Date:      Wed, 13 Mar 2013 14:19:25 +0100
From:      Fleuriot Damien <ml@my.gd>
To:        Schrodinger <schrodinger@konundrum.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipv6 default router Operation not permitted
Message-ID:  <D38E17AB-86AA-40B5-BFD6-A092DFAA1660@my.gd>
In-Reply-To: <20130313131016.GE17859@defiant.konundrum.org>
References:  <20130312225018.GA13589@defiant.konundrum.org> <3ABB5AED-DEA9-42F6-82A1-FEA9E8BBBDCF@my.gd> <20130313091727.GA17859@defiant.konundrum.org> <201303131227.57751.Mark.Martinec%2Bfreebsd@ijs.si> <20130313125221.GD17859@defiant.konundrum.org> <B58DABE0-BB82-412D-82AB-C7C9AFD82F12@my.gd> <20130313131016.GE17859@defiant.konundrum.org>


On Mar 13, 2013, at 2:10 PM, Schrodinger <schrodinger@konundrum.org> wrote:

> On 2013/03/13 14:02, Fleuriot Damien wrote:
>>
>> On Mar 13, 2013, at 1:52 PM, Schrodinger <schrodinger@konundrum.org> wrote:
>>
>>> On 2013/03/13 12:27, Mark Martinec wrote:
>>>
>>> Hi Mark,
>>>
>>>> On Wednesday March 13 2013 10:17:27 Schrodinger wrote:
>>>>> ifconfig_re0_ipv6="inet6 2001:41D0:2:E7c4::1 prefixlen 64"
>>>>> [...]
>>>>> Voodoo, indeed... I'm sure there's a /48 used somewhere but to be more
>>>>> specific, or rather obvious, my default gateway resides at the boundary
>>>>> of a /56 - 2001:41D0:2:E700::/56
>>>>
>>>> Having multiple IPv6 subnets on the same wire is asking for trouble.
>>>>
>>>
>>> This isn't my network so I don't have any input into the matter. This
>>> is the OVH configuration for their dedicated servers, at least in my
>>> product range.
>>>
>>>> For example, I believe an ICMP redirect still (in 9.1) does not create
>>>> a temporary route:
>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=152791
>>>> which beat us hard time (random unreachability between hosts),
>>>> having to rearrange that legacy segment which happened to have
>>>> two subnets on the same wire.
>>>>
>>>> The static routes destinations must be directly reachable (on-link).
>>>>
>>>
>>> Does adding the interface route not put the default gateway on-link
>>> though ?
>>>
>>>> Either use a single /56 for the whole LAN, adjusting the prefix
>>>> length on each interface, or provide a router within each subnet.
>>>>
>>>
>>> If I am to change my prefix length to /56 this means that anyone else in
>>> that /56 who is configured with a prefix length of 64 will be routing to
>>> me and I will be switching to them.... This could cause problems.
>>
>>
>> I fail to see how they would be routing to you and you would be switching to them.
>>
>>
>> OVH allocates a /64 per customer.
>> To avoid having to setup 1 gateway per customer, they set up a single one within a /56 , allowing for 256 /64s
>> This mimics the situation where your host gives you a /32 ipv4 within a /24 network and uses a single gateway, again for 250ish customers.
>>
>> Whenever an IPv6 packet arrives on OVH's router for your /64, it is routed to your server.
>> I don't see how this qualifies as "another customer routing to you" ?
>>
>
> I am informed that I must configure my interface to /64 by OVH. The same
> as everyone else. So if everyone was on a /64 then we will send packets
> to each other via our shared default gateway.
>
> E.g.:
>
> I am 2001:41d0:2:e7c4::1/64 My default gateway is
> 2001:41d0:2:e7ff:ff:ff:ff:ff
>
> If I wanted to communicate with a host in 2001:41d0:2:e7c5::/64 and his
> default gateway is also 2001:41d0:2:e7ff:ff:ff:ff:ff then we will route
> packets to each other.
>
> Correct?
>
> If I were to change my interface prefix length to /56 my host would no
> longer consider the need to send packets to the default gateway for any
> host within this /56. I would simply perform Neighbour Solicitation on
> my link.
>
> E.g.:
>
> I am 2001:41d0:2:e7c4::1/56 My default gateway is
> 2001:41d0:2:e7ff:ff:ff:ff:ff
>
> If I wanted to communicate with a host in 2001:41d0:2:e7c5::/64 and his
> default gateway is also 2001:41d0:2:e7ff:ff:ff:ff:ff then I would switch
> to him because the /56 is "on-link" to me but to the recipient he must
> route to me via his default gateway.
>
> Correct?
>
> C.
> --


These are indeed correct, thanks for clarifying.


Find below the config I'm using on an old OVH box.
Said config might be outdated now (as per OVH's guide on setting up IPv6 [1]), however that was at the time the only way to get things working properly.

rc.conf
===
#Range IPv6: 2001:41D0:2:613b::/64
ipv6_enable="YES"
ipv6_ifconfig_re0="fe80::21c:c0ff:fef3:31fa/64 scopeid 0x1"
ipv6_ifconfig_re0_alias0="2001:41d0:2:613b::dead:beef/56"
ipv6_defaultrouter="2001:41d0:2:61ff:ff:ff:ff:ff"
===


routing table
===
$ netstat -f inet6 -rn
Routing tables

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0 =>
default                           2001:41d0:2:61ff:ff:ff:ff:ff  UGS         re0
::1                               ::1                           UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2001:41d0:2:6100::/56             link#1                        U           re0
2001:41d0:2:613b::dead:beef       link#1                        UHS         lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%re0/64                     link#1                        U           re0
fe80::21c:c0ff:fef3:31fa%re0      link#1                        UHS         lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
ff01:1::/32                       fe80::21c:c0ff:fef3:31fa%re0  U           re0
ff01:2::/32                       ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%re0/32                     fe80::21c:c0ff:fef3:31fa%re0  U           re0
ff02::%lo0/32                     ::1                           U           lo0
===



Notice that said config actually works:
===
$ ping6 www.google.com
PING6(56=40+8+8 bytes) 2001:41d0:2:613b::dead:beef --> 2a00:1450:4007:804::1014
16 bytes from 2a00:1450:4007:804::1014, icmp_seq=0 hlim=57 time=4.461 ms
16 bytes from 2a00:1450:4007:804::1014, icmp_seq=1 hlim=57 time=4.462 ms
16 bytes from 2a00:1450:4007:804::1014, icmp_seq=2 hlim=57 time=4.405 ms
^C
--- www.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 4.405/4.443/4.462/0.027 ms
===



Either way, you might want to have a look at OVH's guide [1] but in my own case, using a /56 was, at the time, the only way to get things working in a clean way.



[1] http://help.ovh.com/Ipv4Ipv6#link10
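
The on-link reasoning discussed in this message, worked through with Python's ipaddress module. This is an added example, not part of the original e-mail: forwarding_decision(), its result labels, the extra_onlink parameter (standing in for an explicit interface route to the gateway) and the peer host address are assumptions made for illustration.

```python
import ipaddress

# Gateway and prefixes are the ones quoted in the thread; PEER is a
# constructed host address inside the neighbouring customer /64.
GATEWAY = ipaddress.ip_address("2001:41d0:2:e7ff:ff:ff:ff:ff")
PEER = ipaddress.ip_address("2001:41d0:2:e7c5::1")


def forwarding_decision(iface, dst, gateway=GATEWAY, extra_onlink=()):
    """Model how a host picks the first hop for dst.

    iface        -- interface address with prefix length, e.g. "…::1/64"
    extra_onlink -- additional prefixes treated as on-link (hypothetical
                    stand-in for an explicit interface route)
    """
    iface = ipaddress.ip_interface(iface)
    dst = ipaddress.ip_address(dst)
    gateway = ipaddress.ip_address(gateway)
    onlink = [iface.network] + [ipaddress.ip_network(p) for p in extra_onlink]

    if any(dst in net for net in onlink):
        # Destination is covered by an on-link prefix: resolve it directly.
        return "neighbour-solicitation"
    if any(gateway in net for net in onlink):
        # Destination is off-link but the gateway is reachable on-link.
        return "default-gateway"
    # A static route's gateway must itself be on-link.
    return "gateway-not-on-link"


if __name__ == "__main__":
    cases = [
        ("me /64, no interface route", "2001:41d0:2:e7c4::1/64", PEER, ()),
        ("me /56", "2001:41d0:2:e7c4::1/56", PEER, ()),
        ("peer /64 + gateway host route", "2001:41d0:2:e7c5::1/64",
         "2001:41d0:2:e7c4::1", ("2001:41d0:2:e7ff:ff:ff:ff:ff/128",)),
    ]
    for label, iface, dst, extra in cases:
        print(f"{label:32} -> {forwarding_decision(iface, dst, extra_onlink=extra)}")
```

The second and third cases together show the asymmetry described above: the /56 host resolves its neighbour directly while the /64 neighbour replies through the shared gateway.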




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D38E17AB-86AA-40B5-BFD6-A092DFAA1660>