Bug #6541

open

IPv6 RAs always include on-link prefix; clients may not use DHCPv6 managed addresses

Added by Bruce Simpson almost 6 years ago. Updated almost 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: IPv6 Router Advertisements (RADVD)
Target version: -
Start date: 06/27/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

pfSense IPv6 RA support in 2.3.1-x correctly includes the 'M' (Managed) bit in its advertisements.

By contrast, Cisco IOS supports an explicit "ipv6 nd prefix default non-advertise" configuration to prevent this.

However, pfSense always includes the on-link prefix in these advertisements, even if the "Router mode" in Services -> DHCPv6 Server & RA -> LAN -> Router Advertisements is set to "Managed".

This causes Mac OS X clients to (inappropriately) use SLAAC & privacy addresses by default, unless temporary addresses are explicitly disabled system-wide using sysctl (as per FreeBSD).

Linux and Windows do not exhibit this issue and use the DHCPv6 statefully-managed address by default -- which is the desired behaviour in this configuration. (It's an office, PCI DSS is in play, and we need to at least track who initiated communication to the outside world, even if we don't act as a man-in-the-middle.)

There appears to be no option to disable advertising the on-link prefix.
