DUID-LL vs DUID-LLT



  • Hope I can explain this without making a fool out of myself. Here goes: My ISP (Telenet - a Belgian ISP) hands out static IPv6 addresses. All I have to do is supply my DUID on a web form (see pic), after which I get a static IPv6 address via DHCPv6.

    Now the DUID from pfSense is 32 hexadecimals, but my ISP only accepts DUIDs with 20 hexadecimals.

    Apparently there are 3 types of DUID formats:

    1. Link-layer address plus time (DUID-LLT)
    2. Vendor-assigned unique ID based on Enterprise Number
    3. Link-layer address (DUID-LL)

    I know pfSense uses the DUID-LLT format and if I'm not mistaken my ISP wants a DUID-LL format.

    Can I somehow transform or extract the link-layer address from the pfSense DUID-LLT (and hope that DHCPv6 will work with the DUID-LL format my ISP works with)?

    Thanks in advance for any advice you guys can give me.


  • Galactic Empire

    Might be worth leaving IPv6 till 2.4 which isn't too far away.

    https://forum.pfsense.org/index.php?topic=129690.0



  • @NogBadTheBad:

    Might be worth leaving IPv6 till 2.4 which isn't too far away.

    https://forum.pfsense.org/index.php?topic=129690.0

    Yeah, the OP was probably as thrilled as me to see pfSense 2.4, but still no static IPv6 for us (at this moment at least).


  • Galactic Empire

    After looking at https://tools.ietf.org/html/rfc3315#section-9.1 try the following :-

    00:03:00:01:00:08:a2:0a:9d:cb where your mac address is the red value.

    Basically 00:03 = DUID-LL & 00:01 = Ethernet Hardware Type.

    It could be that their network equipment will allow for all 3 types of duid but their web page doesn't :)



  • pfSense will create a DUID-LLT, which is the link-layer plus time format. In 2.4, you will be able to enter a DUID. I've never tried entering a DUID-LL format, but it may not care if it's a bit shorter than the LLT format.



  • @bimmerdriver:

    pfSense will create a DUID-LLT, which is the link-layer plus time format. In 2.4, you will be able to enter a DUID. I've never tried entering a DUID-LL format, but it may not care if it's a bit shorter than the LLT format.

    Yes it will care, it checks the length.  8)

    So the ISP is saying it wants an LL format DUID, which means they are using DHCP and handing out a reserved address depending on the DUID address, not really a static then. So you will still be using dhcp6 to get an address. pfSense uses dhcp6c, which creates and uses LLT format. I think you need to ask your ISP to edit their web page. On the other hand you could just enter the DUID into pfSense 2.4 and use 00:00:00:00:00:00 as the leading six bytes, that MAY work.



  • @marjohn56:

    @bimmerdriver:

    pfSense will create a DUID-LLT, which is the link-layer plus time format. In 2.4, you will be able to enter a DUID. I've never tried entering a DUID-LL format, but it may not care if it's a bit shorter than the LLT format.

    Yes it will care, it checks the length.  8)

    So the ISP is saying it wants an LL format DUID, which means they are using DHCP and handing out a reserved address depending on the DUID address, not really a static then. So you will still be using dhcp6 to get an address. pfSense uses dhcp6c, which creates and uses LLT format. I think you need to ask your ISP to edit their web page. On the other hand you could just enter the DUID into pfSense 2.4 and use 00:00:00:00:00:00 as the leading six bytes, that MAY work.

    You would think if it really wants a DUID LL format it will also check the length. I guess another bell and whistle for pfsense would be to support multiple formats, at least DUID-LL and -LLT.



  • That would require some changes to dhcp6c as well as pfSense.

    Edit…

    However. I'm bored and need something to play with. No estimated timescale as I am busy with real work, but I'll take a look.



  • @ThreeEyedFish:

    Hope I can explain this without making a fool out of myself. Here goes: My ISP (Telenet - a Belgian ISP) hands out static IPv6 addresses. All I have to do is supply my DUID on a web form (see pic), after which I get a static IPv6 address via DHCPv6.

    Now the DUID from pfSense is 32 hexadecimals, but my ISP only accepts DUIDs with 20 hexadecimals.

    Apparently there are 3 types of DUID formats:

    1. Link-layer address plus time (DUID-LLT)
    2. Vendor-assigned unique ID based on Enterprise Number
    3. Link-layer address (DUID-LL)

    I know pfSense uses the DUID-LLT format and if I'm not mistaken my ISP wants a DUID-LL format.

    Can I somehow transform or extract the link-layer address from the pfSense DUID-LLT (and hope that DHCPv6 will work with the DUID-LL format my ISP works with)?

    Thanks in advance for any advice you guys can give me.

    Had a closer look at this and the rfc states the following:

    A DUID consists of a two-octet type code represented in network byte order, followed by a variable number of octets that make up the actual identifier.  A DUID can be no more than 128 octets long (not including the type code).  The following types are currently defined:

    So a DUID can be up to 128 bytes long plus the type code, why they only allow 20 is a question you must ask them. However, looking at the DUID that pfSense 2.4 uses, and it's initially generated by dhcp6c, it's only 16 bytes long.

    Go into System->Advanced->Networking. Click on copy DUID then save. That will now store the DUID permanently in the pfSense config.

    The length is 16 bytes without the separators. Note, the first two bytes are the length and as such are not part of the DUID itself, so remove them. Enter the remaining 14 bytes and try that.
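
The byte layout discussed in the posts above, as an added example that is not part of any post and is not pfSense or dhcp6c code: it strips the two-byte length prefix from a stored 16-byte value, decodes the DUID fields from RFC 3315 section 9.1, and builds the 10-byte (20 hex digit) DUID-LL that carries the same link-layer address. The function names, the sample value and the acceptance of either byte order for the length prefix are assumptions made for this example.

```python
import struct

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3   # type codes, RFC 3315 section 9.1

def parse_hex(text):
    """Accept 'aa:bb:cc' or 'aabbcc' and return the raw bytes."""
    return bytes.fromhex(text.strip().replace(":", ""))

def strip_length_prefix(raw):
    """Drop a leading two-byte length, as described for the pfSense value.
    Assumption: it counts the bytes that follow; either byte order is accepted."""
    body = raw[2:]
    lengths = (int.from_bytes(raw[:2], "little"), int.from_bytes(raw[:2], "big"))
    known = int.from_bytes(body[:2], "big") in (DUID_LLT, DUID_EN, DUID_LL)
    return body if len(body) >= 4 and len(body) in lengths and known else raw

def decode(duid):
    """Split a DUID (no length prefix) into its fields."""
    if not 2 < len(duid) <= 130:   # type code plus at most 128 octets
        raise ValueError("bad DUID length: %d" % len(duid))
    dtype = int.from_bytes(duid[:2], "big")
    if dtype == DUID_LLT and len(duid) > 8:
        hw, secs = struct.unpack(">HI", duid[2:8])   # secs since 2000-01-01 UTC
        return {"type": "DUID-LLT", "hwtype": hw, "time": secs, "lladdr": duid[8:]}
    if dtype == DUID_LL and len(duid) > 4:
        hw = int.from_bytes(duid[2:4], "big")
        return {"type": "DUID-LL", "hwtype": hw, "lladdr": duid[4:]}
    if dtype == DUID_EN and len(duid) > 6:
        return {"type": "DUID-EN", "enterprise": int.from_bytes(duid[2:6], "big"), "id": duid[6:]}
    raise ValueError("unknown or truncated DUID, type %d" % dtype)

def llt_to_ll(duid):
    """Build the DUID-LL that carries the same link-layer address as a DUID-LLT."""
    info = decode(duid)
    if info["type"] != "DUID-LLT":
        raise ValueError("expected DUID-LLT, got " + info["type"])
    if info["hwtype"] == 1 and len(info["lladdr"]) != 6:   # 1 = Ethernet
        raise ValueError("Ethernet address must be 6 octets")
    return struct.pack(">HH", DUID_LL, info["hwtype"]) + info["lladdr"]

def fmt(raw):
    return ":".join("%02x" % b for b in raw)

# Constructed sample: length prefix + DUID-LLT. The timestamp is made up; the
# MAC is the one in the DUID-LL example given earlier in the thread.
STORED = "0e:00:00:01:00:01:20:c5:5a:10:00:08:a2:0a:9d:cb"

if __name__ == "__main__":
    llt = strip_length_prefix(parse_hex(STORED))
    print(decode(llt))
    print(fmt(llt_to_ll(llt)))
```

The script only shows how the two formats relate; whether a DHCPv6 server treats the resulting DUID-LL as the same client depends on what the client actually sends on the wire.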



  • That copy DUID doesn't seem to be in 2.3.4-RELEASE-p1.



  • It's not… 2.4 only as stated in an earlier message in this thread by bimmerdriver. I added it to 2.4, whether it will be back ported I've no idea, but I doubt it. I suspect 2.3.* will only get security updates once 2.4 gets full release, and that will be any day now.

    You would need to use 2.4 for this anyway. You need to be absolutely sure that your DUID will not change, only 2.4 can give that certainty.



  • Why would a DUID change, other than changing hardware?  Mine hasn't changed in the almost 1.5 years I've been using pfSense.  I used to have a problem with my IPv6 prefix changing, but that was fixed when the "Do not allow PD/Address release" option was added.



    The do not allow release was one of the protections I added for Sky users, where the DUID would change when dhcp6c exited, it sent a release to the BNG, and some, not all, BNGs (e.g. Sky) would then issue a new prefix on the next solicit. That was not related to a fixed DUID but to the release of the address/prefix. The next issue was that if you were using a RAM drive, the DUID file which is what dhcp6c reads on startup would be lost on a reboot, a new DUID would be generated and you would get a new address/prefix. Although there was a script that could be run to back up and restore the DUID file it was not the best way of doing things so the addition of a function to store the DUID in the config file was added.

    Now it's totally stable and will never change, unless of course you change it yourself.



  • A DUID-LL in theory should never change, since it's derived from the MAC of the interface. The DUID-LLT format is the LL plus time, so if for some reason you need it to change, you can generate another one. Maybe you decide one day that you want a different prefix. Then generate a new DUID-LLT.

    Another use case would be if the dhcp server would not grant a lease for some unspecified reason. Should that happen? Probably no, but from what I've seen of the way the dhcp server used by my ISP works, it's quite possible. (My ISP uses Nokia edge routers configured with a dhcp relay and a centralized dhcp server. The relay looks at the MAC address of the node requesting a lease and if it already has a lease, it will be blocked, regardless of what the DUID is. If the request makes it past the relay, the server will attempt to grant the same prefix if the DUID is the same. Again, this is Nokia equipment.)

    Another situation, already mentioned, is if the interface is on a discrete interface card and the card has to be replaced.

    I'm somewhat surprised that the pfsense routers supplied by netgate don't use the enterprise format.



  • I'm somewhat surprised that the pfsense routers supplied by netgate don't use the enterprise format.

    Because dhcp6c does not support it.