Date: Wed, 24 Jul 2024 09:51:58 -0400 From: Karl Denninger <karl@denninger.net> To: freebsd-net@freebsd.org Subject: Re: DHCPv6 IA_PD - how-to Message-ID: <b362c5eb-9189-40d9-b591-99c5aa929d5d@denninger.net> In-Reply-To: <190e3ca9424.10cb640b9133631.4510537448957801250@marples.name> References: <CA0C0E7D-4956-4DB4-A274-D74C84A18529@distal.com> <190e09e6c1a.11450232913849.654798645277119294@marples.name> <ed40dd43-3aa9-42ac-aff9-0d14c041379a@denninger.net> <190e3ca9424.10cb640b9133631.4510537448957801250@marples.name>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------ZlKgUPqDuAzK60AaWfHLq3PW
Content-Type: multipart/mixed; boundary="------------fe127SMeySDF6XwQKFdUB2Ak";
protected-headers="v1"
From: Karl Denninger <karl@denninger.net>
To: freebsd-net@freebsd.org
Message-ID: <b362c5eb-9189-40d9-b591-99c5aa929d5d@denninger.net>
Subject: Re: DHCPv6 IA_PD - how-to
References: <CA0C0E7D-4956-4DB4-A274-D74C84A18529@distal.com>
<190e09e6c1a.11450232913849.654798645277119294@marples.name>
<ed40dd43-3aa9-42ac-aff9-0d14c041379a@denninger.net>
<190e3ca9424.10cb640b9133631.4510537448957801250@marples.name>
In-Reply-To: <190e3ca9424.10cb640b9133631.4510537448957801250@marples.name>
--------------fe127SMeySDF6XwQKFdUB2Ak
Content-Type: multipart/alternative;
boundary="------------crjlbAr4tMSgziWVhJ1QB1Y3"
--------------crjlbAr4tMSgziWVhJ1QB1Y3
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64
T24gNy8yNC8yMDI0IDA0OjEwLCBSb3kgTWFycGxlcyB3cm90ZToNCj4gICAtLS0tIE9uIFdl
ZCwgMjQgSnVsIDIwMjQgMDI6NDg6MTUgKzAxMDAgIEthcmwgRGVubmluZ2VyICB3cm90ZSAt
LS0NCj4gICA+ICAgICBJJ2QgbGlrZSB0byByZXBsaWNhdGUgdGhpcyB0aGF0IGlzIGN1cnJl
bnRseSBiZWluZyBzZW50IHVwIHZpYSAgICAgIGRoY3A2Yywgd2hpY2ggaXMgbm90IHF1aXRl
LWNsZWFyIHRvIG1lIGZyb20gdGhlIGRvY3Mgb24gaG93IHRvIGRvICAgICAgdGhhdC4uDQo+
ICAgPiAgICAgIw0KPiAgID4gICAgICAgIyBUaGlzIGNvbmZpZ3VyYXRpb24gd2lsbCBhdHRl
bXB0IHRvIGdldCAvNTYgb3IgYSAvNjAgZnJvbSB0aGUNCj4gICA+ICAgICAgICMgSVNQIGFu
ZCBhc3NpZ24gYSAvNjQgaW50ZXJuYWxseS4NCj4gICA+ICAgICAgICMgTm90ZSB0aGF0IGlm
IHlvdSBoYXZlIGEgLzYwIHlvdSBjYW4gaGF2ZSBmb3VyIC82NHMgZGVmaW5lZDsgaWYgICAg
ICB5b3UgaGF2ZSBhDQo+ICAgPiAgICAgICAjIC81NiB0aGVuIG9idmlvdXNseSB5b3UgY2Fu
IGhhdmUgMTYgaW50ZXJuYWwgbmV0d29ya3MuwqAgRm9yIG1vc3QgICAgICAiaG91c2UiDQo+
ICAgPiAgICAgICAjIHNpemUgbmV0d29ya3MgZm91ciBzZXBhcmF0ZSBkZWxpbmVhdGlvbnMg
aXMgZW5vdWdoLCBmb3IgbW9zdCAgICAgICJtb2RlcmF0ZSINCj4gICA+ICAgICAgICMgc2l6
ZWQgY29ycG9yYXRlIGVudmlyb25tZW50cyAxNiBpcyBlbm91Z2guwqAgQkUgQVdBUkUgVEhB
VCBUSEUgICAgICBTTEEtTEVOIE1VU1QNCj4gICA+ICAgICAgICMgTUFUQ0ggVEhFIERJRkZF
UkVOQ0UgQkVUV0VFTiBUSEUgTE9DQUwgUFJFRklYIEFORCBUSEUgUkVNT1RFICAgICAgT05F
IcKgIElmDQo+ICAgPiAgICAgICAjIHlvdSBhc2sgZm9yIGEgLzU2IHRoZW4gc2xhLWxlbiBp
cyA4LCBpZiB5b3UgYXNrIGZvciBhIC82MCB0aGVuICAgICAgdGhlIHNsYS1sZW4NCj4gICA+
ICAgICAgICMgaXMgNCAoZGlmZmVyZW5jZSBiZXR3ZWVuIHRoZSByZXF1ZXN0ZWQgcHJlZml4
IGxlbmd0aCBhbmQgNjQsICAgICAgcmVzcGVjdGl2ZWx5LikNCj4gICA+ICAgICAgICMNCj4g
ICA+DQo+ICAgPiAgICAgICBpbnRlcmZhY2UgaWdiMCB7DQo+ICAgPiAgICAgICDCoMKgwqDC
oCBzZW5kIGlhLXBkIDE7DQo+ICAgPiAgICAgICDCoMKgwqDCoCBzZW5kIGlhLW5hIDE7DQo+
ICAgPiAgICAgICDCoMKgwqDCoCBzZW5kIHJhcGlkLWNvbW1pdDsNCj4gICA+ICAgICAgIMKg
wqDCoMKgIHNjcmlwdCAiL3Vzci9sb2NhbC9ldGMvZGhjcDZjLnNjcmlwdCI7DQo+ICAgPiAg
ICAgICB9Ow0KPiAgID4NCj4gICA+ICAgICAgIGlkLWFzc29jIG5hIDEgew0KPiAgID4NCj4g
ICA+ICAgICAgIH07DQo+ICAgPg0KPiAgID4gICAgICAgaWQtYXNzb2MgcGQgMSB7DQo+ICAg
PiAgICAgICDCoCBwcmVmaXggOjovNTYgMTgwMDsNCj4gICA+DQo+ICAgPiAgICAgICDCoCBw
cmVmaXgtaW50ZXJmYWNlIGlnYjEgew0KPiAgID4gICAgICAgwqDCoMKgIHNsYS1pZCAwOw0K
PiAgID4gICAgICAgwqDCoMKgIHNsYS1sZW4gODsNCj4gICA+ICAgICAgIMKgIH07DQo+ICAg
Pg0KPiAgID4gICAgICAgfTsNCj4gICA+DQo+ICAgPiAgICAgaWdiMSBpcyB0aGUgIm5vcm1h
bCIgaW50ZXJuYWwgbmV0d29yazsgaWdiMCBpcyB0aGUgZXh0ZXJuYWwgb25lLg0KPiAgID4g
ICAgIFRoZSBJU1AgaGFuZHMgb3V0IC81NnMgKGFsdGhvdWdoIGF0IG9uZSB0aW1lIEkgY291
bGQgY2hvb3NlICAgICAgZWl0aGVyIGEgLzU2IG9yIC82MCk7IEkgaGF2ZSByb3V0aW5lcyBp
biB0aGUgc2NyaXB0IGZpbGUgdGhhdCB0aGVuICAgICAgZ2VuZXJhdGUgZHluYW1pYyB1cGRh
dGVzIGZvciBETlMgc28gdGhlIGdhdGV3YXkgaGFzIGl0cyBwb2ludGVycyAgICAgIHVwZGF0
ZWQgaWYvd2hlbiB0aGUgYWRkcmVzcyBjaGFuZ2VzIChJIHJ1biBteSBvd24gem9uZXMpDQo+
ICAgPg0KPiAgID4gICAgIEl0cyBub3QgZW50aXJlbHktY2xlYXIgaG93IHRvIHJlcGxpY2F0
ZSB0aGF0IGluIHRoZSBjb25maWcgZmlsZSBmb3IgZGhjcGNkOyBJIGNhbiBmaWd1cmUgb3V0
IHRoZSBzY3JpcHQgSSdtIHN1cmUsIGJ1dCB0aGUgYmFzZSBjb25maWcgaXMgbm90IGNsZWFy
IHRvIG1lLg0KPg0KPiBTbyB5b3Ugd291bGQgYWRkIHRoaXMgdG8gdGhlIGJvdHRvbSBvZiB0
aGUgZGVmYXVsdCBkaGNwY2QuY29uZiBmaWxlOg0KPg0KPiBpbnRlcmZhY2UgaWdiMA0KPiAg
ICBpYV9uYQ0KPiAgICBpYV9wZCAwLzo6LzU2IGlnYjEvMC82NA0KPg0KPiBUaGF0IG1pcnJv
cnMgeW91ciBjb25maWcgZXhhY3RseSBhcGFydCBmcm9tIHJlcXVlc3RpbmcgYSBzcGVjaWZp
YyBsaWZldGltZSB3aGljaCBkaGNwY2QgZG9lc24ndCBzdXBwb3J0IGZvciBQRC4NCj4gcmFw
aWQgY29tbWl0IGlzIGVuYWJsZWQgYWxyZWFkeSBpbiB0aGUgZGVmYXVsdCBkaGNwY2QuY29u
ZiBmaWxlLg0KPiBZb3UgY291bGQgdGhlbiBlZGl0IC9ldGMvZGhjcGNkLmV4aXQtaG9vayB0
byBoYW5kbGUgeW91ciBERE5TLg0KPg0KPiBZb3UgbWlnaHQgYmUgYWJsZSB0byBnZXQgYXdh
eSB3aXRoIHRoaXMgbGlnaHRlciBjb25maWcgYXMgd2VsbCwgYmFzZWQgb24gd2hhdCB5b3Ug
c2FpZDoNCj4gaW50ZXJmYWNlIGlnYjANCj4gICAgaWFfbmENCj4gICAgaWFfcGQgMCBpZ2Ix
DQo+DQo+IEFueSBwb2ludGVycyBvbiBub3cgdG8gbWFrZSB0aGlzIG1vcmUgY2xlYXIgaW4g
ZGhjcGNkLmNvbmYoNSkgYXJlIHdlbGNvbWUuDQo+IEdvb2QgbHVjayENCj4NCj4gUm95DQoN
ClRoZSBwcm92aWRlZCBleGFtcGxlIChzdGFydGluZyB3aXRoICJub2lwdjZycyIpIHJlcXVl
c3RzIG11bHRpcGxlIA0KcHJlZml4ZXMgYW5kIHN0YXJ0cyB3aXRoICJpYV9wZCAyIjsgd2hh
dCB3YXNuJ3QgY2xlYXIgaXMgdGhlIG1vc3QtY29tbW9uIA0KZXhhbXBsZSBmb3IgYSBzaW5n
bGUtYXR0YWNoZWQgZW5kcG9pbnQgdGhhdCBtaWdodCBoYXZlIG11bHRpcGxlIGludGVybmFs
IA0KaW50ZXJmYWNlcyAoZS5nLiBzZXBhcmF0ZWQgc3VibmV0czsgcGVyaGFwcyBvbmUgZm9y
IGEgZ3Vlc3QgbmV0d29yayBvciANCnNpbWlsYXIsIGFub3RoZXIgZm9yIGdlbmVyYWwgdXNl
LCBldGMuKQ0KDQpNb3N0IGluc3RhbGxhdGlvbnMgd2hldGhlciBwZXJzb25hbCBvciBzbWFs
bC9tb2Rlc3Qtc2l6ZSBidXNpbmVzcyBvbiBhIA0KcGVyLWxvY2F0aW9uIGJhc2lzIGFueXdh
eSBsaWtlbHkgaGF2ZSBvbmUgZXh0ZXJuYWwgY29ubmVjdGlvbiB0byB0aGUgDQppbnRlcm5l
dCBhcyBhIHdob2xlLCBwb2ludCBkZWZhdWx0IGF0IHRoZWlyIElTUCBhbmQgZXhwZWN0IHRo
ZW0gdG8gaGFuZCANCnRoZW0gdGhlaXIgRE5TIHBvaW50ZXJzIGFzIHdlbGwuIFNvbWUgZm9s
a3Mgb25seSBuZWVkIFNMQUNDIG9mIGNvdXJzZSBhcyANCnRoZWlyIElTUC1wcm92aWRlZCBy
b3V0ZXIgZG9lcyBhbGwgdGhpcyAoZS5nLiBtYW55IHBlb3BsZSBvbiBjYWJsZSBtb2RlbSAN
CnNlcnZpY2UgdGhlc2UgZGF5cyB3aGVyZSB0aGVpciBtb2RlbSBpcyBhbHNvIGEgV2lGaSBB
UCBhbmQgcm91dGVyKSBidXQgDQpzb21lIChsaWtlIG15c2VsZikgcHJlZmVyIHRvIGRvIHRo
YXQgb3Vyc2VsdmVzIGJvdGggZm9yIGlzb2xhdGlvbiBhbmQgDQpmaXJld2FsbGluZyBwdXJw
b3Nlcy4gTW9zdCBJU1BzIGFwcGVhciB0byBoYW5kIG91dCBhIC81NiAoc29tZSB3aWxsIGdv
IA0KbG9uZ2VyLCBidXQgZmV3IHNob3J0ZXIpIGV2ZW4gYXQgdGhlIGluZGl2aWR1YWwgInBl
cnNvbmFsLCBob3VzZWhvbGQiIA0KY29ubmVjdGlvbiBsZXZlbCBzbyBJJ2QgYmV0IHRoYXQg
YXMgYSAic2FtcGxlIiBjb25maWd1cmF0aW9uIGluIHRoZSANCm1hbnVhbCB3b3VsZCBzdWl0
IDkwJSsgb2YgdGhlIHVzZXJzLg0KDQoNCi0tIA0KS2FybCBEZW5uaW5nZXINCmthcmxAZGVu
bmluZ2VyLm5ldA0KL1RoZSBNYXJrZXQgVGlja2VyLw0KL1tTL01JTUUgZW5jcnlwdGVkIGVt
YWlsIHByZWZlcnJlZF0vDQo=
--------------crjlbAr4tMSgziWVhJ1QB1Y3
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html>
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF=
-8">
</head>
<body>
<div class=3D"moz-cite-prefix">On 7/24/2024 04:10, Roy Marples wrote:=
<br>
</div>
<blockquote type=3D"cite"
cite=3D"mid:190e3ca9424.10cb640b9133631.4510537448957801250@marples.name"=
>
<pre class=3D"moz-quote-pre" wrap=3D""> ---- On Wed, 24 Jul 2024 02=
:48:15 +0100 Karl Denninger wrote ---=20
> I'd like to replicate this that is currently being sent up via =
dhcp6c, which is not quite-clear to me from the docs on how to do =
that..
> #
> # This configuration will attempt to get /56 or a /60 from th=
e
> # ISP and assign a /64 internally.
> # Note that if you have a /60 you can have four /64s defined;=
if you have a
> # /56 then obviously you can have 16 internal networks.=C2=A0=
For most "house"
> # size networks four separate delineations is enough, for mos=
t "moderate"
> # sized corporate environments 16 is enough.=C2=A0 BE AWARE T=
HAT THE SLA-LEN MUST
> # MATCH THE DIFFERENCE BETWEEN THE LOCAL PREFIX AND THE REMOT=
E ONE!=C2=A0 If
> # you ask for a /56 then sla-len is 8, if you ask for a /60 t=
hen the sla-len
> # is 4 (difference between the requested prefix length and 64=
, respectively.)
> #
> =20
> interface igb0 {
> =C2=A0=C2=A0=C2=A0=C2=A0 send ia-pd 1;
> =C2=A0=C2=A0=C2=A0=C2=A0 send ia-na 1;
> =C2=A0=C2=A0=C2=A0=C2=A0 send rapid-commit;
> =C2=A0=C2=A0=C2=A0=C2=A0 script "/usr/local/etc/dhcp6c.script=
";
> };
> =20
> id-assoc na 1 {
> =20
> };
> =20
> id-assoc pd 1 {
> =C2=A0 prefix ::/56 1800;
> =20
> =C2=A0 prefix-interface igb1 {
> =C2=A0=C2=A0=C2=A0 sla-id 0;
> =C2=A0=C2=A0=C2=A0 sla-len 8;
> =C2=A0 };
> =C2=A0=20
> };
> =20
> igb1 is the "normal" internal network; igb0 is the external one=
=2E
> The ISP hands out /56s (although at one time I could choose =
either a /56 or /60); I have routines in the script file that then =
generate dynamic updates for DNS so the gateway has its pointers up=
dated if/when the address changes (I run my own zones)
> =20
> Its not entirely-clear how to replicate that in the config file=
for dhcpcd; I can figure out the script I'm sure, but the base config is=
not clear to me.
So you would add this to the bottom of the default dhcpcd.conf file:
interface igb0
ia_na
ia_pd 0/::/56 igb1/0/64
That mirrors your config exactly apart from requesting a specific lifetim=
e which dhcpcd doesn't support for PD.
rapid commit is enabled already in the default dhcpcd.conf file.
You could then edit /etc/dhcpcd.exit-hook to handle your DDNS.
You might be able to get away with this lighter config as well, based on =
what you said:
interface igb0
ia_na
ia_pd 0 igb1
Any pointers on now to make this more clear in dhcpcd.conf(5) are welcome=
=2E
Good luck!
Roy
</pre>
</blockquote>
<p>The provided example (starting with "noipv6rs") <span
style=3D"white-space: pre-wrap">requests multiple prefixes and star=
ts with "ia_pd 2"; what wasn't clear is the most-common example for a sin=
gle-attached endpoint that might have multiple internal interfaces (e.g. =
separated subnets; perhaps one for a guest network or similar, another fo=
r general use, etc.)</span></p>
<p><span style=3D"white-space: pre-wrap">Most installations whether p=
ersonal or small/modest-size business on a per-location basis anyway like=
ly have one external connection to the internet as a whole, point default=
at their ISP and expect them to hand them their DNS pointers as well. S=
ome folks only need SLACC of course as their ISP-provided router does all=
this (e.g. many people on cable modem service these days where their mod=
em is also a WiFi AP and router) but some (like myself) prefer to do that=
ourselves both for isolation and firewalling purposes. Most ISPs appear =
to hand out a /56 (some will go longer, but few shorter) even at the indi=
vidual "personal, household" connection level so I'd bet that as a "sampl=
e" configuration in the manual would suit 90%+ of the users.</span></p>
<br>
<div class=3D"moz-signature">-- <br>
Karl Denninger<br>
<a href=3D"mailto:karl@denninger.net" class=3D"moz-txt-link-freetex=
t">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size=3D"-2"><i>[S/MIME encrypted email preferred]</i></font><=
/div>
</body>
</html>
--------------crjlbAr4tMSgziWVhJ1QB1Y3--
--------------fe127SMeySDF6XwQKFdUB2Ak--
--------------ZlKgUPqDuAzK60AaWfHLq3PW
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"
-----BEGIN PGP SIGNATURE-----
wsF5BAABCAAjFiEEvWWSxnGhSYSUSaCtby3AFeuPWXgFAmahBv4FAwAAAAAACgkQby3AFeuPWXiO
AA//SV3b/D4QUeR7NGivWsOWDPx+TI/gW197vcMnyUGUVexemdj1syCIqxk+kUXE43r7ucEwnhTM
g+bE9O7UF9SRR3+GzR3n7yU6CbjtR+7omvxYTMAqPucrG+WLl1UQw9avpOS5ZBg0puG61flvJWON
zNoKSr714YzuOpjwxjZs/++KGZVSfD13xieX5RHttPu8ns8ED+8zvBPMtiVD0PBWUmx+mpO1mmun
1hs5evXXiy6XaSu4k9j1M1V6BPGeC7zzLFhJJ0TYTAPSjJRX3beqOs0W75n1av4MulEwt4wh9cp8
FM/1ithcqZPDFieR78KE2M+tiTwWumL+fZV0pfuahr1v0AuxfT11/F30xJOzjXDZKnhY319Y9dCx
w1PY9Og7QP0ufsM3cVso2URVoyUF1rL+Z+Y9Fi7cER2EdZ6B7Nf6FCIFK5/v2ZRxQnkCRoWHrUTw
51u6EpmoXFFZ7tR8xnWeixSpSwqbJlcXEJZoGsIcAdq0sp7KOUvT/ydTsdzMAb+jvhpGgfXGB5F+
jdY+YBouXtzbIOUZQOesJ0AHAzuES7U5CAbMZLr/DOx/S5jEAeAZZBvkeGIwRZ+l3UdO7RVEJWnQ
lqvdUl9D8vQk8Sp6lUREX/ELiUuW2Ao3HY7OIQgfMjr6f7ssm9TdLLCB5XP4hiVvrAFJ5M6f3G2y
HQ4=
=vdHJ
-----END PGP SIGNATURE-----
--------------ZlKgUPqDuAzK60AaWfHLq3PW--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b362c5eb-9189-40d9-b591-99c5aa929d5d>