IPV6 routing issue


IPV6 routing issue

Giancarlo Razzolini-3
Hi all,

     I've recently changed my ISP and they have native IPv6. My customer
premises equipment, which is a GPON, supports both stateless and DHCPv6
configuration on its LAN interface. I want to put an OpenBSD firewall
between this CPE and my internal network. I'm using OpenBSD 5.7 stable.
My CPE receives a /64 prefix delegation from my ISP. Unfortunately, this
is a dynamic prefix, so I can't configure anything manually.

     I've managed to get wide-dhcp6 working and requesting the prefix to
be delegated to my internal network. After that, all I needed to do was
to run rtadvd on my internal interface, and my internal LAN machines
began to be autoconfigured, getting IPs from the delegated prefix.

     The OpenBSD firewall has 2 IPv6 addresses. One on the WAN interface
and another on the LAN interface. If I use ping6 to ping any IPv6 host
from my firewall, I can ping them with no problems. But if I ping with
the source set to the IPv6 address of the internal interface, it won't
work. Also, no machine on my LAN can connect to any host over IPv6.

     I've inspected the traffic with tcpdump, and I can see the packets
leaving my network and arriving at the destination. The problem is the
packets never get back. My CPE equipment keeps sending neighbour
solicitations asking who has the IPv6 address, but the OpenBSD firewall
never replies, so the packets get dropped. I currently have PF
disabled. But I had the same problem with it enabled and with the
default firewall configuration. I'm trying first to get IPv6
connectivity working and filter the packets afterwards. Has anyone had a
similar issue?

Cheers,
Giancarlo Razzolini


Re: IPV6 routing issue

Patrik Lundin-3
I have struggled with a similar problem a few years back. Can it be that
the upstream equipment does not create a route for the delegated prefix
pointing to your openbsd machine?

This would explain why you see neighbour solicitations on the outside
interface. The upstream router is not aware that the prefix should be
routed to you.

--
Patrik Lundin

----- Original message -----
From: Giancarlo Razzolini <[hidden email]>
To: "Openbsd-Misc" <[hidden email]>
Subject: IPV6 routing issue
Date: Thu, 25 Jun 2015 21:06:51 -0300


Re: IPV6 routing issue

Gregor Best
On Fri, Jun 26, 2015 at 03:07:41PM +0200, Patrik Lundin wrote:
> [...]
> This would explain why you see neighbour solicitations on the outside
> interface. The upstream router is not aware that the prefix should be
> routed to you.
> [...]

I've also seen something similar. A friend of mine suggested [0], though
I haven't tried it. I circumvented my problem by using a routed /64 on a
Hurricane Electric tunnel.

Depending on your hosting provider, their setup might actually be
vulnerable to a neat little trick: If you see NDP requests for prefixes
that are not your own while tcpdump'ing your external interface, you
might be able to add an address inside one of those networks to your
external interface and have it reachable from the outside, so that in
effect you can use an IPv6 address that's outside of your prefix.

[0]: https://github.com/DanielAdolfsson/ndppd

--
        Gregor Best


Re: IPV6 routing issue

Giancarlo Razzolini-3
In reply to this post by Patrik Lundin-3
Em 26-06-2015 10:07, Patrik Lundin escreveu:
> I have struggled with a similar problem a few years back. Can it be that
> the upstream equipment does not create a route for the delegated prefix
> pointing to your openbsd machine?
>
> This would explain why you see neighbour solicitations on the outside
> interface. The upstream router is not aware that the prefix should be
> routed to you.
Yes, I believe that to be the problem. The prefix is delegated to the CPE,
not the OpenBSD machine. When I run the dhcp6c program, it asks for a
prefix delegation from the CPE and gets one. But I don't think that the
CPE is truly delegating the prefix, which is why it's issuing
neighbor solicitation messages. Someone pointed out to me that I'll need to
use an NDP proxy or use the OpenBSD machine as a bridge filter. I can't
change the CPE configuration; it's locked by my ISP.

Cheers,
Giancarlo Razzolini


Re: IPV6 routing issue

Giancarlo Razzolini-3
In reply to this post by Gregor Best
Em 26-06-2015 10:43, Gregor Best escreveu:
> I've also seen something similar. A friend of mine suggested [0], though
> I haven't tried it. I circumvented my problem by using a routed /64 on a
> Hurricane Electric tunnel.

I wouldn't like to use a tunnel, since my ISP is (kind of) providing
native IPv6 connectivity.

>
> Depending on your hosting provider, their setup might actually be
> vulnerable to a neat little trick: If you see NDP requests for prefixes
> that are not your own while tcpdump'ing your external interface, you
> might be able to add an address inside one of those networks to your
> external interface and have it reachable from the outside, so that in
> effect you can use an IPv6 address that's outside of your prefix.

Since my CPE is working in routed mode, I don't see anything like that.
But I believe that this will be a problem for many ISPs, since I doubt
they will implement authenticated NDP. I will look into this NDP proxy
daemon, since I couldn't get the ndp(8) proxy functionality to work.
Thanks to all you guys who replied, both on and off list.

Cheers,
Giancarlo Razzolini


Re: IPV6 routing issue

Giancarlo Razzolini-3
In reply to this post by Gregor Best
Em 26-06-2015 10:43, Gregor Best escreveu:
> https://github.com/DanielAdolfsson/ndppd 
This doesn't compile on OpenBSD. I'm correcting its includes and
headers, but it seems it's Linux-centric. I'll probably need to change
its code.

I've found some other tools, but it seems almost all of them are
Linux-centric:

[0]: https://github.com/fishilico/autoneighxy
[1]: https://github.com/andriyanov/ndp-proxy

I don't know if OpenBSD has any NDP proxying functionality besides the
one in ndp(8). But it seems to me that, besides a bridge, an NDP proxy
is the only viable solution (besides my ISP allowing me to change my
router configuration).

Cheers,
Giancarlo Razzolini
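To make concrete what an NDP proxy has to do here, the following is an added example written for this page; it is not code from the thread, from OpenBSD, or from ndppd. It parses an ICMPv6 Neighbor Solicitation as the CPE would send it on the link shared with the firewall's WAN interface, answers only when the target lies inside the prefix delegated to the inside network, and builds the Neighbor Advertisement the proxy would send back. The prefix, link-local addresses and MAC addresses are constructed, and the answering policy (ignore DAD probes, clear the Override flag) follows RFC 4389 conventions rather than anything the thread states. Actually transmitting the advertisement on OpenBSD would need a BPF or raw ICMPv6 socket, which is not shown.

```python
"""Added example: decision logic of an NDP proxy (not OpenBSD or ndppd code).
Parses ICMPv6 Neighbor Solicitations heard on the firewall's WAN link, answers
only for targets inside the prefix delegated to the inside network, and builds
the Neighbor Advertisement.  All addresses and MACs below are constructed."""
import ipaddress
import struct

ICMPV6_NS, ICMPV6_NA = 135, 136
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2
FLAG_ROUTER, FLAG_SOLICITED, FLAG_OVERRIDE = 1 << 31, 1 << 30, 1 << 29
UNSPECIFIED = ipaddress.IPv6Address("::")

# Constructed topology: the CPE and the firewall's WAN side share one link.
PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")     # assumed delegated prefix
CPE_LL = ipaddress.IPv6Address("fe80::1")               # CPE link-local (assumed)
CPE_MAC = bytes.fromhex("020000000001")
FW_LL = ipaddress.IPv6Address("fe80::2")                # firewall WAN link-local (assumed)
FW_MAC = bytes.fromhex("020000000002")
TARGET_IN = ipaddress.IPv6Address("2001:db8:1:2::10")   # an inside host
TARGET_OUT = ipaddress.IPv6Address("2001:db8:ffff::1")  # someone else's address


def icmpv6_checksum(src: bytes, dst: bytes, payload: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header plus the ICMPv6 message.
    Run over a message whose checksum field is already filled in, it returns 0."""
    data = src + dst + struct.pack("!I3xB", len(payload), 58) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, the multicast group a solicitation for addr goes to."""
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + addr.packed[13:])


def _options(pkt: bytes):
    """Yield (type, data) for the TLV options after the 24-byte NS/NA header."""
    i = 24
    while i + 8 <= len(pkt):
        otype, olen = pkt[i], pkt[i + 1]
        if olen == 0:             # RFC 4861: zero-length option, discard the packet
            return
        yield otype, pkt[i + 2:i + olen * 8]
        i += olen * 8


def _finish(src, dst, body: bytes) -> bytes:
    """Fill in the checksum field of an ICMPv6 message built with it zeroed."""
    csum = icmpv6_checksum(src.packed, dst.packed, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def build_ns(src, dst, target, src_mac: bytes) -> bytes:
    body = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + target.packed
    if src != UNSPECIFIED:        # DAD probes carry no source link-layer option
        body += bytes([OPT_SRC_LLADDR, 1]) + src_mac
    return _finish(src, dst, body)


def parse_ns(src, dst, pkt: bytes):
    """Return the target of a well-formed NS, or None (wrong type, bad checksum)."""
    if len(pkt) < 24 or pkt[0] != ICMPV6_NS or pkt[1] != 0:
        return None
    if icmpv6_checksum(src.packed, dst.packed, pkt) != 0:
        return None
    return ipaddress.IPv6Address(pkt[8:24])


def parse_na(src, dst, pkt: bytes):
    """Decode an NA into its flags, target and target link-layer address."""
    if len(pkt) < 24 or pkt[0] != ICMPV6_NA or pkt[1] != 0:
        return None
    if icmpv6_checksum(src.packed, dst.packed, pkt) != 0:
        return None
    flags = struct.unpack("!I", pkt[4:8])[0]
    lladdr = next((d[:6] for t, d in _options(pkt) if t == OPT_TGT_LLADDR), None)
    return {"target": ipaddress.IPv6Address(pkt[8:24]),
            "router": bool(flags & FLAG_ROUTER),
            "solicited": bool(flags & FLAG_SOLICITED),
            "override": bool(flags & FLAG_OVERRIDE),
            "lladdr": lladdr}


def proxy_reply(src, dst, pkt: bytes, proxied=PREFIX, own_addr=FW_LL, own_mac=FW_MAC):
    """Decide whether to answer an NS on behalf of the inside network.
    Returns (na_destination, na_bytes) or None.  The prefix check is the point:
    a proxy answering for every target it hears would claim addresses that
    belong to other customers on the same upstream link."""
    target = parse_ns(src, dst, pkt)
    if target is None or target not in proxied:
        return None
    if src == UNSPECIFIED:        # DAD probe: leave it to the real owner of the address
        return None
    # R=1 because the firewall forwards for the target, S=1 for a solicited reply,
    # O=0 as RFC 4389 asks of proxies, so a real owner's cache entry is never overwritten.
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, FLAG_ROUTER | FLAG_SOLICITED) + target.packed
    body += bytes([OPT_TGT_LLADDR, 1]) + own_mac
    return src, _finish(own_addr, src, body)


if __name__ == "__main__":
    grp = solicited_node(TARGET_IN)
    dst, na = proxy_reply(CPE_LL, grp, build_ns(CPE_LL, grp, TARGET_IN, CPE_MAC))
    print("NA to", dst, parse_na(FW_LL, dst, na))
    grp = solicited_node(TARGET_OUT)
    print("ignored:", proxy_reply(CPE_LL, grp, build_ns(CPE_LL, grp, TARGET_OUT, CPE_MAC)))
```

The `target not in proxied` test is the safety property to keep when porting any of the Linux NDP proxies mentioned above: it is exactly the check whose absence, on the upstream side, makes the address-borrowing trick from Gregor's post possible.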


Re: IPV6 routing issue

Christian Weisgerber
In reply to this post by Giancarlo Razzolini-3
On 2015-06-26, Giancarlo Razzolini <[hidden email]> wrote:

>      I've recently changed my ISP and they have native IPv6. My customer
> premises equipment, which is a GPON, supports both stateless as DHCPv6
> on it's LAN interface. I want to put a OpenBSD firewall between this CPE
> and my internal network.

So you have TWO networks.  One between the CPE and your OpenBSD
firewall, and one containing the firewall and your internal machines.

> I'm using OpenBSD 5.7 stable. My CPE receive a
> /64 prefix delegation from my ISP.

So you get ONE network address.

You can't use a single network address for two networks.  This has
nothing to do with IPv6.  It's the same with IPv4.

You can use private addresses for your internal network and run NAT
on the firewall.  Or you can configure your firewall as a bridge
and filter there.
http://www.openbsd.org/faq/faq6.html#Bridge

--
Christian "naddy" Weisgerber                          [hidden email]


Re: IPV6 routing issue

Giancarlo Razzolini-3
Em 26-06-2015 16:17, Christian Weisgerber escreveu:
> So you have TWO networks.  One between the CPE and your OpenBSD
> firewall, and one containing the firewall and your internal machines.

Yes. Two interfaces, to be more exact.

> So you get ONE network address.

I get a prefix on the CPE. And I can configure any address in the prefix
on any machine on my LAN (or the OpenBSD LAN iface). And traffic gets
out. Just won't get replies.

>
> You can't use a single network address for two networks.  This has
> nothing to do with IPv6.  It's the same with IPv4.

I'm aware of that fact. But, since my CPE replies to an IA_PD request, I
imagined it would be able to route the packets correctly.

>
> You can use private addresses for your internal network and run NAT
> on the firewall.  Or you can configure your firewall as a bridge
> and filter there.
> http://www.openbsd.org/faq/faq6.html#Bridge

I'm trying to get some NDP proxy running on OpenBSD. But all of them are
Linux-centric. Perhaps, for now, I will use it as a filtering bridge.
Since I have enough interfaces on my OpenBSD machine, I will have a
bridge specifically for IPv6. And IPv4 will still be NATed.

Cheers,
Giancarlo Razzolini


Re: IPV6 routing issue

Christian Weisgerber
In reply to this post by Giancarlo Razzolini-3
On 2015-06-26, Giancarlo Razzolini <[hidden email]> wrote:

> I don't know if OpenBSD does have any NDP proxying functionality,
> besides the one in ndp(8). But it seems to me that, besides a bridge, a
> NDP proxy is the only viable solution (besides my ISP allowing me to
> change my router configuration).

Well, you can add an IPv6 address for each internal host to the
external interface of your firewall, use private addresses on the
internal network, and then use pf's binat to map between the two.
This will preserve port numbers, although it may not be enough for
nasty protocols like SIP.

--
Christian "naddy" Weisgerber                          [hidden email]


Re: IPV6 routing issue

Giancarlo Razzolini-3
Em 26-06-2015 16:44, Christian Weisgerber escreveu:
> Well, you can add an IPv6 address for each internal host to the
> external interface of your firewall, use private addresses on the
> internal network, and then use pf's binat to map between the two.
> This will preserve port numbers, although it may not be enough for
> nasty protocols like SIP.
I know I could use NAT. But, I really think it's almost an abomination
to use it, when you have native IPv6 support. I'll contact my ISP to see
if they can change my CPE mode of operation or, at least, allow me to
configure it. In the meantime, I'll go with a bridge firewall. It seems
like the most hassle free way to go. Perhaps I'll hack some NDP proxy.
But I need IPv6 connectivity, and I need it now.

Cheers,
Giancarlo Razzolini


Re: IPV6 routing issue

Stuart Henderson
In reply to this post by Christian Weisgerber
On 2015-06-26, Christian Weisgerber <[hidden email]> wrote:

> On 2015-06-26, Giancarlo Razzolini <[hidden email]> wrote:
>
>>      I've recently changed my ISP and they have native IPv6. My customer
>> premises equipment, which is a GPON, supports both stateless as DHCPv6
>> on it's LAN interface. I want to put a OpenBSD firewall between this CPE
>> and my internal network.
>
> So you have TWO networks.  One between the CPE and your OpenBSD
> firewall, and one containing the firewall and your internal machines.
>
>> I'm using OpenBSD 5.7 stable. My CPE receive a
>> /64 prefix delegation from my ISP.
>
> So you get ONE network address.
>
> You can't use a single network address for two networks.  This has
> nothing to do with IPv6.  It's the same with IPv4.

Actually that's fine, a point-to-point interface can be unnumbered,
or in the case of IPv6, it can just have a link-local address.

So PPP can *only* configure a link-local address. To get a globally
routable address you must use another method, either SLAAC, DHCPv6 PD,
or static configuration.

SLAAC would only give you an address on a /64 for use on the PPP
interface itself.

DHCPv6 PD would give you a /64 or (if allowed by the ISP) a larger
prefix to assign to interfaces as you choose. Normally you would
assign this to "internal" interface/s, but assuming the ISP allows
more than a /64, you *can* apply part of that delegation to the
PPP interface if you would like it to have a globally routable
address.


Re: IPV6 routing issue

Giancarlo Razzolini-3
Em 25-07-2015 11:50, Stuart Henderson escreveu:
> Actually that's fine, a point-to-point interface can be unnumbered,
> or in the case of IPv6, it can just have a link-local address.

In my case I don't have a PPP interface; my CPE talks to my OpenBSD
firewall over a normal LAN.

> DHCPv6 PD would give you a /64 or (if allowed by the ISP) a larger
> prefix to assign to interfaces as you choose. Normally you would
> assign this to "internal" interface/s, but assuming the ISP allows
> more than a /64, you *can* apply part of that delegation to the
> PPP interface if you would like it to have a globally routable
> address.
This is one of my problems: my ISP will only give me a /64 prefix, not
a /56 or another manageable size. I can ask for a PD from the CPE, but the
only prefix is already delegated to the CPE itself. So the CPE keeps
sending me neighbor solicitation messages and won't route the packets.
Unless I use NDP proxying, I can't do normal routing. As I stated, I did
a bridge. When I have some free time I'll revisit the NDP proxy.
Perhaps I'll be able to port some of the existing solutions to OpenBSD.

Cheers,
Giancarlo Razzolini