[Resolved] IPv6 /48 routed trough /64 interconnection



  • Hello,

    I think it’s a topic that comes up regularly, I read a lot of the forum and I can not find a solution.

    My IPv6 WAN connection is interconnected to the ISP with a /64. My WAN interface is successfully pinging Internet IPv6 addresses.

    In addition to that, my ISP route an IPv6 /48 prefix “2a0a:xxxx:50::/48”. So, I split this /48 in /64 on my different LAN interfaces.

    Exemple :
    LAN1 : 2a0a:xxxx:50:10::/64
    LAN2 : 2a0a:xxxx:50:20::/64

    But I can not reach the Internet through these LANs interfaces.

    WAN interface:
        IPv6 Static : 2a0a:xxxx:fab:50::1/64
        IPv6 default gateway : 2a0a:xxxx:fab:50::/64

    LAN1 interface:
        IPv6 Static : 2a0a:xxxx:50:10::/64

    Even if I try to ping the default gateway from my LAN1 interface, I have no answer.

    In the firewall, IPv6 is allowed on all interfaces.

    What’s also weird is when I make a traceroute from LAN1 to the default gateway, I only have * * *

    It seems that via my LAN1 interface, it does not know or transfer the packets. So should he follow the default gateway ?!

    On the side of the ISP, the configuration in their pfSense is as follows: a “Customer” interface with static IPv6 address 2a0a:xxxx:fab:50::/64 and for routed /48 subnet : an Virtual IPs > IP Alias linked with “Customer” interface, IP Adresses : 2A0A:xxxx:50::/48.

    Thanks for your help 🙂


  • Netgate

    an Virtual IPs > IP Alias linked with “Customer” interface, IP Adresses : 2A0A:xxxx:50::/48.

    No idea what they’re doing there.

    They should create a gateway with your IPv6 wan interface address on it then a static route for the /48 to that. Zero reason for any VIPs.

    Yet Another Clueless ISP.



  • @Derelict:

    They should create a gateway with your IPv6 wan interface address on it then a static route for the /48 to that. Zero reason for any VIPs.

    Thanks! It’s work with this solution! 🙂



  • @Derelict:

    an Virtual IPs > IP Alias linked with “Customer” interface, IP Adresses : 2A0A:xxxx:50::/48.

    No idea what they’re doing there.

    They should create a gateway with your IPv6 wan interface address on it then a static route for the /48 to that. Zero reason for any VIPs.

    Yet Another Clueless ISP.

    That assigned WAN adress is likely not used for routing.  On IPv6, routing is normally done via the link local address.  Go to a command prompt and enter netstat -r.  You’ll likely see the IPv6 default route is a link local address, not the WAN ULA.



  • @JKnott:

    That assigned WAN adress is likely not used for routing.  On IPv6, routing is normally done via the link local address.  Go to a command prompt and enter netstat -r.  You’ll likely see the IPv6 default route is a link local address, not the WAN ULA.

    Thanks JKnott,
    Indeed, before your message, I used a global address to do routing, instead of just using the link-local adress. I reconfigured my WAN interface by putting “IPv6 Configuration Type: None” and now when I’m doing a netstat -r, I see that the default GW for IPv6 is the link-local address. it saves a prefix /64 that was not useful!

    no risk that my link-local IPv6 address changes?
    Thanks



  • @fabienfs:

    no risk that my link-local IPv6 address changes?
    Thanks

    Given that it’s normally based on the MAC address, no chance unless you change the hardware.  In some instance, such as routers, the link local address can be locally assigned.  For example, with pfsense, on my local LAN, the default gateway is fe80::1:1.



  • When you said
    @JKnott:

    the link local address can be locally assigned.  For example, with pfsense, on my local LAN, the default gateway is fe80::1:1.

    do you mean that you have manually chosen and set this link-local address?

    if yes, can it be a problem for the ISP if someone did like you and chose the same address?



  • @fabienfs:

    When you said
    @JKnott:

    the link local address can be locally assigned.  For example, with pfsense, on my local LAN, the default gateway is fe80::1:1.

    do you mean that you have manually chosen and set this link-local address?

    if yes, can it be a problem for the ISP if someone did like you and chose the same address?

    No, I didn’t choose it, pfsense did.  Also, that’s on the LAN side, so the ISP wouldn’t see it.  However, even on the WAN side it might not be a problem, as the link local address needs to be unique only on a given link.  There’s no reason why it can’t be used on another one.



  • Yes… that’s right
    Thanks 🙂



  • One last question:
    ISPs use one interface by customer then?


  • Netgate

    A Router Advertisement will likely results in a destination route to a link-local address, but an ISP static route probably should not since the link-local address for the route destination is un-knowable.

    Happy to be educated to the contrary.


  • Netgate

    @fabienfs:

    One last question:
    ISPs use one interface by customer then?

    Question for your ISP.



  • @fabienfs:

    One last question:
    ISPs use one interface by customer then?

    That would depend on the ISP and connection type.  I have a cable modem and the segment is shared by others.  So, the link local address would have to be unique on the segment, but not elsewhere.


  • Netgate

    Right but I’m talking static routing. Or a routing protocol. Not anything dynamic like DHCP/PDs.



  • @Derelict:

    A Router Advertisement will likely results in a destination route to a link-local address, but an ISP static route probably should not since the link-local address for the route destination is un-knowable.

    Happy to be educated to the contrary.

    With routing, the task is to determine what interface to use to reach a destination.  This is done with routing tables that point to the appropriate interface.  It makes no difference whether static or routing protocol, such as OSPF is used.  A multipoint link requires the IP address of the next router and link local is fine for that.  A point to point link doesn’t even need that, as there is only one possible destination.  When routing to a destination, only the end point IP address is relevant.  Any address in between is not, so long as the router knows which interface to use.

    Bottom line, routing over the entire Internet, using only link local addresses is possible.  Global addresses are needed only for management and diagnostics.

    Here is the default route for my pfsense firewall:
    default            fe80::217:10ff:fe9 UGS        re0

    It lists the link local address for my ISP’s router and the interface it’s found on.



  • @Derelict:

    Right but I’m talking static routing. Or a routing protocol. Not anything dynamic like DHCP/PDs.

    It looks like we crossed in our posts.  However, a router only needs to know the interface to send the packets out of to reach the next hop.  This can be any valid IPv6 address or, in the case of point to point links, just the interface.  Every route in a routing table eventually works it way down to an exit interface.  The routes in a routing table can be entered manually or via routing protocol.  It makes no difference.  All that matters is the exit interface to the next hop.


  • Netgate

    I agree, but Q: How does upstream know the downstream link-local address for a static route? A: It doesn’t and can’t.

    Here is the default route for my pfsense firewall:
    default            fe80::217:10ff:fe9 UGS        re0

    It lists the link local address for my ISP’s router and the interface it’s found on.

    Right. But that is downstream-to-upstream which is discovered using an RA.



  • I agree, but Q: How does upstream know the downstream link-local address for a static route? A: It doesn’t and can’t.

    It doesn’t need it.  All it needs to know is which direction takes a packet closer to the destination, that is the exit interface.  Then, at the next router, the same thing happens again, which exit interface to get the packet closer to the destination.  This can keep on happening for as many hops as necessary, until the packet reaches the destination network, where it’s finally delivered.  None of the routers along the path needs to know the WAN address of the destination router, only the way to get to the destination network.

    Think about what happens on IPv4.  Do all the routers know the WAN address of the destination network?  Or do they just know the way to the next hop, according to routing tables?  If you assume that the WAN IP address must be known, then the IP address of all the routers must also be known and with complex networks, that’s not likely to happen.

    Go to the command prompt and enter netstat -r and you’ll see the routing table listing which interface is used for the known addresses and the default route for any unknown addresses.


  • Netgate

    It doesn’t need it.  All it needs to know is which direction takes a packet closer to the destination, that is the exit interface.  Then, at the next router, the same thing happens again, which exit interface to get the packet closer to the destination.  This can keep on happening for as many hops as necessary, until the packet reaches the destination network, where it’s finally delivered.  None of the routers along the path needs to know the WAN address of the destination router, only the way to get to the destination network.

    Right. but that requires interface routes. You are mixing things up. There needs to be a next hop address. There is no way to know the link-local address of the next hop in this case.



  • There needs to be a next hop interface.  Point to point links don’t need an address at all and multipoint need the interface and next hop address.  That next hop address is usually link local on IPv6.  Any router address beyond the next hop is irrelevant.  As for the IPv6 address at the other end of a link, why is there any difference between GUA and link local?  If doing manual configuration, you’d need to know the address either way.  If using a routing protocol, such as OSPF, it’s all worked out automatically.

    Here’s something from the Cisco book IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6, 2nd ed., page 425:

    ipv6-address: The IPv6 address of the next hop that can be used to reach the specified
    network. The IPv6 address of the next hop need not be directly connected;
    recursion is done to find the IPv6 address of the directly connected next hop. When
    an interface type and interface number are specified, you can optionally specify
    the IPv6 address of the next hop to which packets are output. Note that you must
    specify an interface type and an interface number when using a link-local address as
    the next hop. (The link-local next hop must also be an adjacent router.) This argument
    must be in the form documented in RFC 4291, where the address is specified
    in hexadecimal, using 16-bit values between colons.

    Notice they say a link local address can be used.


  • Netgate

    Of course it can. If you know it.

    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.

    We are talking about a specific case where the ISP needs to route a /48 to a WAN interface at the customer.

    The ISP does not know the WAN link-local address.

    See Also: HE.NET GIF interfaces. Same thing.



  • We are talking about a specific case where the ISP needs to route a /48 to a WAN interface at the customer.

    No matter what it’s routing, it needs an IP address on a multipoint link.  That can be link local.  I provided my default gateway earlier, but here it is again:
    default            fe80::217:10ff:fe9 UGS        re0

    Notice that it’s link local.  This is on a cable modem connection, with the modem in bridge mode.  Using Wireshark, I discovered that my IPv6 gateway has the same MAC as shown for IPv4 in the arp cache.  So, I am using a link local address for the gateway.  Don’t forget, IPv6 can use things like neighbour advertisements to announce their IPv6 address and I can see those on the WAN link.  As mentioned, I am on a cable modem.  It uses DHCPv6 to get it’s WAN global address.  But DHCPv6 uses ICMPv6, using the link local address to reach the server.  So, with that mechanism, the server has the MAC address and link local address.  It will also have the DUID, as provided by the DHCPv6 client.  The ISP now has the link local address to use to forward the /48.

    See Also: HE.NET GIF interfaces. Same thing.

    He.net uses a point to point tunnel to carry IPv6 and therefore does not need any IP address.  However, this is a bit different situation, where the link has to be configured over IPv4.  The configuration tells the he.net router which link to use for the /48.

    This is one of the areas where IPv6 is different from IPv4.  It has the link local address which is used for so much in configuring networks etc.  No need for ARP.  DHCP is often used to provide addresses other than for an interface, though that can happen too.  It also has things like router and neighbour advertisements and requests and so much more.  It makes some things a lot easier than IPv4.

    BTW, I just used Packet Capture to look at my WAN interface.  I see neighbour solicitations and advertisements using link local addresses, not global, even though that interface has a global address.

    Also, how do you display the neighbour MAC addresses for IPv6 addresses in pfsense.  With Linux, the command ip -6 neigh show does it and with FreeBSD it should be npd -a, but that command is not available with pfsense.


  • Netgate

    Now reverse the roles. You are the ISP who needs to route a static /48 to a user. Do you route it to  fe80::217:10ff:fe9 Or do you assign the end user a unicast address on their WAN interface and route to that? You cannot use DHCP6 and you cannot use SLAAC. What do you do?


  • Rebel Alliance

    Ding Ding Ding - and we have a winner 😉


  • Netgate

    
    Internet-Draft             IPv6 Design Choices              October 2016
    
    2.3.  Static Routes
    
    2.3.1.  Link-Local Next-Hop in a Static Route?
    
       For the most part, the use of static routes in IPv6 parallels their
       use in IPv4.  There is, however, one exception, which revolves around
       the choice of next-hop address in the static route.  Specifically,
       should an operator:
    
       a.  Use the far-end's link-local address as the next-hop address, OR
    
       b.  Use the far-end's GUA/ULA address as the next-hop address?
    
       Recall that the IPv6 specs for OSPF [RFC5340] and ISIS [RFC5308]
       dictate that they always use link-locals for next-hop addresses.  For
       static routes, [RFC4861] section 8 says:
    
          A router MUST be able to determine the link-local address for each
          of its neighboring routers in order to ensure that the target
          address in a Redirect message identifies the neighbor router by
          its link-local address.  For static routing, this requirement
          implies that the next-hop router's address should be specified
          using the link-local address of the router.
    
       This implies that using a GUA or ULA as the next hop will prevent a
       router from sending Redirect messages for packets that "hit" this
       static route.  All this argues for using a link-local as the next-hop
       address in a static route.
    
       However, there are two cases where using a link-local address as the
       next-hop clearly does not work.  One is when the static route is an
       indirect (or multi-hop) static route.  The second is when the static
       route is redistributed into another routing protocol.  In these
       cases, the above text from RFC 4861 notwithstanding, either a GUA or
       ULA must be used.
    
       Furthermore, many network operators are concerned about the
       dependency of the default link-local address on an underlying MAC
       address, as described in the previous section.
    
       **Today most operators use GUAs as next-hop addresses.**
    
    Matthews & Kuarsingh       Expires May 1, 2017                  [Page 8]
    
    


  • @Derelict:

    Now reverse the roles. You are the ISP who needs to route a static /48 to a user. Do you route it to  fe80::217:10ff:fe9 Or do you assign the end user a unicast address on their WAN interface and route to that? You cannot use DHCP6 and you cannot use SLAAC. What do you do?

    Routing is always to the next hop.  The routing tables point to the next closest router to the destination, always.  No exception.  The router simply needs to know the exit interface.  The address in the routing table is simply used to determine which interface that is.  Always.

    The ISP has the link local and MAC address of the end user and may have an IPv6 WAN address.  When a packet for the end user network arrives, the router looks up the interface to send it out to go to that network.  It uses an IP address, could be either link local or global address to determine the interface.  The packet is then sent out that interface to the customer’s router, where it will be forwarded to the local LAN.  This is how routing works at every single step of the way.  The packets are simply sent out the interface that will take it closer to the destination.  It makes no difference whether it’s another router that’s directly connected, a router connected via cable modem or DSL etc.  It’s just pushing packets out the correct interface and the addresses of all the routers in between are irrelevant.  They do not appear in the routing tables.  And no, the link local address is not routed and I’ve never claimed that.  It’s just irrelevant, except when used to determine the exit interface.  Let’s take this a step further and include MAC addresses.  That’s what IP addresses eventually resolve to on directly connected links.  Do you route according to MAC address when sending to a network several hops away?  No you don’t.  You also don’t route to any router IP address along the way.  You simply follow a route hop by hop to the destination network, as determined by the routing table.  As I’ve mentioned, you don’t even need an IP or even MAC address, if using a point to point link, as the interface alone is enough to get the right direction.

    Would you like me to suggest some books from Cisco that cover all this?



  • However, there are two cases where using a link-local address as the
      next-hop clearly does not work.  One is when the static route is an
      indirect (or multi-hop) static route.  The second is when the static
      route is redistributed into another routing protocol.  In these
      cases, the above text from RFC 4861 notwithstanding, either a GUA or
      ULA must be used.

    I assume this is the relevant section you’re referring to.  It lists exception to the rule.  The 2nd would seem to apply to something like converting between IPv4 and IPv6,  The other is simply recursive routing, where you have to go through the same processes repeatedly, until you work down to the next hop.

    Furthermore, many network operators are concerned about the
      dependency of the default link-local address on an underlying MAC
      address, as described in the previous section.

    For this, you’d need to know what the issues are.  It does not say link local cannot be used, but might not.



  • @JKnott:

    @Derelict:

    Now reverse the roles. You are the ISP who needs to route a static /48 to a user. Do you route it to  fe80::217:10ff:fe9 Or do you assign the end user a unicast address on their WAN interface and route to that? You cannot use DHCP6 and you cannot use SLAAC. What do you do?

    Routing is always to the next hop.  The routing tables point to the next closest router to the destination, always.  No exception.  The router simply needs to know the exit interface.  The address in the routing table is simply used to determine which interface that is.  Always.

    The ISP has the link local and MAC address of the end user and may have an IPv6 WAN address.  When a packet for the end user network arrives, the router looks up the interface to send it out to go to that network.  It uses an IP address, could be either link local or global address to determine the interface.  The packet is then sent out that interface to the customer’s router, where it will be forwarded to the local LAN.  This is how routing works at every single step of the way.  The packets are simply sent out the interface that will take it closer to the destination.  It makes no difference whether it’s another router that’s directly connected, a router connected via cable modem or DSL etc.  It’s just pushing packets out the correct interface and the addresses of all the routers in between are irrelevant.  They do not appear in the routing tables.  And no, the link local address is not routed and I’ve never claimed that.  It’s just irrelevant, except when used to determine the exit interface.  Let’s take this a step further and include MAC addresses.  That’s what IP addresses eventually resolve to on directly connected links.  Do you route according to MAC address when sending to a network several hops away?  No you don’t.  You also don’t route to any router IP address along the way.  You simply follow a route hop by hop to the destination network, as determined by the routing table.  As I’ve mentioned, you don’t even need an IP or even MAC address, if using a point to point link, as the interface alone is enough to get the right direction.

    Would you like me to suggest some books from Cisco that cover all this?

    All this assumes that everyone is using proper transfer networks that have no other hosts on them meaning they have an obvious “next hop” and the packets sent from the other end of the “pipe” have no other route to take other than the router at the other end. This doesn’t hold when you’re dealing with amateurs/hobbyists that like to be creative and don’t care about proper topology in their networks.


  • Netgate

    Dude. NOBODY is saying link-local cannot be used. What is your problem?



  • @Derelict:

    Dude. NOBODY is saying link-local cannot be used. What is your problem?

    You seemed to be implying that a routeable address was needed to reach the customer.

    Now reverse the roles. You are the ISP who needs to route a static /48 to a user. Do you route it to  fe80::217:10ff:fe9 Or do you assign the end user a unicast address on their WAN interface and route to that? You cannot use DHCP6 and you cannot use SLAAC. What do you do?

    BTW, to answer the question, beyond DHCPv6 and SLAAC, the customer would likely have their own prefix, which the ISP will route to.  This is often done using OSPF or at least knowing what’s at the other end of the connection.  I have set up several routers for business customers where all the info is provided.  The customer would then be connected to the ISP via fibre.  In this instance, it’s just a matter of configuring the routing, based on the info provided.  The ISP knows that the customer and only the customer is at the other end of the fibre.  They also know the customers prefix, either because they provided it or the customer advised them.  Also, in the case of a tunnel, as you mentioned, there is already some means to identify the customer.  With he.net, it’s account configuration.  With the provider I used to use, it was my login ID.  Also, as I mentioned, point to point links, such as he.net or VPN don’t even need an address.

    Don’t forget, routing is all about finding the next hop to a network.  All the router needs to know is the best way to get there.  It does not need to know the IP address of any router beyond the next one.  Now, at the ISP router, an IP address may be needed, as in the case of my cable modem.  Why is it necessary for that to be a routeable address, as you seem to imply, when it’s only going to be used over the link directly between the ISP’s and customer’s routers?  At that level, the IP address is resolved to a MAC address, to use over that link.  The IP address of the customer’s router is irrelevant beyond the ISP’s gateway router.

    Take a look at your default gateway and tell me what you see.  As I said before, mine’s a link local address.  The MAC for that link local address is the same as shown in the arp cache for the IPv4 default gateway.  And ultimately, it’s the MAC address that’s used to carry the traffic to the router.


  • Netgate

    @JKnott:

    You seemed to be implying that a routeable address was needed to reach the customer.

    What part of:

    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.
    Of course you can route to a link-local address.

    Did you not understand?



  • All this assumes that everyone is using proper transfer networks that have no other hosts on them meaning they have an obvious “next hop” and the packets sent from the other end of the “pipe” have no other route to take other than the router at the other end. This doesn’t hold when you’re dealing with amateurs/hobbyists that like to be creative and don’t care about proper topology in their networks.

    I’m not quite sure what you’re getting at, other than some users may be clueless about how networks work.  On point to point networks, all that’s needed is the interface, as there’s only one device beyond it.  On multipoint networks, such as Ethernet, a MAC address is needed to identify the individual devices on the shared network.  An IP address is only used to determine, via ARP or neighbour solicitation, the MAC address of the destination.

    In large networks, routers may have multiple interfaces and possibly multiple routes to a destination.  It uses the routing tables to determine the best interface to forward the packet over.  That’s all it does, find the best next hop to a destination.



  • Did you not understand?

    Please go back and look at the times when you said a link local address could not be used.  I quoted one of them. Perhaps I don’t understand because you said one thing at one time and something else at another.

    Here’s another quote:

    There is no way to know the link-local address of the next hop in this case.

    As I showed, there is what to know, whether it’s via DHCPv6 or manual configuration or whatever.  I also showed that my ISP has no problem working with a link local address.

    http://dilbert.com/strip/2018-05-22


  • Rebel Alliance

    “Please go back and look at the times when you said a link local address could not be used.”

    Where did Derelict ever say that link-local can never be used?

    He did clearly point out the RFC that clearly states 2 scenario’s where they do not work.

    “However, there are two cases where using a link-local address as the
      next-hop clearly does not work.  One is when the static route is an
      indirect (or multi-hop) static route.  The second is when the static
      route is redistributed into another routing protocol.  In these
      cases, the above text from RFC 4861 notwithstanding, either a GUA or
      ULA must be used.”

    I think this horse has been beaten enough 😉


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy