    IPv6 on WAN only; DHCP errors, failed to parse DHCP options

      Antonius ReichFest

      The particular setup:

      ISP <-> Inteno CPE <-> pfSense <-> (n * LAN segments)

      pfSense works perfectly with IPv4, no issues over the years.

      Technically, for IPv4 only, the client won't need that Linux-based €100 Inteno CPE box.
      However, the Inteno box is mandatory to obtain the IPv6 connectivity (provisioning spells transferred via DHCP option 60). A random device won't ever get an IPv6 address from the ISP.

      The ISP is rather realistic about their HelpDesk's unwillingness to support the full zoo of home (amateur) devices. They have named their output network "lan" ::) and expect to see an average home setup with no segmentation, with all PCs, WiFis and IoTs bound together :-[ .

      To satisfy the more demanding clients, the CPE firmware started to support Prefix Delegation last year. Client prefix is /56, Inteno effectively halving that for its service LAN (resulting /57 prefix) but for some technical and political reasons prefix /62 is offered to the client devices, if asked nicely. There are different firmware versions in the field, some of these permit manually changing the prefix size (tested all possibilities from 57 through 64).

      With my network and admin experience, I have spent tens of hours, if not more, reading blogs and forums and RFCs. So far no light at the end of the tunnel, thus asking the community now.

      The symptoms at pfSense (2.3.4-RELEASE-p1):

      • WAN obtains an IPv4 address via DHCP4
      • WAN obtains a global IPv6 address via DHCP6
          (correctly associated with a /64 prefix 2001:XXXX:YYYY:ZZ80::)
      • LAN never obtains a global IP address (set to track WAN)
      • according to pcap, IA is firmly offered by Inteno (2001:XXXX:YYYY:ZZ84::, etc) but that'll never materialise on pfSense interfaces. Tested with two CPE instances and two pfSense instances.
      • DHCP debug log shows an anomaly - the Solicit/Advertise phase passes with "warnings" but the Request/Reply phase will fail fatally:

      Jan 28 17:22:08 fw18 dhcp6c[86650]: reset a timer on bge0, state=INIT, timeo=0, retrans=383
      Jan 28 17:22:08 fw18 dhcp6c[86650]: Sending Solicit
      Jan 28 17:22:08 fw18 dhcp6c[86650]: a new XID (de97d4) is generated
      Jan 28 17:22:08 fw18 dhcp6c[86650]: set client ID (len 14)
      Jan 28 17:22:08 fw18 dhcp6c[86650]: set elapsed time (len 2)
      Jan 28 17:22:08 fw18 dhcp6c[86650]: set option request (len 4)
      Jan 28 17:22:08 fw18 dhcp6c[86650]: set IA_PD prefix
      Jan 28 17:22:08 fw18 dhcp6c[86650]: set IA_PD
      Jan 28 17:22:08 fw18 dhcp6c[86650]: send solicit to ff02::1:2%bge0
      Jan 28 17:22:08 fw18 dhcp6c[86650]: reset a timer on bge0, state=SOLICIT, timeo=0, retrans=1088
      Jan 28 17:22:08 fw18 dhcp6c[86650]: receive advertise from fe80::222:7ff:fe50:b2c1%bge0 on bge0
      Jan 28 17:22:08 fw18 dhcp6c[86650]: get DHCP option server ID, len 10
      Jan 28 17:22:08 fw18 dhcp6c[86650]:  DUID: 00:03:00:01:00:22:07:50:b2:c1
      Jan 28 17:22:08 fw18 dhcp6c[86650]: get DHCP option client ID, len 14
      Jan 28 17:22:08 fw18 dhcp6c[86650]:  DUID: 00:01:00:01:1e:14:2b:a3:00:04:23:09:12:98
      Jan 28 17:22:08 fw18 dhcp6c[86650]: get DHCP option opt_82, len 4
      Jan 28 17:22:08 fw18 dhcp6c[86650]: unknown or unexpected DHCP6 option opt_82, len 4
      Jan 28 17:22:08 fw18 dhcp6c[86650]: get DHCP option DNS, len 16
      Jan 28 17:22:08 fw18 dhcp6c[86650]: get DHCP option domain search list, len 5
      Jan 28 17:22:08 fw18 dhcp6c[86650]: get DHCP option opt_20, len 0
      Jan 28 17:22:08 fw18 dhcp6c[86650]: unknown or unexpected DHCP6 option opt_20, len 0
      Jan 28 17:22:08 fw18 dhcp6c[86650]: get DHCP option IA_PD, len 41
      Jan 28 17:22:08 fw18 dhcp6c[86650]:  IA_PD: ID=0, T1=540, T2=864
      Jan 28 17:22:08 fw18 dhcp6c[86650]: get DHCP option IA_PD prefix, len 25
      Jan 28 17:22:08 fw18 dhcp6c[86650]:  IA_PD prefix: 2001:XXXX:YYYY:ZZ84::/62 pltime=1081 vltime=1081
      Jan 28 17:22:08 fw18 dhcp6c[86650]: server ID: 00:03:00:01:00:22:07:50:b2:c1, pref=-1
      Jan 28 17:22:08 fw18 dhcp6c[86650]: reset timer for bge0 to 0.997225
      Jan 28 17:22:09 fw18 dhcp6c[86650]: picked a server (ID: 00:03:00:01:00:22:07:50:b2:c1)
      Jan 28 17:22:09 fw18 dhcp6c[86650]: Sending Request
      Jan 28 17:22:09 fw18 dhcp6c[86650]: a new XID (7ce2fa) is generated
      Jan 28 17:22:09 fw18 dhcp6c[86650]: set client ID (len 14)
      Jan 28 17:22:09 fw18 dhcp6c[86650]: set server ID (len 10)
      Jan 28 17:22:09 fw18 dhcp6c[86650]: set elapsed time (len 2)
      Jan 28 17:22:09 fw18 dhcp6c[86650]: set option request (len 4)
      Jan 28 17:22:09 fw18 dhcp6c[86650]: set IA_PD prefix
      Jan 28 17:22:09 fw18 dhcp6c[86650]: set IA_PD
      Jan 28 17:22:09 fw18 dhcp6c[86650]: send request to ff02::1:2%bge0
      Jan 28 17:22:09 fw18 dhcp6c[86650]: reset a timer on bge0, state=REQUEST, timeo=0, retrans=977
      Jan 28 17:22:09 fw18 dhcp6c[86650]: receive reply from fe80::222:7ff:fe50:b2c1%bge0 on bge0
      Jan 28 17:22:09 fw18 dhcp6c[86650]: get DHCP option server ID, len 10
      Jan 28 17:22:09 fw18 dhcp6c[86650]:  DUID: 00:03:00:01:00:22:07:50:b2:c1
      Jan 28 17:22:09 fw18 dhcp6c[86650]: get DHCP option client ID, len 14
      Jan 28 17:22:09 fw18 dhcp6c[86650]:  DUID: 00:01:00:01:1e:14:2b:a3:00:04:23:09:12:98
      Jan 28 17:22:09 fw18 dhcp6c[86650]: get DHCP option opt_82, len 4
      Jan 28 17:22:09 fw18 dhcp6c[86650]: unknown or unexpected DHCP6 option opt_82, len 4
      Jan 28 17:22:09 fw18 dhcp6c[86650]: get DHCP option DNS, len 16
      Jan 28 17:22:09 fw18 dhcp6c[86650]: get DHCP option domain search list, len 5
      Jan 28 17:22:09 fw18 dhcp6c[86650]: get DHCP option opt_20, len 0
      Jan 28 17:22:09 fw18 dhcp6c[86650]: unknown or unexpected DHCP6 option opt_20, len 0
      Jan 28 17:22:09 fw18 dhcp6c[86650]: get DHCP option authentication, len 28
      Jan 28 17:22:09 fw18 dhcp6c[86650]:  proto: reconfig, alg: HMAC-MD5, RDM: mono counter, RD: 5a6e 06c1 0000 001f
      Jan 28 17:22:09 fw18 dhcp6c[86650]: unsupported authentication protocol: 1
      Jan 28 17:22:09 fw18 dhcp6c[86650]: failed to parse options

      The bits (from a capture) that'll put pfSense off-road are:

      SOL_MAX_RT
          Option: SOL_MAX_RT (82)
          Length: 4
          Value: 0000003c

      Reconfigure Accept
          Option: Reconfigure Accept (20)
          Length: 0

      Authentication
          Option: Authentication (11)
          Length: 28
          Value: 0301<numbers>fe…
          Protocol: 3
          Algorithm: 1
          RDM: 0
          Replay Detection: 5a<morenumbers>01
          Authentication Information: 01<evenmorenumbers>65

      I would really appreciate help. It seems to me the Internet is full of such unsuccessful stories due to Options 20 and 82.

      A relevant PCAP slice is attached.
      midnet-v6.pcap

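The three options listed in the capture above can be decoded with a short, tolerant TLV parser. This is an added example, not part of the original post and not dhcp6c's code. The Authentication body layout (protocol, algorithm, RDM, 8-byte replay detection, then a 1-byte type plus 16-byte value for protocol 3) follows RFC 3315 section 21.5; the function names and the sample bytes are assumptions made for illustration.

```python
import struct

# Option codes as shown in the page's capture; protocol/algorithm per RFC 3315 s.21.5.
OPT_AUTH, OPT_RECONF_ACCEPT, OPT_SOL_MAX_RT = 11, 20, 82
RECONF_KEY_PROTO, HMAC_MD5 = 3, 1

def parse_auth(val):
    """Decode the Authentication option body: proto, alg, RDM, 8-byte replay, info."""
    if len(val) < 11:
        raise ValueError("authentication option shorter than its fixed header")
    proto, alg, rdm, replay = struct.unpack_from("!BBBQ", val)
    auth = {"protocol": proto, "algorithm": alg, "rdm": rdm, "replay": replay}
    info = val[11:]
    if proto == RECONF_KEY_PROTO:
        if alg != HMAC_MD5 or len(info) != 17:
            raise ValueError("malformed reconfigure-key authentication")
        # info type 1 = key handed out in a Reply, 2 = HMAC-MD5 digest in a Reconfigure
        auth["info_type"], auth["value"] = info[0], info[1:]
    else:
        auth["raw_info"] = info
    return auth

def parse_options(buf):
    """Walk DHCPv6 TLVs (2-byte code, 2-byte length); return (decoded, skipped)."""
    decoded, skipped, off = {}, [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        val = buf[off + 4: off + 4 + length]
        if len(val) != length:
            raise ValueError(f"option {code} overruns the buffer")
        off += 4 + length
        if code == OPT_SOL_MAX_RT and length == 4:
            decoded["sol_max_rt"] = struct.unpack("!I", val)[0]
        elif code == OPT_RECONF_ACCEPT and length == 0:
            decoded["reconfigure_accept"] = True
        elif code == OPT_AUTH:
            decoded["auth"] = parse_auth(val)
        else:
            skipped.append(code)  # unknown or odd-sized: skip it, keep parsing
    return decoded, skipped

def opt(code, val=b""):
    return struct.pack("!HH", code, len(val)) + val

# Constructed sample (not the poster's capture): options 82, 20, 11 and one unknown.
SAMPLE = (opt(82, bytes.fromhex("0000003c")) + opt(20)
          + opt(11, bytes([3, 1, 0]) + bytes(7) + b"\x01" + b"\x01" + bytes(range(16)))
          + opt(4660, b"xy"))
```

Unknown option codes end up in the skipped list instead of aborting the whole message, while length violations still raise, so a malformed packet is rejected without an unfamiliar option being fatal.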
        Fesoj

        Without going into the details, did you check that

        • System / Advanced / Networking / Allow IPv6 is enabled?

        • Interfaces / WAN / Request a IPv6 (global routing) prefix is checked?

        • The Interfaces / WAN / DHCPv6 Prefix Delegation size is set to 56 (or whatever the ISP offers)?

        • Interfaces / WAN / Send IPv6 prefix hint is checked?

        • Services / DHCPv6 Server & RA / LAN / Router Advertisements / Router mode is set to unmanaged?

        • Make sure that ICMP is allowed for IPv4 and IPv6 (though endpoints might still block IPv6 ICMP by default)

        This is essentially a generic guide, initially written for German Telekom, and described with more details somewhere else.
