running rtsold on obsd 5.6 while also forwarding ipv6 traffic?

Forman, Jeffrey-2
Hi Misc,

Long time listener, seldom caller.

My problem statement: I run OpenBSD 5.6-stable on my fw/router. My ISP
(Comcast in the US) provides native IPv6 support for all their customers.
They provide a /128 address for your external WAN interface, along with a
/64 delegation for your internal LAN. I can use ISC's dhclient binary (from
the isc-dhcp-client-4.3 package) along with OpenBSD's rtsold binary to
request an IP and router gateway information respectively on my fw/router.
My problem is, rtsold is only expected/allowed to be used on host
(non-router) nodes.

"rtsold should be used on IPv6 hosts (non-router nodes) only. The
net.inet6.ip6.forwarding sysctl(8) should be set to zero (see also the -F
option below)." from rtsold(8).

First scenario: forwarding is enabled. The result is that rtsold seemingly
to my naive eyes does nothing. No default ipv6 route is added to the
routing table.

   # sysctl net.inet6.ip6.forwarding
   net.inet6.ip6.forwarding=1
   # rtsold -f -D -d em0
   rtsold: kernel is configured as a router, not a host
   setting rdomain 0
   ....
   em0 is ready
   send RS on em0, whose state is 2
   received RA from fe80::c639:3aff:fe02:59fa on em0, state is 2


Second scenario: forwarding is disabled. Rtsold adds the default ipv6 route
to the routing table.

   # sysctl net.inet6.ip6.forwarding=0
   net.inet6.ip6.forwarding: 1 -> 0
   # rtsold -f -D -d em0
   setting rdomain 0
   checking if em0 is ready...
   em0 is ready
   send RS on em0, whose state is 2
   received RA from fe80::c639:3aff:fe02:59fa on em0, state is 2

   # netstat -rn -f inet6 | grep -e default -e Destination
   Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
   default                            fe80::c639:3aff:fe02:59fa%em0  UG         0        0     -    56 em0

How do I reconcile rtsold's requirement of not running on a router while
still attempting to provide IPv6 connectivity to hosts behind my OpenBSD
fw/router? I've read various FreeBSD/Linux documentation that their OSen
provide functionality for mixing rtsold on the WAN with IPv6 forwarding,
but I would rather stick with OpenBSD on my fw/router as this is what I've
run for many years.

Thanks,
Jeff


Re: running rtsold on obsd 5.6 while also forwarding ipv6 traffic?

Stefan Sperling-5
On Wed, Nov 26, 2014 at 04:05:42PM -0500, Forman, Jeffrey wrote:
> How do I reconcile rtsold's requirement of not running on a router while
> still attempting to provide IPv6 connectivity to hosts behind my OpenBSD
> fw/router?

There's http://tools.ietf.org/html/rfc7084 but it's not implemented by
OpenBSD yet.

For now, try to ignore the ISP's WAN prefix and route outgoing
IPv6 traffic over link-local. This might work:

   route add -inet6 default -ifp em0 fe80::

For incoming traffic you can assign an address from the LAN /64 on
your router's internal interface and tell pf to make that address
reachable from the internet.


Re: running rtsold on obsd 5.6 while also forwarding ipv6 traffic?

Florian Obser-2
In reply to this post by Forman, Jeffrey-2
On Wed, Nov 26, 2014 at 04:05:42PM -0500, Forman, Jeffrey wrote:

> Hi Misc,
>
> Long time listener, seldom caller.
>
> My problem statement: I run OpenBSD 5.6-stable on my fw/router. My ISP
> (Comcast in the US) provides native IPv6 support for all their customers.
> They provide a /128 address for your external WAN interface, along with a
> /64 delegation for your internal LAN. I can use ISC's dhclient binary (from
> the isc-dhcp-client-4.3 package) along with OpenBSD's rtsold binary to
> request an IP and router gateway information respectively on my fw/router.
> My problem is, rtsold is only expected/allowed to be used on host
> (non-router) nodes.

On -current there is no longer the need to run rtsold(8), I just didn't
get around to deleting it yet.
        inet6 autoconf
in your /etc/hostname.$WAN_IF will suffice.
However, the problem is actually in the kernel. If you feel courageous
you can try this diff with net.inet6.ip6.forwarding=1 enabled.

And please use "inet6 autoconf" and not rtsold(8), I seem to recall that
there is a check in rtsold(8) that it won't send solicitations if
forwarding is enabled, I might be mistaken though.
Only tested a little; I don't have a test setup for this.
It compiles, doesn't panic immediately and I do get a default route
with forwarding enabled.

diff --git sys/netinet6/nd6.c sys/netinet6/nd6.c
index 529f077..52f1146 100644
--- sys/netinet6/nd6.c
+++ sys/netinet6/nd6.c
@@ -610,8 +610,7 @@ nd6_purge(struct ifnet *ifp)
  }
  }
 
- /* XXX: too restrictive? */
- if (!ip6_forwarding && (ifp->if_xflags & IFXF_AUTOCONF6)) {
+ if (ifp->if_xflags & IFXF_AUTOCONF6) {
  /* refresh default router list */
  defrouter_select();
  }
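
Review bot: With `!ip6_forwarding` dropped from the test in nd6_purge(), IFXF_AUTOCONF6 is the only thing that decides whether a forwarding node re-runs default router selection, and the removed "XXX: too restrictive?" is not replaced by anything that says so. A short comment here should state that this is intended: a router will now choose its default route from RAs received on any interface carrying that flag, so the flag belongs on the upstream interface only.
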
@@ -1574,12 +1573,8 @@ fail:
  * defrtrlist_update called the function as well.  However, I believe
  * we can compromise the overhead, since it only happens the first
  * time.
- * XXX: although defrouter_select() should not have a bad effect
- * for those are not autoconfigured hosts, we explicitly avoid such
- * cases for safety.
  */
- if (do_update && ln->ln_router && !ip6_forwarding &&
-    (ifp->if_xflags & IFXF_AUTOCONF6))
+ if (do_update && ln->ln_router && (ifp->if_xflags & IFXF_AUTOCONF6))
  defrouter_select();
 
  return rt;
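
Review bot: The three comment lines removed above the `if (do_update && ln->ln_router ...` test were the only record of why forwarding nodes were excluded "for safety", and the remaining comment block now ends without explaining the new condition. Either the comment or the commit message should say why calling defrouter_select() on a forwarding node is no longer a concern.
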
diff --git sys/netinet6/nd6_rtr.c sys/netinet6/nd6_rtr.c
index ba16368..9f1b728 100644
--- sys/netinet6/nd6_rtr.c
+++ sys/netinet6/nd6_rtr.c
@@ -712,21 +712,6 @@ defrouter_select(void)
  struct llinfo_nd6 *ln = NULL;
 
  /*
- * This function should be called only when acting as an autoconfigured
- * host.  Although the remaining part of this function is not effective
- * if the node is not an autoconfigured host, we explicitly exclude
- * such cases here for safety.
- */
- /* XXX too strict? */
- if (ip6_forwarding) {
- nd6log((LOG_WARNING,
-    "defrouter_select: called unexpectedly (forwarding=%d)\n",
-    ip6_forwarding));
- splx(s);
- return;
- }
-
- /*
  * Let's handle easy case (3) first:
  * If default router list is empty, there's nothing to be done.
  */
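
Review bot: Removing the `if (ip6_forwarding)` early return leaves defrouter_select() with no guard of its own, so on a router its behaviour now depends on every caller testing IFXF_AUTOCONF6 first. The two call sites changed in nd6.c do that, but callers outside this diff are not visible here and should be audited before this goes in. The nd6log() warning also disappears, so an unexpected call on a forwarding node is no longer logged.
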
@@ -879,7 +864,7 @@ defrtrlist_update(struct nd_defrouter *new)
  /* entry does not exist */
  if (new->rtlifetime == 0) {
  /* flush all possible redirects */
- if (!ip6_forwarding && (new->ifp->if_xflags & IFXF_AUTOCONF6))
+ if (new->ifp->if_xflags & IFXF_AUTOCONF6)
  rt6_flush(&new->rtaddr, new->ifp);
  splx(s);
  return (NULL);
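
Review bot: The `new->rtlifetime == 0` branch in defrtrlist_update() is the path taken when a router withdraws itself, and the testing described in the mail only covers gaining a default route with forwarding enabled. This branch should be exercised on a forwarding node as well, to confirm that rt6_flush() with `new->ifp` removes only the routes that point at that router.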


--
It compiles, let's ship it!


Re: running rtsold on obsd 5.6 while also forwarding ipv6 traffic?

Forman, Jeffrey-2
In reply to this post by Stefan Sperling-5
On Wed, Nov 26, 2014 at 4:26 PM, Stefan Sperling <[hidden email]> wrote:

> On Wed, Nov 26, 2014 at 04:05:42PM -0500, Forman, Jeffrey wrote:
> > How do I reconcile rtsold's requirement of not running on a router while
> > still attempting to provide IPv6 connectivity to hosts behind my OpenBSD
> > fw/router?
>
> There's http://tools.ietf.org/html/rfc7084 but it's not implemented by
> OpenBSD yet.
>
> For now, try to ignore the ISP's WAN prefix and route outgoing
> IPv6 traffic over link-local. This might work:
>
>    route add -inet6 default -ifp em0 fe80::
>

I hadn't ever thought of this, as this is my first foray into IPv6 on any
level. This actually worked! Using ndp, I was able to set the IPv6 default
gateway for my connection to this address associated with my cable modem.
I'm trying to come up with ways to programmatically do such a thing and
launch it as the dhclient-script, but that is for another time.


>
> For incoming traffic you can assign an address from the LAN /64 on
> your router's internal interface and tell pf to make that address
> reachable from the internet.
>

Yes. The next part of this plan will be to provide connectivity to my LAN.
Thanks Stefan!
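
The last post mentions setting the gateway programmatically. One way to derive it from the rtsold debug output shown earlier in the thread, as an added example that is not part of the original posts: the helper names are hypothetical, the log is a constructed sample, and the script only prints the route command (in the form given in Stefan's reply) rather than running it.

```sh
#!/bin/sh
# Added example. ra_source, is_link_local and default_route_cmd are
# hypothetical helper names, not part of OpenBSD or the thread.

# Constructed sample input, modelled on the rtsold -d output quoted above.
SAMPLE_LOG='setting rdomain 0
checking if em0 is ready...
em0 is ready
send RS on em0, whose state is 2
received RA from fe80::c639:3aff:fe02:59fa on em0, state is 2'

# Print the source address of the last RA logged for interface $1 (log on stdin).
ra_source() {
    sed -n "s/^received RA from \([0-9A-Fa-f:]*\) on $1, .*/\1/p" | tail -n 1
}

# Succeed only for a string of hex digits and colons that starts with fe80:.
# An RA is unauthenticated, so this checks form only, not who sent it.
is_link_local() {
    case "$1" in
        ""|*[!0-9A-Fa-f:]*) return 1 ;;
        [Ff][Ee]80:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print (do not run) the route command for interface $1, or fail if the log
# on stdin holds no RA from a link-local source on that interface.
default_route_cmd() {
    ifname=$1
    case "$ifname" in
        ""|*[!A-Za-z0-9]*) return 1 ;;   # keep odd names out of the sed pattern
    esac
    gw=$(ra_source "$ifname")
    is_link_local "$gw" || return 1
    # Command form taken from Stefan's reply: default route via -ifp plus link-local.
    printf 'route add -inet6 default -ifp %s %s\n' "$ifname" "$gw"
}

printf '%s\n' "$SAMPLE_LOG" | default_route_cmd em0
```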