From nobody Mon Jul 29 10:05:37 2024
Date: Mon, 29 Jul 2024 11:05:37 +0100
From: Roy Marples <roy@marples.name>
To: "moto kawasaki"
Cc: "cross+freebsd", "freebsd-net"
Message-ID: <190fdf3e353.11351bb5e292296.3216692081725884177@marples.name>
In-Reply-To: <20240727.122108.862717899466090274.moto@kawasaki3.org>
References: <190e09e6c1a.11450232913849.654798645277119294@marples.name> <050440F8-B3D8-4B2C-85BD-D5C09C303037@distal.com> <20240727.122108.862717899466090274.moto@kawasaki3.org>
Subject: Re: DHCPv6 IA_PD - how-to
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
Sender: owner-freebsd-net@FreeBSD.org

---- On Sat, 27 Jul 2024 04:21:08 +0100 moto kawasaki wrote ---

> Hi Chris, all
>
> I am struggling with the same problem too, and here is my working
> configuration for dhcp6c in my test environment.
> Hope this can be of help.
>
>
> vtnet0 is the uplink, where I expect to receive RA from the ISP.
>
> If the upstream router sends an RA with PD with 2001:db8:beef::/56, dhcp6c
> will add sla-len (8 in this configuration) to the prefix length (/56)
> to get the final prefix length of /64.
> Also, dhcp6c will add sla-id (11 and 12, decimal) to the prefix, so that
> I will use 2001:db8:beef:b/64 and 2001:db8:beef:c/64 for assigning my
> internal network interfaces (vtnet1 and vtnet2).
>
> Well, I am wondering how I can tell the "authentication isp_auth" entry to
> use the "isp_key", especially when I have multiple "keyinfo" entries.
>
>
>
> ===== /usr/local/etc/dhcp6c.conf =====
> keyinfo isp_key {
>         realm "example.org";
>         keyid 1;
>         secret "JTY0XXXXXXXXXXXXXXX=="; # masked.
> };
>
> authentication isp_auth {
>         protocol delayed;
> };
>
> interface vtnet0 {
>         script "/usr/local/etc/dhcp6c-script.sh";
>         send ia-pd 3;
>         send authentication isp_auth;
>         request domain-name-servers;
>         request domain-name;
>         request ntp-servers;
>         #send rapid-commit;
> };
>
> id-assoc pd 3 {
>         prefix-interface vtnet1 {
>                 sla-id 11;
>                 sla-len 8;
>         };
>         prefix-interface vtnet2 {
>                 sla-id 12;
>                 sla-len 8;
>         };
> };
> =====

For dhcpcd you would do this:

interface vtnet0
        ia_pd 3 vtnet1/11 vtnet2/12
        option domain_name_servers, domain_name, ntp_servers
        authproto delayed
        authtoken 1 "example.org" forever "JTY0XXXXXXXXXXXXXXX=="

But please note that delayed authentication has now been obsoleted:
https://datatracker.ietf.org/doc/html/rfc8415#section-25

While dhcpcd supports it to some extent, it's not widely tested and could be
broken in any given release as I don't have a means of testing it right now.

The only real authentication support that is in the RFCs is the reconfigure key.
https://datatracker.ietf.org/doc/html/rfc8415#section-20.4

Roy
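As an added example (not part of this thread and not code from dhcp6c or dhcpcd), the sla-len/sla-id arithmetic moto describes, carried out for the delegation and interfaces in the thread, with the checks a practitioner would want before committing the config: that each sla-id fits in sla-len bits, that no two interfaces get the same sub-prefix, and that the result is a /64. The function name, the (plan, problems) return shape and the constructed sample values are assumptions of this example.

```python
import ipaddress

# Constructed sample matching the thread: the ISP delegates 2001:db8:beef::/56,
# sla-len 8 extends it to /64, and sla-id 11 / 12 select the per-interface nets.
DELEGATED = "2001:db8:beef::/56"
SLA_LEN = 8
SLA_IDS = {"vtnet1": 11, "vtnet2": 12}


def plan_ia_pd(delegated, sla_len, sla_ids):
    """Carve one /(plen + sla_len) network per interface out of an IA_PD
    delegation, placing each sla-id in the bits immediately after the
    delegated prefix (the arithmetic the thread describes for dhcp6c).
    Returns (plan, problems): plan maps interface -> "prefix/len" for every
    assignment that is valid; problems lists why the others were rejected."""
    plan, problems = {}, []
    try:
        pd = ipaddress.IPv6Network(delegated, strict=True)
    except ValueError as exc:
        return plan, [f"bad delegated prefix {delegated!r}: {exc}"]
    new_plen = pd.prefixlen + sla_len
    if new_plen > 128:
        return plan, [f"sla-len {sla_len} pushes {pd} past /128"]
    if new_plen != 64:
        problems.append(f"resulting /{new_plen} is not a /64; SLAAC on the "
                        "downstream links will not work")
    seen = {}  # sla-id -> interface, to catch two interfaces sharing a net
    for iface, sla_id in sla_ids.items():
        if not 0 <= sla_id < (1 << sla_len):
            problems.append(f"{iface}: sla-id {sla_id} needs more than "
                            f"{sla_len} bits")
            continue
        if sla_id in seen:
            problems.append(f"{iface}: sla-id {sla_id} already used by "
                            f"{seen[sla_id]}")
            continue
        seen[sla_id] = iface
        # Shift the sla-id so it lands just below the delegated prefix length;
        # the range check above guarantees the result stays inside pd.
        addr = int(pd.network_address) | (sla_id << (128 - new_plen))
        plan[iface] = str(ipaddress.IPv6Network((addr, new_plen)))
    return plan, problems


if __name__ == "__main__":
    plan, problems = plan_ia_pd(DELEGATED, SLA_LEN, SLA_IDS)
    for iface, net in plan.items():
        print(f"{iface}: {net}")
    for p in problems:
        print("problem:", p)
```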