subject:"IPv6 routing\(\?\)"

Re: IPv6 routing(?)

2016-11-18 Thread Jan Danielsson

On 2016-11-18 22:44, Robert Elz wrote:
[---]
>   |What do I need to do to make it respond to such requests?
> 
> You don't want it to, just assign your addressing rationally, rather than
> attempting to cram the world into one /64 (copying horrid IPv4 required hacks)
> and I suspect it will all be OK.
> 
> Assign a different /64 to your LAN (from the same /48).

   After getting over the initial "How dare he imply I have an IPv4
fetish?!" shock, I thought about it and you're completely right:  I've
been thinking in terms of IPv4.

   I stopped trying to shoehorn.  It works now.

   Thanks to everyone who contributed toward helping me break the IPv4
chains.  IPv6 ftw.

   /Jan

Re: IPv6 routing(?)

2016-11-18 Thread Robert Elz

Date:Fri, 18 Nov 2016 17:32:47 +0100
From:Jan Danielsson 
Message-ID:  

  |So what happens is that the echo request is sent out from my host
  | (say it has address X), then I see then Cisco modem (ISP's equipment)
  | make a Neighbor Solicitation for the address X, but my NetBSD router
  | (which knows about address X according to "ndp -a") never replies.

Nor should it, it doesn't own the address.

  |What do I need to do to make it respond to such requests?

You don't want it to, just assign your addressing rationally, rather than
attempting to cram the world into one /64 (copying horrid IPv4 required hacks)
and I suspect it will all be OK.

Assign a different /64 to your LAN (from the same /48).

kre

Re: IPv6 routing(?)

2016-11-18 Thread Jan Danielsson

On 2016-11-18 03:35, Andy Ruhl wrote:
[---]
> Packets going out but not coming back seems to be the key.

   Exactly, and ..

> IPv6 likes to have ICMP enabled for path mtu discovery, might look into that.

   .. I think you're on to it here.

   So what happens is that the echo request is sent out from my host
(say it has address X), then I see then Cisco modem (ISP's equipment)
make a Neighbor Solicitation for the address X, but my NetBSD router
(which knows about address X according to "ndp -a") never replies.

   The issue seems to be that the router isn't acting as an "NDP proxy"
(analogous to an ARP proxy in IPv4, I assume).

   What do I need to do to make it respond to such requests?  Linux
appears to have a sysctl knob called net.ipv6.conf.all.proxy_ndp, is
there such a thing for NetBSD?  I looked through the sysctl list, but
couldn't find any obvious candidates.

   (NetBSD/amd64 -7).

> Also wondering if there is some issue receiving traffic, like you're
> firewalled? If you don't see ping replies they could be getting
> dropped before you can see them. Woud be nice to confirm by sniffing
> the outside interface somehow.

I'm using npf on my NetBSD router, but it's configured to allow
everything currently, so it shouldn't be an issue.

   /Jan

Re: IPv6 routing(?)

2016-11-17 Thread Robert Elz

Date:Thu, 17 Nov 2016 22:28:32 +0100
From:Jan Danielsson <jan.m.daniels...@gmail.com>
Message-ID:  <03604c00-17eb-f3de-d69e-ec070d06a...@gmail.com>

  |This is a proper global /48 network.

That sounds good, but what is "this" there - that is, to whom is
that /48 assigned, you or the ISP ?

  |The re0 interface is assigned a 2001:::0:... address (from
  | the ISP) with a prefixlen of 64

That's normal, though if this is some kind of emulated P2P link, a /64
is kind of overkill..   (but that is the ISP's choice, just accept it.)

  | (there's a static route in their router
  | which is /48, but it seems routers are typically assigned /64 chunks).

Links are typically assigned /64 chunks.  Routers have interfaces to
links, each interface has an address (of each class in use) usually.

Aside from links, the only other thing (and this is true both in v4 and v6)
that is usually assigned blocks of addresses is a dhcp server (which may
be running in a router, of course.)

  |The router's wm0 is manually assigned a /80 subnet,

Why /80 ?

  |What works:
  |- From the router, I can ping6/traceroute6 any address on the public
  | Internet.  (I.e. "ping6 netbsd.org" or "traceroute6 google.com" works fine).
  |- The router can ping6 the host1's IPv6 address.
  |- host1 can ping6 both the lan and wan addresses of the router.

That's good.

  |What doesn't work:
  |- From host1, I can not ping addresses on the public Internet.  (i.e.
  | ping6 netbsd.org) does not work.  traceroute6 google.com will only get a
  | reply for the first entry (2001:::0:4::1 (the router's lan
  | interface)) and then won't progress any further.

You might need to talk to the ISP, find out exactly what is in their
routing tables.   If the suggestion below doesn't help, you should also
probably show us what is in the router's IPv6 routing table:
netstat -rn -f inet6

Unless you have a really good reason, don't obfuscate the addresses with
  that just makes it harder to see what is really happening.

  |Typical cause for issues similar to this is that forwarding is not
  | enabled -- but it is (double and triple-checked).

v6 forwarding as well as v4 ?   (That is, what does
 sysctl net.inet6.ip6.forwarding
return ?   (On the router))   But I assume this is OK, as you say you
see ping requests from host1 passing out re0 on the router towards
the ISP.  That working tells you that the router is forwarding packets.

  |  Plus, and correct me
  | if I'm wrong here, I can ping the router's wan address from host1 which
  | wouldn't work if IPv6 forwarding had been disabled.

No, proves nothing, we don't have enough of a strict host model for that
to be a good test.

  |To my untrained eye, the routing tables on both host1 and the router
  | look fine; host1's default entry is to the router's link-local address
  | of the lan interface (analogous to the router's default route pointing
  | to fe80::1, autoconfigured and in accordance with the instructions from
  | the ISP).

Yes, those I expected to be fine from what you said worked.

  |The 2001:::0:4::/80 subnet on the router routes to link#2 (wm0).

  |If I run "tcpdump -nttt -i re0" on the router and then try to ping6
  | netbsd.org, I can see the echo requests (from the host1 address to
  | netbsd.org's IPv6 address), but no replies.

For various reasons, ping is not always a great test (it is when it works,
but when it fails the number of possible reasons is staggering...)

But ...
  | (Running the same ping6
  | command on the router will cause both requests and replies to be seen in
  | tcpdump).

Makes it look like the ISP isn't filtering ICMPv6 (which some do, stupidly).

  |Any tips on what I should be looking closer at?

Right now, my guess would be routing at the ISP.   I would tend to assume
that they are routing 2001:::0::/64 to the wan link between you
and them.   That includes your carved out /80 from that /64.   If that wan
link was really an emulated ethernet (or similar) you might see the ISP's
router issuing NDP requests for your host1 on that wan link - but the lack
of those (if they are absent) proves nothing.

You might want to try using a /64 on the lan link, perhaps
2001:::1::/64

With that you could use autoconfig on the hosts (that requires /64 prefixes,
not bigger, not smaller) rather than manual config (or DHCP).  (You can still
do manual config of course, and might want to while you're debugging -
manually config'd addresses tend to be much easier to type!)

Of course, this is assuming that the ISP has assigned 2001::::/48
to you.That's the (at least original) model for how IPv6 addresses should
be assigned, but not everyone believes in the calculations of address
availability, and some want to give smaller (that is, bigger 'n' in /n)
allocations to end

Re: IPv6 routing(?)

2016-11-17 Thread Andy Ruhl

On Thu, Nov 17, 2016 at 2:57 PM, Jan Danielsson
 wrote:
> On 2016-11-17 22:36, Andy Ruhl wrote:
>>>- The router can ping6 the host1's IPv6 address.
>>
>> I'm not really sure if this is relevant, but what source IP are you
>> using when this happens? Can you force it to be the external global
>> address?
>
>Using -S of ping6?
>
>router$ ping6 -S  
>
>.. seems to work fine.
>
>I honestly don't know what -I is supposed to do, and if it's at all
> relevant, but:
>
>router$ ping6 -I re0 
>
>.. yields "ping6: sendmsg: No route to host".  (Maybe it's grabbing
> the link-local address?)

Packets going out but not coming back seems to be the key.

IPv6 likes to have ICMP enabled for path mtu discovery, might look into that.

Also wondering if there is some issue receiving traffic, like you're
firewalled? If you don't see ping replies they could be getting
dropped before you can see them. Woud be nice to confirm by sniffing
the outside interface somehow.

Seems like not a forwarding issue like you say if you can ping the
outside global address.

Andy

Re: IPv6 routing(?)

2016-11-17 Thread Andy Ruhl

On Thu, Nov 17, 2016 at 2:28 PM, Jan Danielsson
 wrote:
>- The router can ping6 the host1's IPv6 address.

I'm not really sure if this is relevant, but what source IP are you
using when this happens? Can you force it to be the external global
address?

Andy

IPv6 routing(?)

2016-11-17 Thread Jan Danielsson

Hello,

  Thanks to help from the list, I got past some initial IPv6
configuration issues; the router gets its address and prefixlength from
the ISP and a host on the LAN gets a subnet address from the router.
However, one issue remains, and I've been banging my head against it for
too long and I need some more assistance.

   This is a proper global /48 network.

   As before, I'm reducing the network to this for simplicity:

   host1  router
   (re0)   <--->  (wm0)(re0)  <> ISP
  "lan" wan

   The re0 interface is assigned a 2001:::0:... address (from
the ISP) with a prefixlen of 64 (there's a static route in their router
which is /48, but it seems routers are typically assigned /64 chunks).

   The router's wm0 is manually assigned a /80 subnet, with the address
2001:::0:4::1.  (I had initially misunderstood the role of the
link-local address; per the suggestion of Martin Husemann I set a
hardcoded address on wm0 and that's when the address assignment of host1
started working).

   What works:
   - From the router, I can ping6/traceroute6 any address on the public
Internet.  (I.e. "ping6 netbsd.org" or "traceroute6 google.com" works fine).
   - The router can ping6 the host1's IPv6 address.
   - host1 can ping6 both the lan and wan addresses of the router.

   What doesn't work:
   - From host1, I can not ping addresses on the public Internet.  (i.e.
ping6 netbsd.org) does not work.  traceroute6 google.com will only get a
reply for the first entry (2001:::0:4::1 (the router's lan
interface)) and then won't progress any further.

   Typical cause for issues similar to this is that forwarding is not
enabled -- but it is (double and triple-checked).  Plus, and correct me
if I'm wrong here, I can ping the router's wan address from host1 which
wouldn't work if IPv6 forwarding had been disabled.

   To my untrained eye, the routing tables on both host1 and the router
look fine; host1's default entry is to the router's link-local address
of the lan interface (analogous to the router's default route pointing
to fe80::1, autoconfigured and in accordance with the instructions from
the ISP).

   The 2001:::0:4::/80 subnet on the router routes to link#2 (wm0).

   If I run "tcpdump -nttt -i re0" on the router and then try to ping6
netbsd.org, I can see the echo requests (from the host1 address to
netbsd.org's IPv6 address), but no replies.  (Running the same ping6
command on the router will cause both requests and replies to be seen in
tcpdump).

   Any tips on what I should be looking closer at?

   /Jan

Re: IPv6 routing(?)

Re: IPv6 routing(?)

Re: IPv6 routing(?)

Re: IPv6 routing(?)

Re: IPv6 routing(?)

Re: IPv6 routing(?)

IPv6 routing(?)

7 matches

Site Navigation

Mail list logo

Footer information