::/64 {
        range6 fda0:65da:e55a:1::0010 fda0:65da:e55a:1::0100;
}


My problem is: the clients (Windows 7 and Linux) get an IPv6-Address, but
when I ping between them, nothing happens.

Reason:

If I type 'ip -6 addr' on Linux, I can see that the prefix length is
/128. Same effect on Windows.

e.g. fda0:65da:e55a:1::20/128



Has anyone seen such an effect? Maybe I am doing something wrong.



By the way. If I advertise the same prefix with 'radvd' everything works
as expected. :-)

Any hint may help!


Thank you.


Greetings,
   Juergen
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Wrong prefix length is advertised

Simon Hobson
Juergen Bachsteffel <[hidden email]> wrote:

> subnet6 fda0:65da:e55a:1::/64 {
> range6 fda0:65da:e55a:1::0010 fda0:65da:e55a:1::0100;
> }
>
>
> My problem is: the clients (Windows 7 and Linux) get an IPv6-Address, but
> when I ping between them, nothing happens.
>
> Reason:
>
> If I type 'ip -6 addr' on Linux, I can see that the prefix length is
> /128. Same effect on Windows.
>
> e.g. fda0:65da:e55a:1::20/128

What do "ip -f inet6 route" and "ip -f inet6 neigh" show ?

At the risk of starting off the whole "discussion" again, IPv6 needs some of the "old rules" to be un-learned - especially in terms of what constitutes a neighbour ! You might want to sit down with a fresh cup of tea while you try and get your head round it - it took me a while and after having been in the "that's nuts" camp, it suddenly turned into one of those "ah, that makes sense" moments.

In IPv4, who is a "neighbour" is intimately linked with subnets and subnet masks (prefix lengths). So if your address is 192.168.1.57/24 and my address is 192.168.1.123/24, then we are neighbours (assuming we are on the same physical network of course).
Of course, you may also have the address 192.168.1.69/24 - so now we have duplicate information stored.
And we are used to every IP address having an associated subnet mask.

I don't know if you've ever worked with a multi-subnet network (where, usually because one got filled up, there are two IP subnets sharing one "bit of wire"), but if you have then you'll know that for hosts in the two subnets to communicate then they either have to be told explicitly about the "other" subnet(s), or they have to communicate via a router.


With IPv6 things are different. IP addresses are distinctly separated from routing and the concept of who is a neighbour. An IP address does not have a prefix length, it is just an address. But, because of the way the network code (at least in the Linux world) has been built with this intimate linking of IP address and subnet mask - the IPv6 code "needs" a prefix length to be specified so that the value can be filled in in the internal data structures. In principle, whatever value is supplied, /128 should be used internally.

You're probably, like I was, thinking this is nuts - so how does a host determine what else is on the network ?
This is where routing advertisements come into play. A router will advertise to nodes a number of key pieces of information. There are some flags (such as whether nodes should auto-configure or look to something else such as a DHCP server for addressing), but one key thing is a list of prefixes used on the local network that should be considered local.

So, taking your example address above, the host has obtained the address fda0:65da:e55a:1::20 (ignore the /128, that's just there because of this historical baggage in the code). That tells it nothing about what hosts it can talk to.
The router should have sent out an advertisement stating that the prefix fda0:65da:e55a:1::/64 is in use AND that hosts can use neighbour discovery to find others in this subnet. It should be immediately obvious at this point that the router could advertise more than one prefix, and then hosts could automatically find and talk directly to neighbours in the other prefix(es).

Why this emphasis on whether neighbour discovery can be used by the host ?
For those brought up with broadcast networks like ethernet then it's probably a good question. There are some network types which from an addressing POV look the same, but don't support "broadcast" between different clients - AIUI many radio systems are like this. So if the host fda0:65da:e55a:1::20 wants to talk to fda0:65da:e55a:1::21 it cannot do so directly. So even though fda0:65da:e55a:1::20 and fda0:65da:e55a:1::21 are in the same prefix, they cannot directly talk to each other - instead they must send the packets up to the router.

So while in the IPv4 world we (without configuration fudges) have only two combinations of same|different subnet and neighbours|not-neighbours. In the IPv6 world we have all 4 combinations possible - as well as the two obvious combinations we can have hosts that are in the same prefix but are not neighbours, and hosts that are in different prefixes which are neighbours.

Hope that helps a bit !

Re: Wrong prefix length is advertised

Sten Carlsen
Just to point out that while in IP4 the DHCP gives all info needed, in IP6 both DHCP and RADV are needed to have the full picture.

It is between the lines in Simon's description below, but is one point that took me some time to realise.


On 24/03/2016 14:50, Simon Hobson wrote:
> Juergen Bachsteffel <[hidden email]> wrote:
>
> > subnet6 fda0:65da:e55a:1::/64 {
> >         range6 fda0:65da:e55a:1::0010 fda0:65da:e55a:1::0100;
> > }
> >
> >
> > My problem is: the clients (Windows 7 and Linux) get an IPv6-Address, but
> > when I ping between them, nothing happens.
> >
> > Reason:
> >
> > If I type 'ip -6 addr' on Linux, I can see that the prefix length is
> > /128. Same effect on Windows.
> >
> > e.g. fda0:65da:e55a:1::20/128
>
> What do "ip -f inet6 route" and "ip -f inet6 neigh" show ?
>
> At the risk of starting off the whole "discussion" again, IPv6 needs some of the "old rules" to be un-learned - especially in terms of what constitutes a neighbour ! You might want to sit down with a fresh cup of tea while you try and get your head round it - it took me a while and after having been in the "that's nuts" camp, it suddenly turned into one of those "ah, that makes sense" moments.
>
> In IPv4, who is a "neighbour" is intimately linked with subnets and subnet masks (prefix lengths). So if your address is 192.168.1.57/24 and my address is 192.168.1.123/24, then we are neighbours (assuming we are on the same physical network of course).
> Of course, you may also have the address 192.168.1.69/24 - so now we have duplicate information stored.
> And we are used to every IP address having an associated subnet mask.
>
> I don't know if you've ever worked with a multi-subnet network (where, usually because one got filled up, there are two IP subnets sharing one "bit of wire"), but if you have then you'll know that for hosts in the two subnets to communicate then they either have to be told explicitly about the "other" subnet(s), or they have to communicate via a router.
>
>
> With IPv6 things are different. IP addresses are distinctly separated from routing and the concept of who is a neighbour. An IP address does not have a prefix length, it is just an address. But, because of the way the network code (at least in the Linux world) has been built with this intimate linking of IP address and subnet mask - the IPv6 code "needs" a prefix length to be specified so that the value can be filled in in the internal data structures. In principle, whatever value is supplied, /128 should be used internally.
>
> You're probably, like I was, thinking this is nuts - so how does a host determine what else is on the network ?
> This is where routing advertisements come into play. A router will advertise to nodes a number of key pieces of information. There are some flags (such as whether nodes should auto-configure or look to something else such as a DHCP server for addressing), but one key thing is a list of prefixes used on the local network that should be considered local.
>
> So, taking your example address above, the host has obtained the address fda0:65da:e55a:1::20 (ignore the /128, that's just there because of this historical baggage in the code). That tells it nothing about what hosts it can talk to.
> The router should have sent out an advertisement stating that the prefix fda0:65da:e55a:1::/64 is in use AND that hosts can use neighbour discovery to find others in this subnet. It should be immediately obvious at this point that the router could advertise more than one prefix, and then hosts could automatically find and talk directly to neighbours in the other prefix(es).
>
> Why this emphasis on whether neighbour discovery can be used by the host ?
> For those brought up with broadcast networks like ethernet then it's probably a good question. There are some network types which from an addressing POV look the same, but don't support "broadcast" between different clients - AIUI many radio systems are like this. So if the host fda0:65da:e55a:1::20 wants to talk to fda0:65da:e55a:1::21 it cannot do so directly. So even though fda0:65da:e55a:1::20 and fda0:65da:e55a:1::21 are in the same prefix, they cannot directly talk to each other - instead they must send the packets up to the router.
>
> So while in the IPv4 world we (without configuration fudges) have only two combinations of same|different subnet and neighbours|not-neighbours. In the IPv6 world we have all 4 combinations possible - as well as the two obvious combinations we can have hosts that are in the same prefix but are not neighbours, and hosts that are in different prefixes which are neighbours.
>
> Hope that helps a bit !


-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 


Re: Wrong prefix length is advertised

Juergen Bachsteffel
Hi!

Simon Hobson <[hidden email]> wrote:

Thank you for your explanations. Yes, that helped a bit!

>What do "ip -f inet6 route" and "ip -f inet6 neigh" show ?

ip -f inet route:
fda0:65da:e55a:1::200 dev enp0s25  proto kernel  metric 256
fe80::/64 dev enp0s25  proto kernel  metric 256

ip -f inet neigh:
fe80::224:7eff:fedf:b4b3 dev enp0s25 lladdr 00:24:7e:df:b4:b3 router STALE
fda0:65da:e55a:1::3 dev enp0s25 lladdr 00:24:7e:df:b4:b3 router STALE

(please read further)


Sten Carlsen <[hidden email]> wrote:

>Just to point out that while in IP4 the DHCP gives all info needed, in
>IP6 both DHCP and RADV are needed to have the full picture.

Yes, I know that for the default gateway. There is no option
for the default gateway in DHCPv6. It is advertised through radvd and
normally is the link-local-address from a router.

radvd.conf is:
interface eth0
{
AdvSendAdvert on;
AdvDefaultLifetime 0;
prefix fda0:65da:e55a:0001::/64
{
};
};

Both radvd and dhcpd6 are running.


On my Linux-Client with Network-Manager I have two options for IPv6.
"Automatic" and "Automatic, DHCP only".


WORKING:
With 'Automatic' the client gets an IP-address from radvd and there is an
entry when I type: ip -f inet6 route

fda0:65da:e55a:1::/64 dev enp0s25  proto kernel  metric 256  expires 86375sec


NOT WORKING:
With 'Automatic, DHCP only' the client gets an IP-address from the
DHCP-Server and the entry is missing! (See the first output of ip -6 route).

If I understand your explanations right, this could be the reason
why it isn't working. The client needs a route entry to know who his
neighbors are, right?

And, I have to find out why the entry is missing.


Greetings,
      Juergen


Re: Wrong prefix length is advertised

Sten Carlsen
You will get both the gateway and the prefix from the RADV. If I understand correctly. You may have multiple prefixes.



> On 29 Mar 2016, at 18:46, Juergen Bachsteffel <[hidden email]> wrote:
>
>
> Sten Carlsen <[hidden email]> wrote:
>
>> Just to point out that while in IP4 the DHCP gives all info needed, in
>> IP6 both DHCP and RADV are needed to have the full picture.
>
> Yes, I know that for the default gateway. There is no option
> for the default gateway in DHCPv6. It is advertised through radvd and
> normally is the link-local-address from a router.
>
> radvd.conf is:
> interface eth0
> {
> AdvSendAdvert on;
> AdvDefaultLifetime 0;
> prefix fda0:65da:e55a:0001::/64
> {
> };
> };
>
> Both radvd and dhcpd6 are running.
>
>
> On my Linux-Client with Network-Manager I have two options for IPv6.
> "Automatic" and "Automatic, DHCP only".
>
>
> WORKING:
> With 'Automatic' the client gets an IP-address from radvd and there is an
> entry when I type: ip -f inet6 route
>
> fda0:65da:e55a:1::/64 dev enp0s25  proto kernel  metric 256  expires 86375sec
>
>
> NOT WORKING:
> With 'Automatic, DHCP only' the client gets an IP-address from the
> DHCP-Server and the entry is missing! (See the first output of ip -6 route).
>
> If I understand your explanations right, this could be the reason
> why it isn't working. The client needs a route entry to know who his
> neighbors are, right?
>
> And, I have to find out why the entry is missing.
>
>
> Greetings,
>      Juergen

Re: Wrong prefix length is advertised

Simon Hobson
Juergen Bachsteffel <[hidden email]> wrote:

> Thank you for your explanations. Yes, that helped a bit!

Ah good, it's a relief that it made sense ;-)

> On my Linux-Client with Network-Manager I have two options for IPv6.
> "Automatic" and "Automatic, DHCP only".
>
>
> WORKING:
> With 'Automatic' the client gets an IP-address from radvd

Being pedantic, it'll get a prefix from radvd - but it doesn't get an address from it. The address will come from autoconfiguration or a managed process like DHCP.

> and there is an
> entry when I type: ip -f inet6 route
>
> fda0:65da:e55a:1::/64 dev enp0s25  proto kernel  metric 256  expires 86375sec

Right, so it's got a local prefix.

> NOT WORKING:
> With 'Automatic, DHCP only' the client gets an IP-address from the
> DHCP-Server and the entry is missing! (See the first output of ip -6 route).

OK, so it's not configured any local prefixes. To me, "DHCP only" implies just that - so perhaps it's ignoring radvd with that setting.

Now, bearing in mind that I'm very much not an expert, and have quite limited experience ...
From memory there's a flag in RAs which if set tells the clients that the network is managed - ie there's an address management process (eg DHCP) running and that the client shouldn't autoconfigure its address.
Just checking an radvd server I have running, I have these in the config file (I'm using auto config on that network) :
# AdvManagedFlag on;
# AdvOtherConfigFlag on;
# AdvAutonomous off;

I'd suggest checking the manual for those options.
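
The effect of the missing /64 route entry discussed in this thread can be checked with a longest-prefix match over `ip -f inet6 route` output; this is an added example, not part of the original thread. Assumptions: `DHCP_ONLY` is the route output posted above, `AUTOMATIC` adds the /64 line seen in 'Automatic' mode, the `default via` line is constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Route output posted in the thread for the 'Automatic, DHCP only' setting.
DHCP_ONLY = (
    "fda0:65da:e55a:1::200 dev enp0s25  proto kernel  metric 256\n"
    "fe80::/64 dev enp0s25  proto kernel  metric 256\n"
)
# Same table plus the prefix route that appeared in 'Automatic' mode.
AUTOMATIC = DHCP_ONLY + (
    "fda0:65da:e55a:1::/64 dev enp0s25  proto kernel  metric 256  expires 86375sec\n"
)
# Constructed: DHCP-only table plus a default route via the router's link-local address.
WITH_DEFAULT = DHCP_ONLY + (
    "default via fe80::224:7eff:fedf:b4b3 dev enp0s25  proto ra  metric 1024\n"
)


def parse_routes(text):
    """Parse `ip -6 route` lines into (network, gateway-or-None) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "::/0" if fields[0] == "default" else fields[0]
        try:
            # A bare address (no /len) is a host route and becomes a /128.
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip route-type keywords such as "unreachable" or "local"
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, via))
    return routes


def next_hop(dst, route_text):
    """Return 'on-link', 'via <gateway>' or 'no route' for a destination."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in parse_routes(route_text) if addr in r[0]]
    if not matches:
        return "no route"
    net, via = max(matches, key=lambda r: r[0].prefixlen)  # longest prefix wins
    return f"via {via}" if via else "on-link"


if __name__ == "__main__":
    for name, table in (("DHCP only", DHCP_ONLY), ("Automatic", AUTOMATIC),
                        ("DHCP + default route", WITH_DEFAULT)):
        print(f"{name:22} -> {next_hop('fda0:65da:e55a:1::20', table)}")
```

With only the /128 host route, a peer in the same /64 has no matching route at all; once a default route exists it is reached through the router rather than directly, which is the "same prefix but not neighbours" case described earlier in the thread.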
