Netgate Discussion Forum

    [Resolved] IPv6 /48 routed through /64 interconnection

    • JKnottJ
      JKnott
      last edited by

      @fabienfs:

      When you said
      @JKnott:

      the link local address can be locally assigned.  For example, with pfsense, on my local LAN, the default gateway is fe80::1:1.

      do you mean that you have manually chosen and set this link-local address?

      if yes, can it be a problem for the ISP if someone did like you and chose the same address?

      No, I didn't choose it, pfsense did.  Also, that's on the LAN side, so the ISP wouldn't see it.  However, even on the WAN side it might not be a problem, as the link local address needs to be unique only on a given link.  There's no reason why it can't be used on another one.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • F
        fabienfs
        last edited by

        Yes… that’s right
        Thanks :-)

        • F
          fabienfs
          last edited by

          One last question:
          ISPs use one interface by customer then?

          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            A Router Advertisement will likely result in a destination route to a link-local address, but an ISP static route probably should not since the link-local address for the route destination is un-knowable.

            Happy to be educated to the contrary.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              @fabienfs:

              One last question:
              ISPs use one interface by customer then?

              Question for your ISP.

              • JKnottJ
                JKnott
                last edited by

                @fabienfs:

                One last question:
                ISPs use one interface by customer then?

                That would depend on the ISP and connection type.  I have a cable modem and the segment is shared by others.  So, the link local address would have to be unique on the segment, but not elsewhere.

                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  Right but I'm talking static routing. Or a routing protocol. Not anything dynamic like DHCP/PDs.

                  • JKnottJ
                    JKnott
                    last edited by

                    @Derelict:

                    A Router Advertisement will likely result in a destination route to a link-local address, but an ISP static route probably should not since the link-local address for the route destination is un-knowable.

                    Happy to be educated to the contrary.

                    With routing, the task is to determine what interface to use to reach a destination.  This is done with routing tables that point to the appropriate interface.  It makes no difference whether static or routing protocol, such as OSPF is used.  A multipoint link requires the IP address of the next router and link local is fine for that.  A point to point link doesn't even need that, as there is only one possible destination.  When routing to a destination, only the end point IP address is relevant.  Any address in between is not, so long as the router knows which interface to use.

                    Bottom line, routing over the entire Internet, using only link local addresses is possible.  Global addresses are needed only for management and diagnostics.

                    Here is the default route for my pfsense firewall:
                    default            fe80::217:10ff:fe9 UGS        re0

                    It lists the link local address for my ISP's router and the interface it's found on.

                    • JKnottJ
                      JKnott
                      last edited by

                      @Derelict:

                      Right but I'm talking static routing. Or a routing protocol. Not anything dynamic like DHCP/PDs.

                      It looks like we crossed in our posts.  However, a router only needs to know the interface to send the packets out of to reach the next hop.  This can be any valid IPv6 address or, in the case of point to point links, just the interface.  Every route in a routing table eventually works its way down to an exit interface.  The routes in a routing table can be entered manually or via routing protocol.  It makes no difference.  All that matters is the exit interface to the next hop.

                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        I agree, but Q: How does upstream know the downstream link-local address for a static route? A: It doesn't and can't.

                        Here is the default route for my pfsense firewall:
                        default            fe80::217:10ff:fe9 UGS        re0

                        It lists the link local address for my ISP's router and the interface it's found on.

                        Right. But that is downstream-to-upstream which is discovered using an RA.

                        • JKnottJ
                          JKnott
                          last edited by

                          I agree, but Q: How does upstream know the downstream link-local address for a static route? A: It doesn't and can't.

                          It doesn't need it.  All it needs to know is which direction takes a packet closer to the destination, that is the exit interface.  Then, at the next router, the same thing happens again, which exit interface to get the packet closer to the destination.  This can keep on happening for as many hops as necessary, until the packet reaches the destination network, where it's finally delivered.  None of the routers along the path needs to know the WAN address of the destination router, only the way to get to the destination network.

                          Think about what happens on IPv4.  Do all the routers know the WAN address of the destination network?  Or do they just know the way to the next hop, according to routing tables?  If you assume that the WAN IP address must be known, then the IP address of all the routers must also be known and with complex networks, that's not likely to happen.

                          Go to the command prompt and enter netstat -r and you'll see the routing table listing which interface is used for the known addresses and the default route for any unknown addresses.

                          • DerelictD
                            Derelict LAYER 8 Netgate
                            last edited by

                            It doesn't need it.  All it needs to know is which direction takes a packet closer to the destination, that is the exit interface.  Then, at the next router, the same thing happens again, which exit interface to get the packet closer to the destination.  This can keep on happening for as many hops as necessary, until the packet reaches the destination network, where it's finally delivered.  None of the routers along the path needs to know the WAN address of the destination router, only the way to get to the destination network.

                            Right. But that requires interface routes. You are mixing things up. There needs to be a next hop address. There is no way to know the link-local address of the next hop in this case.

                            • JKnottJ
                              JKnott
                              last edited by

                              There needs to be a next hop interface.  Point to point links don't need an address at all and multipoint need the interface and next hop address.  That next hop address is usually link local on IPv6.  Any router address beyond the next hop is irrelevant.  As for the IPv6 address at the other end of a link, why is there any difference between GUA and link local?  If doing manual configuration, you'd need to know the address either way.  If using a routing protocol, such as OSPF, it's all worked out automatically.

                              Here's something from the Cisco book IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6, 2nd ed., page 425:

                              ipv6-address: The IPv6 address of the next hop that can be used to reach the specified
                              network. The IPv6 address of the next hop need not be directly connected;
                              recursion is done to find the IPv6 address of the directly connected next hop. When
                              an interface type and interface number are specified, you can optionally specify
                              the IPv6 address of the next hop to which packets are output. Note that you must
                              specify an interface type and an interface number when using a link-local address as
                              the next hop. (The link-local next hop must also be an adjacent router.) This argument
                              must be in the form documented in RFC 4291, where the address is specified
                              in hexadecimal, using 16-bit values between colons.

                              Notice they say a link local address can be used.

                              • DerelictD
                                Derelict LAYER 8 Netgate
                                last edited by

                                Of course it can. If you know it.

                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.
                                Of course you can route to a link-local address.

                                We are talking about a specific case where the ISP needs to route a /48 to a WAN interface at the customer.

                                The ISP does not know the WAN link-local address.

                                See Also: HE.NET GIF interfaces. Same thing.

                                • JKnottJ
                                  JKnott
                                  last edited by

                                  We are talking about a specific case where the ISP needs to route a /48 to a WAN interface at the customer.

                                  No matter what it's routing, it needs an IP address on a multipoint link.  That can be link local.  I provided my default gateway earlier, but here it is again:
                                  default            fe80::217:10ff:fe9 UGS        re0

                                  Notice that it's link local.  This is on a cable modem connection, with the modem in bridge mode.  Using Wireshark, I discovered that my IPv6 gateway has the same MAC as shown for IPv4 in the arp cache.  So, I am using a link local address for the gateway.  Don't forget, IPv6 can use things like neighbour advertisements to announce their IPv6 address and I can see those on the WAN link.  As mentioned, I am on a cable modem.  It uses DHCPv6 to get its WAN global address.  But DHCPv6 uses ICMPv6, using the link local address to reach the server.  So, with that mechanism, the server has the MAC address and link local address.  It will also have the DUID, as provided by the DHCPv6 client.  The ISP now has the link local address to use to forward the /48.

                                  See Also: HE.NET GIF interfaces. Same thing.

                                  He.net uses a point to point tunnel to carry IPv6 and therefore does not need any IP address.  However, this is a bit different situation, where the link has to be configured over IPv4.  The configuration tells the he.net router which link to use for the /48.

                                  This is one of the areas where IPv6 is different from IPv4.  It has the link local address which is used for so much in configuring networks etc.  No need for ARP.  DHCP is often used to provide addresses other than for an interface, though that can happen too.  It also has things like router and neighbour advertisements and requests and so much more.  It makes some things a lot easier than IPv4.

                                  BTW, I just used Packet Capture to look at my WAN interface.  I see neighbour solicitations and advertisements using link local addresses, not global, even though that interface has a global address.

                                  Also, how do you display the neighbour MAC addresses for IPv6 addresses in pfsense?  With Linux, the command ip -6 neigh show does it and with FreeBSD it should be npd -a, but that command is not available with pfsense.

                                  • DerelictD
                                    Derelict LAYER 8 Netgate
                                    last edited by

                                    Now reverse the roles. You are the ISP who needs to route a static /48 to a user. Do you route it to fe80::217:10ff:fe9? Or do you assign the end user a unicast address on their WAN interface and route to that? You cannot use DHCP6 and you cannot use SLAAC. What do you do?

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      Ding Ding Ding - and we have a winner ;)

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      • DerelictD
                                        Derelict LAYER 8 Netgate
                                        last edited by

                                        Internet-Draft             IPv6 Design Choices              October 2016
                                        
                                        2.3.  Static Routes
                                        
                                        2.3.1.  Link-Local Next-Hop in a Static Route?
                                        
                                           For the most part, the use of static routes in IPv6 parallels their
                                           use in IPv4.  There is, however, one exception, which revolves around
                                           the choice of next-hop address in the static route.  Specifically,
                                           should an operator:
                                        
                                           a.  Use the far-end's link-local address as the next-hop address, OR
                                        
                                           b.  Use the far-end's GUA/ULA address as the next-hop address?
                                        
                                           Recall that the IPv6 specs for OSPF [RFC5340] and ISIS [RFC5308]
                                           dictate that they always use link-locals for next-hop addresses.  For
                                           static routes, [RFC4861] section 8 says:
                                        
                                              A router MUST be able to determine the link-local address for each
                                              of its neighboring routers in order to ensure that the target
                                              address in a Redirect message identifies the neighbor router by
                                              its link-local address.  For static routing, this requirement
                                              implies that the next-hop router's address should be specified
                                              using the link-local address of the router.
                                        
                                           This implies that using a GUA or ULA as the next hop will prevent a
                                           router from sending Redirect messages for packets that "hit" this
                                           static route.  All this argues for using a link-local as the next-hop
                                           address in a static route.
                                        
                                           However, there are two cases where using a link-local address as the
                                           next-hop clearly does not work.  One is when the static route is an
                                           indirect (or multi-hop) static route.  The second is when the static
                                           route is redistributed into another routing protocol.  In these
                                           cases, the above text from RFC 4861 notwithstanding, either a GUA or
                                           ULA must be used.
                                        
                                           Furthermore, many network operators are concerned about the
                                           dependency of the default link-local address on an underlying MAC
                                           address, as described in the previous section.
                                        
                                           **Today most operators use GUAs as next-hop addresses.**
                                        
                                        Matthews & Kuarsingh       Expires May 1, 2017                  [Page 8]

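The next-hop rules argued over in this thread (the Cisco passage's interface requirement and the Internet-Draft's section 2.3.1 cases) can be checked mechanically; the following is an added example, not code from any poster, pfSense, or Cisco. `StaticRoute`, `lint`, the finding codes, the interface names and every address are constructed for illustration, using the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
Finding = Tuple[str, str, str]  # (severity, code, message)


@dataclass
class StaticRoute:  # hypothetical record, not a pfSense or Cisco structure
    prefix: str                      # destination, e.g. a routed /48
    next_hop: Optional[str] = None   # None means an interface-only route
    interface: Optional[str] = None  # exit interface
    point_to_point: bool = False     # tunnel or other two-ended link
    multi_hop: bool = False          # next hop is not an adjacent router
    redistributed: bool = False      # route is exported into a routing protocol


def is_eui64(addr: ipaddress.IPv6Address) -> bool:
    """Modified EUI-64 interface IDs carry ff:fe in bytes 3-4 of the low 64 bits."""
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF
    return (iid >> 24) & 0xFFFF == 0xFFFE


def lint(route: StaticRoute) -> List[Finding]:
    ipaddress.IPv6Network(route.prefix)  # raises ValueError on a malformed prefix
    out: List[Finding] = []
    if route.next_hop is None:
        if not route.interface:
            out.append(("ERROR", "no-exit", "neither next hop nor exit interface"))
        elif not route.point_to_point:
            out.append(("ERROR", "multipoint-needs-hop",
                        "interface-only route on a multipoint link"))
        return out
    # Accept the scoped form "fe80::1%re0" as naming the exit interface.
    text, _, zone = route.next_hop.partition("%")
    hop = ipaddress.IPv6Address(text)
    iface = route.interface or zone
    if hop.is_multicast or hop.is_unspecified or hop.is_loopback:
        out.append(("ERROR", "bad-hop", "next hop is not a usable unicast address"))
        return out
    if hop in LINK_LOCAL:
        if not iface:
            out.append(("ERROR", "no-interface",
                        "link-local next hop needs an exit interface"))
        if route.multi_hop:
            out.append(("ERROR", "multi-hop",
                        "link-local next hop must be an adjacent router"))
        if route.redistributed:
            out.append(("ERROR", "redistributed",
                        "redistributed route needs a GUA or ULA next hop"))
        if is_eui64(hop):
            out.append(("WARN", "mac-derived",
                        "link-local next hop depends on the peer's MAC address"))
    else:
        kind = "ULA" if hop in ULA else "GUA"
        out.append(("NOTE", "no-redirect",
                    f"{kind} next hop: no Redirects for this route (RFC 4861 s.8)"))
    return out


def codes(route: StaticRoute) -> List[str]:
    return [code for _, code, _ in lint(route)]


if __name__ == "__main__":
    samples = [  # constructed routes
        StaticRoute("2001:db8:1000::/48", "fe80::211:22ff:fe33:4455", "re0"),
        StaticRoute("2001:db8:1000::/48", "fe80::1:1"),
        StaticRoute("2001:db8:1000::/48", "2001:db8:0:1::2"),
        StaticRoute("2001:db8:1000::/48", interface="gif0", point_to_point=True),
    ]
    for r in samples:
        print(r.prefix, r.next_hop, r.interface, codes(r))
```
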
                                        • JKnottJ
                                          JKnott
                                          last edited by

                                          @Derelict:

                                          Now reverse the roles. You are the ISP who needs to route a static /48 to a user. Do you route it to fe80::217:10ff:fe9? Or do you assign the end user a unicast address on their WAN interface and route to that? You cannot use DHCP6 and you cannot use SLAAC. What do you do?

                                          Routing is always to the next hop.  The routing tables point to the next closest router to the destination, always.  No exception.  The router simply needs to know the exit interface.  The address in the routing table is simply used to determine which interface that is.  Always.

                                          The ISP has the link local and MAC address of the end user and may have an IPv6 WAN address.  When a packet for the end user network arrives, the router looks up the interface to send it out to go to that network.  It uses an IP address, could be either link local or global address to determine the interface.  The packet is then sent out that interface to the customer's router, where it will be forwarded to the local LAN.  This is how routing works at every single step of the way.  The packets are simply sent out the interface that will take it closer to the destination.  It makes no difference whether it's another router that's directly connected, a router connected via cable modem or DSL etc.  It's just pushing packets out the correct interface and the addresses of all the routers in between are irrelevant.  They do not appear in the routing tables.  And no, the link local address is not routed and I've never claimed that.  It's just irrelevant, except when used to determine the exit interface.  Let's take this a step further and include MAC addresses.  That's what IP addresses eventually resolve to on directly connected links.  Do you route according to MAC address when sending to a network several hops away?  No you don't.  You also don't route to any router IP address along the way.  You simply follow a route hop by hop to the destination network, as determined by the routing table.  As I've mentioned, you don't even need an IP or even MAC address, if using a point to point link, as the interface alone is enough to get the right direction.

                                          Would you like me to suggest some books from Cisco that cover all this?

                                          • JKnottJ
                                            JKnott
                                            last edited by

                                            However, there are two cases where using a link-local address as the
                                              next-hop clearly does not work.  One is when the static route is an
                                              indirect (or multi-hop) static route.  The second is when the static
                                              route is redistributed into another routing protocol.  In these
                                              cases, the above text from RFC 4861 notwithstanding, either a GUA or
                                              ULA must be used.

                                            I assume this is the relevant section you're referring to.  It lists exceptions to the rule.  The 2nd would seem to apply to something like converting between IPv4 and IPv6.  The other is simply recursive routing, where you have to go through the same processes repeatedly, until you work down to the next hop.

                                            Furthermore, many network operators are concerned about the
                                              dependency of the default link-local address on an underlying MAC
                                              address, as described in the previous section.

                                            For this, you'd need to know what the issues are.  It does not say link local cannot be used, but might not.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.