IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment
-
Is there any way to configure pfSense to both track my WAN interface and have Kea assign ULA addresses to my clients?
Current Configuration:
WAN Interface:
- IPv6 Configuration Type: DHCPv6
- DHCPv6 Prefix Delegation Size: /56
- Send IPv6 Prefix Hint: Enabled
- Do not wait for RA: Enabled
LAN Interface:
- IPv6 Configuration Type: Track Interface
- IPv6 Interface: WAN
- IPv6 Prefix ID: 4
System -> Advanced -> Networking:
- Do not allow PD/Address release: Enabled
My clients are able to generate addresses using SLAAC and I am able to access the internet using IPv6. However, SLAAC Temporary Addresses make it exceedingly difficult to author firewall rules targeting a specific host for outbound connections (including connections between 2 local interfaces).
I'm looking for the ability to:
- Use Kea to assign stable ULA addresses to clients so that I don't have to manually assign static IPs.
- Continue using SLAAC to generate stable and temporary GUA addresses for internet access.
- Continue using Track Interface so that I don't have issues when my ISP decides to change my Prefix Delegation.
This seems like a good use case for ULA. Any ideas how I can get this working?
-
@bfisher said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
Is there any way to configure pfSense to both track my WAN interface and have Kea assign ULA addresses to my clients?
Why would you want to assign ULA to clients, unless you don't want them to use the Internet?
-
@JKnott said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
Why would you want to assign ULA to clients, unless you don't want them to use the Internet?
I'm actually interested in assigning both to each client, GUAs (with Privacy Extensions) for internet bound requests and ULAs (without Privacy Extensions) for local traffic.
I'm mainly looking for a way to uniquely identify local traffic so that I can write rules of the form:
- Allow Host A1 on Network A to access Host B1 on Network B
- Do NOT Allow Host A2 on Network A to access Host B1 on Network B
I'd rather use ULAs to target local traffic so that I don't need to worry about those rules breaking if (and when) my ISP decides to change my prefix.
-
@bfisher said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
I'd rather use ULAs to target
Use IPv4 for that, problem solved?
-
@Bob.Dig said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
Use IPv4 for that, problem solved?
Already up and running. This is more of a technical curiosity for me, and a potential reality for anyone looking to go full native IPv6. I'm pretty sure this is a supported use case for IPv6.
-
@bfisher said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
This is more of a technical curiosity for me
You can configure Services>Router Advertisement to also use a ULA prefix (RA Subnet(s)) and add a ULA as a VIP for a pfSense interface.
-
@Bob.Dig said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
You can configure Services>Router Advertisement to also use a ULA prefix (RA Subnet(s)) and add a ULA as a VIP for a pfSense interface.
Yes, I've played around with this a bit. I was able to satisfy some of my requirements, but not all. I could either support GUA and ULA with SLAAC, or ULA only with Managed, but couldn't figure out how to support GUA with SLAAC and ULA with Managed. Under the ULA only scenario, I used NPt to translate using the interface tracked prefix (though I noticed that the Internal Prefix on the NPt dialog wouldn't actually accept a prefix, but kept reverting /64 to /128 on save until I specified an IP with a /64 subnet).
I think I need the ability to toggle the AdvAutonomous capability on the Router Advertisement per prefix. I think I also need a variable for the interface tracked prefix in order to correctly configure kea. Configuring kea to manage ULA leases while the WAN is tracked on an interface seemed like a pretty big hack. I needed to create a client-class [never-match] and override the client-class for the auto-generated subnet.
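The per-prefix AdvAutonomous split asked for above, written out as a hand-made radvd.conf fragment (an added example, not from this thread or from pfSense's generated configuration; the interface name igb1, the 2001:db8 documentation prefix and the fd00 ULA prefix are placeholders):

```conf
# radvd.conf: SLAAC for the GUA prefix, DHCPv6 (Kea) for the ULA prefix
interface igb1
{
    AdvSendAdvert on;
    # M flag: clients that run a DHCPv6 client ask the DHCPv6 server for addresses
    AdvManagedFlag on;
    # O flag: DNS and other options also come from DHCPv6
    AdvOtherConfigFlag on;

    # Delegated GUA /64 (placeholder): autonomous, so hosts build
    # stable and temporary SLAAC addresses for Internet traffic
    prefix 2001:db8:abcd:4::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };

    # ULA /64 (placeholder): on-link but NOT autonomous, so hosts do not
    # SLAAC it; the only ULA each host gets is the one Kea leases/reserves
    prefix fd00:1234:5678:4::/64
    {
        AdvOnLink on;
        AdvAutonomous off;
    };
};
```

pfSense regenerates its radvd.conf from the Router Advertisement GUI on every configuration change, so this shows the RA contents needed rather than a persistent edit. The ULA half also depends on every client actually running a DHCPv6 client that honours the M flag, which not all operating systems do.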
-
@bfisher SLAAC with ULA is static, why do you need more?
-
@Bob.Dig said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
SLAAC with ULA is static, why do you need more?
I'm trying to maintain Private Extensions for traffic destined for the internet. Temporary Addresses are suitable for GUA, but devices using Temporary Addresses will use those addresses for all outbound connections (at least this is my current understanding). This makes it impossible to target a specific device on a subnet when writing rules for local traffic. I considered disabling Private Extensions just for ULA, but it seems that it's an all or nothing kind of deal. If I disable Private Extensions on the host then I lose temporary addresses for both GUA and ULA.
I could be overlooking something obvious. I've only been playing with IPv6 for a couple days.
-
@bfisher said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
I'm actually interested in assigning both to each client, GUAs (with Privacy Extensions) for internet bound requests and ULAs (without Privacy Extensions) for local traffic.
You can use SLAAC to do that. That's what I have here.
-
@bfisher said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
This is more of a technical curiosity for me
I have GUA, ULA and IPv4 on my main LAN. It's very easy to do with SLAAC.
-
@JKnott said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
I have GUA, ULA and IPv4 on my main LAN.
And your LAN devices are generating both Stable and Temporary addresses for the GUA Prefix but only Stable addresses for the ULA Prefix? That sounds like exactly what I'm looking for. Did you need to do anything special on the clients? I was able to get both GUA and ULA up and running when I added the ULA Prefix as an additional prefix to the Router Advertisement, but the first thing my clients did was generate both Stable and Temporary addresses for both GUA and ULA prefixes.
-
IPv6 can be NAT'ed.
-
@tinfoilmatt said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
IPv6 can be NAT'ed.
I'm aware. But NAT-ing (apart from NPt) defeats the purpose of Temporary Addresses.
-
I was replying to @JKnott.
-
@bfisher said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
And your LAN devices are generating both Stable and Temporary addresses for the GUA Prefix but only Stable addresses for the ULA Prefix?
The ULA behaves exactly like the GUA. That is one stable address and up to seven temporary addresses.
-
@tinfoilmatt said in IPv6 Dynamic Prefix Delegation -> Stable ULA Assignment:
IPv6 can be NAT'ed.
Why???
NAT was developed as a means to stretch out the IPv4 addresses. There is no need for it in IPv6.
-
This thread identifies one possible legitimate use case: ULA-addressed LAN clients requiring Internet access.
-
While I view SLAAC as a potentially useful approach for a completely unmanaged network, such as a Starbucks, in a managed network it is a curse.
-
It's true. While temporary addresses resolve some privacy concerns about SLAAC that have been understood for a while now, the 'fingerprintable' subnet size that can be derived from them is definitely concerning.
The only way to actually manage SLAAC is to manually subnet a SLAAC prefix on the LAN side, which sort of defeats the purpose of SLAAC in the first place. (And even then, managing individual clients that employ temporary addresses is impossible.)