Re: IPv6 with wide-dhcpv6

2017-07-18 Thread Mike
On 7/17/2017 11:09 PM, David Higgs wrote:
>[snip]
> After a good amount of trial and error, it appears that Comcast will only
> dole out a single /128 via DHCPv6.  Annoying but easy enough to work around
> with pf(4) nat-to and some static RFC 4193 prefixes.


I have Comcast as my ISP.

Comcast's IPv6 DHCP, by default, doles out a /128.  If you also want a
prefix delegation, you have to ask for it.  Comcast will give out up to
a /60 prefix delegation.  I ask for and receive a /62.  If you don't
specify a prefix delegation length, you'll get a /64 prefix.

I use the ISC-DHCP dhclient with this patch:
https://archive.mgm51.com/sources/pd-pref.html

It's been running reliably ever since Comcast fired up IPv6 in my area,
i.e., more than three years.

IPv6 has been deployed nationwide on Comcast's network for at least a
couple of years now.
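
Requesting a delegated prefix with a length hint, as described in the message above, sketched here for dhcpcd, the client recommended elsewhere in this thread. This is an added example, not configuration posted by anyone in the thread; the interface names em0 (upstream) and em1 (LAN) and the IAID numbers are assumptions, and the /60 hint is the largest delegation the message says Comcast gives out.

```conf
# /etc/dhcpcd.conf -- added example; em0/em1 and the IAIDs 1 and 2 are assumed
ipv6only                  # assumption: IPv4 is configured by something else
noipv6rs                  # no router solicitation except where enabled below

interface em0             # upstream (ISP-facing) interface
  ipv6rs                  # solicit and accept router advertisements here
  ia_na 1                 # request a normal address (the single /128)
  ia_pd 2/::/60 em1/0/64  # request a delegated prefix, hinting a /60, and
                          # assign subnet 0 of it to em1 as a /64
```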




Re: IPv6 with wide-dhcpv6

2017-07-17 Thread David Higgs
On Sat, Jul 15, 2017 at 2:17 AM, Stuart Henderson wrote:

> On 2017-07-14, David Higgs wrote:
> > Comcast provides me with IPv6 via DHCPv6, which I've finally tried to
> > configure on my OpenBSD 6.1 router.  I am having difficulty maintaining my
> > IPv6 public IP address when using the wide-dhcpv6 package when in client
> > mode.
>
> Switch to dhcpcd, which has a workaround for the vltime/pltime bug, or
> use a snapshot, where it has been fixed. Or both.
>
> > - Is there a security/quality preference between wide-dhcpv6 and dhcpcd?  I
> > notice that dhcp6c doesn't appear to support a dedicated chroot/user...
>
> dhcpcd is more modern and actively maintained. I'm not aware of any
> client that does DHCPv6-PD that has privsep though.
>
> > - Does the project have any near-term plans to write a DHCPv6 daemon to
> > live in base?
>
> I'm not aware of any.
>
>
After a good amount of trial and error, it appears that Comcast will only
dole out a single /128 via DHCPv6.  Annoying but easy enough to work around
with pf(4) nat-to and some static RFC 4193 prefixes.

No apparent problems when running dhcpcd.  FWIW, I did notice that
sometimes my upstream link does not have the accept_rtadv flag set (as per
ndp -i $INTF), but I haven't investigated this in depth.

Thanks!

--david


Re: IPv6 with wide-dhcpv6

2017-07-15 Thread Stuart Henderson
On 2017-07-14, David Higgs wrote:
> Comcast provides me with IPv6 via DHCPv6, which I've finally tried to
> configure on my OpenBSD 6.1 router.  I am having difficulty maintaining my
> IPv6 public IP address when using the wide-dhcpv6 package when in client
> mode.

Switch to dhcpcd, which has a workaround for the vltime/pltime bug, or
use a snapshot, where it has been fixed. Or both.

> - Is there a security/quality preference between wide-dhcpv6 and dhcpcd?  I
> notice that dhcp6c doesn't appear to support a dedicated chroot/user...

dhcpcd is more modern and actively maintained. I'm not aware of any
client that does DHCPv6-PD that has privsep though.

> - Does the project have any near-term plans to write a DHCPv6 daemon to
> live in base?

I'm not aware of any.



IPv6 with wide-dhcpv6

2017-07-14 Thread David Higgs
Comcast provides me with IPv6 via DHCPv6, which I've finally tried to
configure on my OpenBSD 6.1 router.  I am having difficulty maintaining my
IPv6 public IP address when using the wide-dhcpv6 package when in client
mode.

Specifically, when the pltime/vltime goes to zero, the address is removed
from the interface but dhcp6c doesn't seem interested in renewing either
before or after this happens until I manually send it a HUP.

When running tcpdump, I see the following RA packet(s) but do not see the
prefixes in my routing table.
13:27:09.986879 fe80::201:5cff:fe86:7046 > ff02::1: icmp6: router
advertisement(chlim=0, MO, pref=medium, router_ltime=1800,
reachable_time=360, retrans_time=1000)(prefix info: valid_ltime=604800,
preferred_ltime=302400, prefix=2001:558:4083:17::/64)(prefix info:
valid_ltime=604800, preferred_ltime=302400,
prefix=2001:558:5018:69::/64)(prefix info: valid_ltime=604800,
preferred_ltime=302400, prefix=2001:558:6020:117::/64)(prefix info:
valid_ltime=604800, preferred_ltime=302400, prefix=2001:558:8026:22::/64)
[icmp6 cksum ok] (len 144, hlim 255)

Several questions:
- Have I configured something wrong?
- Should the RA prefixes appear in my routing table?  Is this related at
all to my issues?
- I plan to get prefix delegation going eventually, are there any other
surprises to worry about?
- Is there a security/quality preference between wide-dhcpv6 and dhcpcd?  I
notice that dhcp6c doesn't appear to support a dedicated chroot/user...
- Does the project have any near-term plans to write a DHCPv6 daemon to
live in base?

Happy to provide further info; thanks in advance for any feedback.

--david