
Mailing List Archive: nsp: ipv6

Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE

 

 



frnkblk at iname

Jan 10, 2011, 9:04 PM

Post #1 of 19 (3519 views)
Permalink
Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE

I'm trying to get our lab bench Cisco 7206VXR (running 12.2(33)SRE2) to
cooperate with me in regards to using an external DHCPv6 server (ISC v4.2)
to delegate IPv6 prefixes to CPE.

Here's the relevant config snippets from the 7206VXR:

interface Loopback0
 ip address 192.168.99.1 255.255.255.0
 ipv6 address 2607:FE28:40FF::1/64
 ipv6 enable
!

interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 peer default ip address pool pool-lns
 peer default ipv6 pool ipv6pool-lns
 ipv6 address autoconfig
 ipv6 enable
 ipv6 nd other-config-flag
 no ipv6 nd ra suppress
 ipv6 dhcp relay destination 2607:FE28:0:1000::7
 ppp authentication pap
!
ip local pool pool-lns 192.168.99.100 192.168.99.150
!
ipv6 local pool ipv6pool-lns 2607:FE28:4000::/56 64

Our DHCP server is reporting the following:
Jan 10 17:17:13 node7 dhcpd: Relay-forward message from
2607:fe28:11:1000::1013 port 547, link address ::, peer address
fe80::9c0:e2eb:83e7:8467
Jan 10 17:17:13 node7 dhcpd: [L2 Relay] No link address in relay
packet assuming L2 relay and using receiving interface
Jan 10 17:17:13 node7 dhcpd: Unable to pick client prefix: no IPv6
pools on this shared network
Jan 10 17:17:13 node7 dhcpd: Sending Relay-reply to
2607:fe28:11:1000::1013 port 547

So the CPE is making a DHCPv6-PD request, but apparently the DHCPv6 request
is getting forwarded without a link address. I would have presumed the link
address would be from the 2607:FE28:4000::/56 address space. I've used both
a D-Link DIR-615 and Cisco 871W as CPE, but not getting any success.

Any ideas? Is anyone else doing this?!?

Frank


pelle at hemmop

Jan 10, 2011, 11:11 PM

Post #2 of 19 (3376 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

Hi Frank.

> I'm trying to get our lab bench Cisco 7206VXR (running 12.2(33)SRE2) to
> cooperate with me in regards to using an external DHCPv6 server (ISC v4.2)
> to delegate IPv6 prefixes to CPE.
>
> Any ideas?  Is anyone else doing this?!?

I've got similar results in a somewhat different setup:

interface GigabitEthernet0/2.601
encapsulation dot1Q 601
ipv6 enable
ipv6 dhcp relay destination FD00:8C0:199::199

With this config the relay (7200/NPE-G2 running SRD/SRE) also sends
empty link addresses towards the DHCPv6 server (ISC 4.1 in my case).

The only way I managed to get DHCP-PD working was adding an IPv6
address on the interface + running SLAAC on the CPE.

Reading the RFC (http://tools.ietf.org/html/rfc3315#section-20.1.1)
this behaviour is expected. The Interface-Id option is populated, but
AFAIK ISC can't use that when selecting the scope.

--
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.


frnkblk at iname

Jan 12, 2011, 8:39 PM

Post #3 of 19 (3362 views)
Permalink
RE: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

Interesting. With PVI's I had no issue on the 7206VXR or 7609-S running
12.2(33)SRE2. Have you tried the "ipv6 dhcp relay source xxxx" option, so
that the source is specified?

BTW, I would recommend running ISC dhcp v4.2 or later. There's IPv6-related
items fixed/working in v4.2.

Frank



pelle at hemmop

Jan 13, 2011, 4:42 AM

Post #4 of 19 (3366 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

Hi

> Interesting.  With PVI's I had no issue on the 7206VXR or 7609-S running
> 12.2(33)SRE2.  Have you tried the "ipv6 dhcp relay source xxxx" option, so
> that the source is specified?

Yes, but that doesn't solve anything. Here are two tshark captures illustrating it:

Without "dhcp-relay source":

Internet Protocol Version 6
Source: fd00:8c0:3::91 (fd00:8c0:3::91)
Destination: fd00:8c0:1::20 (fd00:8c0:1::20)
DHCPv6
Message type: Relay-forw (12)
Hop count: 0
Link-address: ::
Peer-address: fe80::219:aaff:fe85:9981


With "dhcp-relay source":

Internet Protocol Version 6
Source: fd00:8c0:2116::1:7 (fd00:8c0:2116::1:7)
Destination: fd00:8c0:1::20 (fd00:8c0:1::20)
DHCPv6
Message type: Relay-forw (12)
Hop count: 0
Link-address: ::
Peer-address: fe80::219:aaff:fe85:9981


In both cases there is no link address and just a link local peer
address, it's just the source of the IPv6 frame that's changed. And
isc-dhcpd doesn't use that info when selecting the subnet6 clause (see
below).

> BTW, I would recommend running ISC dhcp v4.2 or later.  There's IPv6-related
> items fixed/working in v4.2.

Yes, but I'm running Debian on the server, and it's only 4.1.1 that's
pre-packaged. Unfortunately 4.2 won't be available in the next release
(squeeze) either.

Anyway, looking at the 4.2 sources reveals what isc-dhcpd is looking
for. The function mapping packet to subnets
(shared_network_from_packet6) starts at line 4159 in the file
server/dhcpv6.c. The comments say it all:

1)
/*
* First, find the link address where the packet from the client
* first appeared (if this packet was relayed).
*/

pseudo code: looking for a link address which is neither unspecified
nor link local.

/*
* If there is a relayed link address, find the subnet associated
* with that, and use that to get the appropriate
* shared_network.
*/


2)
/*
* If there is no link address, we will use the interface
* that this packet came in on to pick the shared_network.
*/


That is: first look for the link address in the DHCPv6 packet,
secondly use the interface on the DHCPv6 *server* the packet was
received on.

In practice the second option is not very viable in an SP environment,
which gives you only one option left: make sure the DHCPv6 packet does
have an identifiable link address.

Changing the source address of the relayed packet doesn't help much.

--
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.
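
The selection order described in the post above, as an added example that is not part of the original thread and is not ISC's code: it parses the fixed header of a DHCPv6 Relay-forward message and picks a scope in the order the quoted comments give. The subnets, the Interface-Id value, the function names and the sample packets are constructed for illustration; only the peer address comes from the captures.

```python
import ipaddress
import struct

RELAY_FORW = 12           # "Relay-forw (12)" in the captures above
OPTION_INTERFACE_ID = 18  # Interface-Id option (RFC 3315)


def build_relay_forw(link, peer, interface_id=b"Gi0/2.601"):
    """Build a constructed Relay-forward: fixed header plus Interface-Id."""
    header = bytes([RELAY_FORW, 0])                 # msg-type, hop-count 0
    header += ipaddress.IPv6Address(link).packed    # link-address
    header += ipaddress.IPv6Address(peer).packed    # peer-address
    option = struct.pack("!HH", OPTION_INTERFACE_ID, len(interface_id))
    return header + option + interface_id


def parse_relay_forw(data):
    """Return hop count, link-address, peer-address and raw options."""
    if len(data) < 34:
        raise ValueError("truncated relay header")
    if data[0] != RELAY_FORW:
        raise ValueError("not a Relay-forward message")
    options, offset = {}, 34
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if offset + length > len(data):
            raise ValueError("option overruns packet")
        options[code] = data[offset:offset + length]
        offset += length
    return {
        "hops": data[1],
        "link": ipaddress.IPv6Address(data[2:18]),
        "peer": ipaddress.IPv6Address(data[18:34]),
        "options": options,
    }


def select_scope(relay, subnets, receiving_subnet):
    """Pick a subnet in the order the quoted comments describe."""
    link = relay["link"]
    # Step 1: a link address that is neither unspecified nor link-local.
    if not (link.is_unspecified or link.is_link_local):
        for net in subnets:
            if link in net:
                return "link-address", net
        return "link-address", None   # no match: this example returns no scope
    # Step 2: no usable link address, so fall back to the interface the
    # server received the packet on.
    return "receiving-interface", receiving_subnet


# Constructed server view: one customer-facing subnet, one local segment.
CUSTOMER_NET = ipaddress.IPv6Network("2001:db8:4000::/56")
SERVER_NET = ipaddress.IPv6Network("2001:db8:ffff::/64")
PEER = "fe80::219:aaff:fe85:9981"   # peer address from the captures above

if __name__ == "__main__":
    for link in ("::", "2001:db8:4000::1"):
        relay = parse_relay_forw(build_relay_forw(link, PEER))
        how, net = select_scope(relay, [CUSTOMER_NET], SERVER_NET)
        print(f"link-address {relay['link']} -> {how}: {net}")
```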


pelle at hemmop

Jan 13, 2011, 7:44 AM

Post #5 of 19 (3355 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

> Interesting.  With PVI's I had no issue on the 7206VXR or 7609-S running
> 12.2(33)SRE2.  Have you tried the "ipv6 dhcp relay source xxxx" option, so
> that the source is specified?

Aargh, missed your solution to the problem (the thread broke).

Adding "ipv6 unnumbered X" to the sub-interface fills in the link
address beautifully => DHCPv6-PD works fine (on 4.1.1).

--
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.


frnkblk at iname

Jan 13, 2011, 8:26 AM

Post #6 of 19 (3349 views)
Permalink
RE: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

Glad to hear. My bad for not suggesting it. I had presumed you had an IPv6
address on that interface.

Frank



pelle at hemmop

Jan 13, 2011, 9:42 AM

Post #7 of 19 (3354 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

Hi again.

> Glad to hear.  My bad for not suggesting it.  I had presumed you had an IPv6
> address on that interface.

No I didn't. In fact I have tried hard *not* to have a global IPv6
address on the WAN-link.

--
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.


swmike at swm

Jan 13, 2011, 11:35 AM

Post #8 of 19 (3347 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

On Thu, 13 Jan 2011, Per Carlson wrote:

> Hi again.
>
>> Glad to hear.  My bad for not suggesting it.  I had presumed you had an IPv6
>> address on that interface.
>
> No I didn't. In fact I have tried hard *not* to have a global IPv6
> address on the WAN-link.

If you create a loopback interface with a PD address and use that as
unnumbered address on the WAN interface, does that work?

That's what I advocated for the CPE router draft anyway, I sure hope it
works to do what you want to do (make the customer only have IPs from the
PD space).

--
Mikael Abrahamsson email: swmike [at] swm


pelle at hemmop

Jan 14, 2011, 4:54 AM

Post #9 of 19 (3336 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

Hi Mikael.

> If you create a loopback interface with a PD address and use that as
> unnumbered address on the WAN interface, does that work?

Yes, at least on a 1841 running 15.1(3)T [0].

> That's what I advocated for the CPE router draft anyway, I sure hope it
> works to do what you want to do (make the customer only have IPs from the PD
> space).

I don't really see how this would improve anything. What's the point
on assigning an IPv6 address on the WAN interface the BNG (PE) doesn't
know about? And informing it by running SLAAC "backwards" (CPE assigns
addresses to BNG) seems rather weird... Risking the CPE sending a
default route towards the BNG is even worse!

[0] Tried this first with 12.4(23), but that one is broken. DHCPv6
Solicits are sourced with the loopback LL address, but it never
listened on that address on the physical interface.

--
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.


pelle at hemmop

Jan 14, 2011, 5:52 AM

Post #10 of 19 (3345 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

Hi.

After playing a bit more, I can answer my questions myself.

>> If you create a loopback interface with a PD address and use that as
>> unnumbered address on the WAN interface, does that work?
>
> Yes, at least on a 1841 running 15.1(3)T [0].

It's even better: You can directly assign a PD address on the WAN interface:

interface FastEthernet0/1.1600
 encapsulation dot1Q 1600
 ipv6 address PREFIX ::/64 eui-64
 ipv6 enable
 ipv6 nd autoconfig default-route
 ipv6 dhcp client pd PREFIX rapid-commit
end

CPE#sh ipv6 interface FastEthernet0/1.1600
FastEthernet0/1.1600 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::219:AAFF:FE85:9981
No Virtual link-local address(es):
General-prefix in use for addressing
Global unicast address(es):
FD00:8C0:474E:9500:219:AAFF:FE85:9981, subnet is
FD00:8C0:474E:9500::/64 [EUI/CAL/PRE]
valid lifetime 42847 preferred lifetime 26647
<snip/>

BNG#ping FD00:8C0:474E:9500:219:AAFF:FE85:9981
Sending 5, 100-byte ICMP Echos to
FD00:8C0:474E:9500:219:AAFF:FE85:9981, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms


>> That's what I advocated for the CPE router draft anyway, I sure hope it
>> works to do what you want to do (make the customer only have IPs from the PD
>> space).
>
> I don't really see how this would improve anything. What's the point
> on assigning an IPv6 address on the WAN interface the BNG (PE) doesn't
> know about?

It does, the PD aggregate of course covers the WAN link. The BNG doesn't
need to know/care which subnet from the PD is used.

> And informing it by running SLAAC "backwards" (CPE assigns
> addresses to BNG) seems rather weird... Risking the CPE sending a
> default route towards the BNG is even worse!

There is no need for SLAAC and thus no security risk.

In addition to those findings, I did discover a (new? can't find any
documentation) knob in IOS. By configuring an interface with "ipv6 nd
autoconfig default-route" it automatically installs a default-route
pointing to the BNG LL address. Nice!

CPE#sh ipv6 route
S ::/0 [2/0]
via FE80::207:84FF:FE22:FC1A, FastEthernet0/1.1600
<snip>

--
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.


bjorn at mork

Jan 14, 2011, 6:49 AM

Post #11 of 19 (3334 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

Per Carlson <pelle [at] hemmop> writes:

> After playing a bit more, I can answer my questions myself.
>
>>> If you create a loopback interface with a PD address and use that as
>>> unnumbered address on the WAN interface, does that work?
>>
>> Yes, at least on a 1841 running 15.1(3)T [0].
>
> It's even better: You can directly assign a PD address on the WAN interface:

Really? rfc3633 says

Upon the receipt of a valid Reply message, for each IA_PD the
requesting router assigns a subnet from each of the delegated
prefixes to each of the links to which the associated interfaces are
attached, with the following exception: the requesting router MUST
NOT assign any delegated prefixes or subnets from the delegated
prefix(es) to the link through which it received the DHCP message
from the delegating router.


Bjørn


swmike at swm

Jan 14, 2011, 7:10 AM

Post #12 of 19 (3332 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

On Fri, 14 Jan 2011, Per Carlson wrote:

> I don't really see how this would improve anything. What's the point on
> assigning an IPv6 address on the WAN interface the BNG (PE) doesn't know
> about? And informing it by running SLAAC "backwards" (CPE assigns
> addresses to BNG) seems rather weird... Risking the CPE sending a
> default route towards the BNG is even worse!

What? Why on earth would the CPE assign addresses to BNG (I don't know
what BNG is, but I guess it's the ISP PE). The WAN link should be link
local only and if there should be an IP address on WAN, it should be a
/128 from the PD space.

The customer should never be able to source traffic from anything outside
his/her PD, and the ISP core/access equipment should never have an IP in
the PD space.

--
Mikael Abrahamsson email: swmike [at] swm


pelle at hemmop

Jan 14, 2011, 8:30 AM

Post #13 of 19 (3328 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

Hi Bjørn.

> > It's even better: You can directly assign a PD address on the WAN interface:
>
> Really? rfc3633 says
>
> Upon the receipt of a valid Reply message, for each IA_PD the
> requesting router assigns a subnet from each of the delegated
> prefixes to each of the links to which the associated interfaces are
> attached, with the following exception: the requesting router MUST
> NOT assign any delegated prefixes or subnets from the delegated
> prefix(es) to the link through which it received the DHCP message
> from the delegating router.

I don't know the reasoning behind the MUST NOT, but it is configurable and
seems to work fine. Clearly Cisco do violate the RFC here, but without any
apparent harm.

--
Pelle


fbulk at mypremieronline

Jan 14, 2011, 9:16 AM

Post #14 of 19 (3329 views)
Permalink
RE: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

And that all happens automatically on Cisco's routers (800-series, etc)?

Frank

-----Original Message-----
From: Per Carlson [mailto:pelle [at] hemmop]
Sent: Friday, January 14, 2011 8:58 AM
To: frnkblk [at] iname
Cc: ipv6-ops [at] lists
Subject: Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE

> If the PD address is assigned to the WAN, what does the LAN get?

The PD is typically a /56 or /48. Just split off one /64 of that range
to the WAN side.

--
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.


pelle at hemmop

Jan 14, 2011, 2:35 PM

Post #15 of 19 (3328 views)
Permalink
Re: RE: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

> And that all happens automatically on Cisco's routers (800-series, etc)?

No, very little happens automatically. It's quite easy to configure though.
Read it up in the IPv6 DHCP Config Guide.

--
Pelle


frnkblk at iname

Jan 14, 2011, 2:56 PM

Post #16 of 19 (3328 views)
Permalink
RE: RE: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

The part I meant about "all happens automatically" was the LAN interface
sharing the use of the delegated prefix, a part of which you already used on
the WAN interface.

My guess is that you just need to add "ipv6 dhcp client pd <dhcp-prefix>" to
the LAN interface.

Frank



pelle at hemmop

Jan 14, 2011, 10:01 PM

Post #17 of 19 (3306 views)
Permalink
Re: RE: RE: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

> The part I meant about "all happens automatically" was the LAN interface
> sharing the use of the delegated prefix, a part of which you already used on
> the WAN interface.
>
> My guess is that you just need to add "ipv6 dhcp client pd <dhcp-prefix>" to
> the LAN interface.

No, the PD client should only run on the WAN interface. Use the command you
just described. Note that <dhcp-prefix> is just a name, e.g. PREFIX, PD, or
myprefix.

On the LAN you apply the delegated prefix with a command like "ipv6 address
<dhcp-prefix> 0:0:0:1::/64 eui-64". This gives you the second (0:0:0:0:: is
the first) /64 out of the delegation.

--
Pelle
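
The arithmetic behind "ipv6 address <dhcp-prefix> 0:0:0:1::/64 eui-64" as described in the post above, as an added example that is not part of the original thread and is not IOS code. The /56 delegation length, the function names and the rejection of sub-prefix bits that overlap the delegation are assumptions of this example; the address and MAC-derived interface ID are the ones shown in the earlier "sh ipv6 interface" output.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64: insert ff:fe in the middle, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(eui, "big")


def apply_general_prefix(delegated, sub_bits, mac=None):
    """Combine a delegated prefix with the '<sub-bits>/<len>' part of the
    interface command; with mac set, fill the host part as eui-64 does."""
    pd = ipaddress.IPv6Network(delegated)
    sub = ipaddress.IPv6Interface(sub_bits)
    plen = sub.network.prefixlen
    if plen < pd.prefixlen:
        raise ValueError("interface prefix is shorter than the delegation")
    sub_int = int(sub.ip)
    # Assumption of this example: bits inside the delegated part must be
    # zero, otherwise the result would leave the customer's delegation.
    if sub_int >> (128 - pd.prefixlen):
        raise ValueError("sub-prefix bits overlap the delegated prefix")
    addr = int(pd.network_address) | sub_int
    if mac is not None:
        if plen != 64:
            raise ValueError("eui-64 needs a /64")
        addr = (addr >> 64 << 64) | eui64_interface_id(mac)
    return ipaddress.IPv6Interface((addr, plen))


# Delegation length /56 is assumed; the thread only shows the resulting /64.
DELEGATED = "fd00:8c0:474e:9500::/56"
CPE_MAC = "0019.aa85.9981"   # derived from the link-local address in the thread

if __name__ == "__main__":
    # First /64 of the delegation (the "::/64 eui-64" form).
    print(apply_general_prefix(DELEGATED, "::/64", CPE_MAC))
    # Second /64, as in "0:0:0:1::/64 eui-64".
    print(apply_general_prefix(DELEGATED, "0:0:0:1::/64", CPE_MAC))
    # Sub-prefix bits that do not fit in a /56 are rejected.
    try:
        apply_general_prefix(DELEGATED, "0:0:0:ffff::1/64")
    except ValueError as exc:
        print("rejected:", exc)
```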


swmike at swm

Jan 14, 2011, 10:21 PM

Post #18 of 19 (3296 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

On Fri, 14 Jan 2011, Per Carlson wrote:

> Hi Bjørn.
>
>>> It's even better: You can directly assign a PD address on the WAN interface:
>>
>> Really? rfc3633 says
>>
>> Upon the receipt of a valid Reply message, for each IA_PD the
>> requesting router assigns a subnet from each of the delegated
>> prefixes to each of the links to which the associated interfaces are
>> attached, with the following exception: the requesting router MUST
>> NOT assign any delegated prefixes or subnets from the delegated
>> prefix(es) to the link through which it received the DHCP message
>> from the delegating router.
>
> I don't know the reasoning behind the MUST NOT, but it is configurable and
> seems to work fine. Clearly Cisco do violate the RFC here, but without any
> apparent harm.

I'd say Cisco has made it possible to violate the RFC, which I think is
the correct decision on their part.

The text from RFC3633 should be followed for default configuration, but
it's common that RFC-violating behaviour is allowed through specific
configuration. I'm very happy this is the case.

--
Mikael Abrahamsson email: swmike [at] swm


otroan at employees

Jan 16, 2011, 8:41 AM

Post #19 of 19 (3248 views)
Permalink
Re: Using an *external* DHCPv6 server for prefix-delegation in conjunction with PPPoE [In reply to]

Per,

> After playing a bit more, I can answer my questions myself.
>
>>> If you create a loopback interface with a PD address and use that as
>>> unnumbered address on the WAN interface, does that work?
>>
>> Yes, at least on a 1841 running 15.1(3)T [0].
>
> It's even better: You can directly assign a PD address on the WAN interface:
>
> interface FastEthernet0/1.1600
> encapsulation dot1Q 1600
> ipv6 address PREFIX ::/64 eui-64
> ipv6 enable
> ipv6 nd autoconfig default-route
> ipv6 dhcp client pd PREFIX rapid-commit
> end

it would be cleaner and more in the spirit of RFC3633 and "http://tools.ietf.org/html/draft-ietf-v6ops-ipv6-cpe-router-09" if you assigned the address to a loopback interface.

e.g:
interface FastEthernet0/1.1600
 ! CPE interface with "Basic CPE behaviour"
 encapsulation dot1Q 1600
 ipv6 address autoconfig default ! will "fail" in your case, but does router discovery (sends RS)
 ipv6 address dhcp ! fails in your case
 ipv6 dhcp client pd PREFIX rapid-commit
 ipv6 nd suppress-ra ! don't send RA messages from the CPE on the WAN interface
!
interface Loopback0
 ipv6 address PREFIX 0:0:0:FFFF::1/64 ! use the last prefix for the internal loopback
!
interface FastEthernet0/0
 ipv6 address PREFIX ::/64 eui-64 ! use the first prefix for the customer LAN
!

in this example the WAN interface tries both SLAAC and DHCP to acquire an address. this works fine in your case with link-local only also. just make sure you send an empty RA on the WAN link.

cheers,
Ole
