Date: Mon, 29 Jul 2024 11:05:37 +0100
From: Roy Marples <roy@marples.name>
To: "moto kawasaki" <moto@kawasaki3.org>
Cc: "cross+freebsd" <cross+freebsd@distal.com>, "freebsd-net" <freebsd-net@freebsd.org>
Subject: Re: DHCPv6 IA_PD - how-to
Message-ID: <190fdf3e353.11351bb5e292296.3216692081725884177@marples.name>
In-Reply-To: <20240727.122108.862717899466090274.moto@kawasaki3.org>
References: <CA0C0E7D-4956-4DB4-A274-D74C84A18529@distal.com> <190e09e6c1a.11450232913849.654798645277119294@marples.name> <050440F8-B3D8-4B2C-85BD-D5C09C303037@distal.com> <20240727.122108.862717899466090274.moto@kawasaki3.org>

---- On Sat, 27 Jul 2024 04:21:08 +0100 moto kawasaki wrote ---
>
> Hi Chris, all
>
> I am struggling with the same problem too, and here is my working
> configuration for dhcp6c in my test environment.
> Hope this can be of help.
>
>
> vtnet0 is uplink, where I expect to receive RA from ISP.
>
> If upstream router sends RA with PD with 2001:db8:beef::/56, dhcp6c
> will add sla-len (8 in this configuration) to the prefix length (/56)
> to get the final prefix length of /64.
> Also, dhcp6c will add sla-id (11 and 12, decimal) to prefix, so that
> I will use 2001:db8:beef:b/64 and 2001:db8:beef:c/64 for assigning my
> internal network interfaces (vtnet1 and vtnet2).
>
> Well, I am wondering how I can tell "authentication isp_auth" entry to
> use the "isp_key", especially when I have multiple "keyinfo" entries.
>
>
>
> ===== /usr/local/etc/dhcp6c.conf =====
> keyinfo isp_key {
>     realm "example.org";
>     keyid 1;
>     secret "JTY0XXXXXXXXXXXXXXX=="; # masked.
> };
>
> authentication isp_auth {
>     protocol delayed;
> };
>
> interface vtnet0 {
>     script "/usr/local/etc/dhcp6c-script.sh";
>     send ia-pd 3;
>     send authentication isp_auth;
>     request domain-name-servers;
>     request domain-name;
>     request ntp-servers;
>     #send rapid-commit;
> };
>
> id-assoc pd 3 {
>     prefix-interface vtnet1 {
>         sla-id 11;
>         sla-len 8;
>     };
>     prefix-interface vtnet2 {
>         sla-id 12;
>         sla-len 8;
>     };
> };
> =====

For dhcpcd you would do this:

interface vtnet0
ia_pd 3 vtnet1/11 vtnet2/12
option domain_name_servers, domain_name, ntp_servers
authproto delayed
authtoken 1 "example.org" forever "JTY0XXXXXXXXXXXXXXX=="

But please note that delayed authentication has now been obsoleted:
https://datatracker.ietf.org/doc/html/rfc8415#section-25

While dhcpcd supports it to some extent, it's not widely tested and could be broken in any given release as I don't have a means of testing it right now.
The only real authentication support that is in the RFCs is the reconfigure key.
https://datatracker.ietf.org/doc/html/rfc8415#section-20.4

Roy
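
The client-side check behind the reconfigure key mechanism (RFC 8415 section 20.4) referenced in the reply, as an added example that is not part of the original message and not dhcpcd's code. The function names and the sample message are constructed for illustration; the numeric constants follow the RFC.

```python
import hashlib
import hmac
import struct

MSG_RECONFIGURE = 10    # DHCPv6 message type
OPTION_AUTH = 11        # Authentication option code
RKAP = (3, 1, 0)        # protocol 3 (reconfigure key), algorithm 1 (HMAC-MD5), RDM 0
AUTH_HMAC = 2           # auth-info type 2: HMAC-MD5 digest of the message
AUTH_LEN = 3 + 8 + 1 + 16  # proto/alg/RDM + replay detection + type + digest


def verify_reconfigure(msg: bytes, key: bytes, last_rd: int) -> int:
    """Return the new replay-detection value, or raise ValueError."""
    if len(msg) < 4 or msg[0] != MSG_RECONFIGURE:
        raise ValueError("not a Reconfigure message")
    off = 4  # skip msg-type (1 byte) and transaction-id (3 bytes)
    while off + 4 <= len(msg):
        code, length = struct.unpack_from("!HH", msg, off)
        body, off = off + 4, off + 4 + length
        if off > len(msg):
            raise ValueError("truncated option")
        if code != OPTION_AUTH:
            continue
        if length != AUTH_LEN:
            raise ValueError("bad authentication option length")
        proto, alg, rdm, rd, kind = struct.unpack_from("!BBBQB", msg, body)
        if (proto, alg, rdm) != RKAP or kind != AUTH_HMAC:
            raise ValueError("not reconfigure-key authentication")
        if rd <= last_rd:  # simplified check, ignores 2**64 wrap-around
            raise ValueError("replayed message")
        at = body + 12  # offset of the 16-byte digest inside the message
        # The HMAC covers the whole message with the digest field zeroed.
        zeroed = msg[:at] + bytes(16) + msg[at + 16:]
        good = hmac.new(key, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(good, msg[at:at + 16]):
            raise ValueError("HMAC mismatch")
        return rd
    raise ValueError("no authentication option")


def build_sample(key: bytes, rd: int) -> bytes:
    """Constructed test message: Reconfigure + reconf-msg option + auth option."""
    head = bytes([MSG_RECONFIGURE, 0, 0, 0]) + struct.pack("!HHB", 19, 1, 5)
    auth = struct.pack("!HHBBBQB", OPTION_AUTH, AUTH_LEN, *RKAP, rd, AUTH_HMAC)
    unsigned = head + auth + bytes(16)
    return head + auth + hmac.new(key, unsigned, hashlib.md5).digest()
```

The caller stores the returned replay-detection value only after a successful verification, so a forged message with a high counter cannot advance it.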