Bug #4483

SLAAC and stateful DHCP6 IPs are configured on interface when using DHCP6 config type

Added by Paul K over 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: DHCP (IPv6)
Target version:
Start date: 03/02/2015
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture:

Description

If I set my WAN IPv6 configuration type to DHCP6 and leave 'Request only a IPv6 prefix' unchecked I end up with two public v6 IPs on WAN interface:

vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=60009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:aa:bb:cc:dd:ee
        inet6 fe80::2aa:bbff:fecc:ddee%vmx0 prefixlen 64 scopeid 0x1 
        inet 111.222.132.250 netmask 0xfffffc00 broadcast 111.222.135.255 
        inet6 xxxx:yyy:zzzz:4fa0:2aa:bbff:fecc:ddee prefixlen 64 autoconf 
        inet6 xxxx:yyy:zzzz:4fa0::48 prefixlen 128 
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active

xxxx:yyy:zzzz:4fa0::48 is assigned by DHCP server
xxxx:yyy:zzzz:4fa0:2aa:bbff:fecc:ddee is auto-configured. pfSense WAN is connected to modem that sends out RA messages.

This happens because function interface_dhcpv6_configure is called for slaac and dhcp6 configurations and enables RA acceptance regardless of the config type.

If I check 'Request only a IPv6 prefix' flag so that pfSense doesn't request stateful address from DHCP server I end up with SLAAC IP only. However Interfaces widget on the dashboard shows link-local address instead of SLAAC address and firewall rules that use 'WAN net' or 'WAN address' use link-local address as well. Looking at the code I see that get_interface_ipv6 function assumes that there is no public IP if 'dhcp6prefixonly' flag is set.

Associated revisions

Revision 60802fad (diff)
Added by k-paulius over 4 years ago

Return link-local address when we are only requesting IPv6 prefix only if there is no global IPv6 address. In some cases global SLAAC IPv6 address might be present when using DHCPv6. Fixes #4483

Revision 927eecf3 (diff)
Added by k-paulius over 4 years ago

Return link-local address when we are only requesting IPv6 prefix only if there is no global IPv6 address. In some cases global SLAAC IPv6 address might be present when using DHCPv6. Fixes #4483

History

#1 Updated by Paul K over 4 years ago

Did a little bit more research on this issue.

First, in order for the SLAAC address to be auto-configured, RA message must advertise /64 (not sure why, but I was unable to reproduce it when advertising any other size prefix) prefix and autonomous address-configuration flag must be set to on (AdvAutonomous in radvd configuration).

Second, the fact that two addresses get assigned to the interface is in theory correct. RA message advertises that prefix can be used for auto-configuration and we request stateful address via DHCPv6. In practice though, you could argue that this is not the correct way to set things up. If DHCPv6 server is present AdvAutonomous flag should not be enabled. In my case I have no control over AT&T modem that does this and I expect other ISPs to follow this setup since it works if customer plugs in client computers directly to the modem and if other downstream router is present that needs prefix delegation. Also RFCs 6204 and 4862 do not specify this as invalid setup.

pfSense does not seem to be set up to handle multiple IPv6 addresses on the interface so we have to get rid of one of those addresses.

Disabling accept_rtadv on interface when DHCPv6 is used would require quite a lot of changes to the code since rtsold process is launched for SLAAC and DHCPv6 configurations and dhcp6c process is launched by rtsold. If accept_rtadv is not enabled on the interface rtsold refuses to work and so it does not start dhcp6c. The only option would be to launch dhcp6c directly for DHCPv6 configurations and via rtsold for SLAAC configurations.

It would be a lot easier to modify function get_interface_ipv6 to check if global IPv6 is not present when DHCPv6 'Request only an IPv6 prefix' flag is enabled.
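An added example, not part of the original ticket and not pfSense code: a Python sketch that parses FreeBSD-style `inet6` lines, flags the SLAAC plus stateful DHCPv6 dual assignment reported above, and models the address choice with and without the global-address check. The sample output is constructed with the 2001:db8::/32 documentation prefix, and `select_ipv6` with its `check_global` switch is a hypothetical helper, not `get_interface_ipv6`.

```python
import ipaddress
import re

# Constructed sample modelled on the ifconfig output in the report;
# addresses use the 2001:db8::/32 documentation prefix.
SAMPLE_IFCONFIG = """\
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::2aa:bbff:fecc:ddee%vmx0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:0:4fa0:2aa:bbff:fecc:ddee prefixlen 64 autoconf
        inet6 2001:db8:0:4fa0::48 prefixlen 128
"""

INET6_RE = re.compile(
    r"^[ \t]+inet6[ \t]+(\S+)[ \t]+prefixlen[ \t]+(\d+)(.*)$", re.M)


def parse_inet6(ifconfig_text):
    """Parse FreeBSD-style 'inet6' lines into address records."""
    records = []
    for addr, plen, rest in INET6_RE.findall(ifconfig_text):
        ip = ipaddress.IPv6Address(addr.split("%", 1)[0])  # drop %scope
        records.append({
            "ip": ip,
            "prefixlen": int(plen),
            "link_local": ip.is_link_local,
            "autoconf": "autoconf" in rest.split(),  # SLAAC-derived
        })
    return records


def dual_assignment(records):
    """True when a SLAAC and a non-SLAAC routable address coexist.
    Assumption: any non-link-local address counts as routable."""
    routable = [r for r in records if not r["link_local"]]
    return (any(r["autoconf"] for r in routable)
            and any(not r["autoconf"] for r in routable))


def select_ipv6(records, prefix_only, check_global=True):
    """Hypothetical model of the choice described in the ticket.

    check_global=False: prefix-only mode assumes no public address.
    check_global=True: link-local is used only if nothing else exists.
    """
    link_local = [r["ip"] for r in records if r["link_local"]]
    routable = [r["ip"] for r in records if not r["link_local"]]
    if prefix_only and not (check_global and routable):
        return link_local[0] if link_local else None
    return routable[0] if routable else None
```

With the constructed sample, `dual_assignment` is true for the full interface, and in prefix-only mode the SLAAC address is chosen over the link-local one only when `check_global` is enabled.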

#4 Updated by Chris Buechler over 4 years ago

  • Affected Version changed from 2.2 to All

#5 Updated by Anonymous over 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#6 Updated by Anonymous over 4 years ago

#7 Updated by Paul K about 4 years ago

This fix was released with v2.2.3. I tested it and it works as expected now.

#8 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved
  • Target version set to 2.2.3
