ipv6 default router Operation not permitted

Mark Martinec Mark.Martinec+freebsd at ijs.si
Wed Mar 13 15:59:45 UTC 2013


On Wednesday March 13 2013 Schrodinger wrote:
> This isn't my network so I don't have any input into the matter. This
> is the OVH configuration for their dedicated servers, at least in my
> product range.
> 
> > [1] http://help.ovh.com/Ipv4Ipv6#link10
> I read this, I made sure to read this and then I read it a second time.
> No where does it indicate the use of a /56. I am in the process of a
> migration from an old OVH server to a new OVH server. My old box uses
> the /56 prefix length "fix" but based on the documentation this is
> incorrect and IMO this assumes that anyone else in the /56 is in the
> same segment as me and if they are using /64 - well, There Be Dragons.

> I am informed that I must configure my interface to /64 by OVH. The same
> as everyone else. So if everyone was on a /64 then we will send packets
> to each other via our shared default gateway.

> If I were to change my interface prefix length to /56 my host would no
> longer consider the need to send packets to the default gateway for any
> host within this /56. I would simply perform Neighbour Solicitation on
> my link.

Fleuriot Damien writes:
> OVH allocates a /64 per customer.
> To avoid having to setup 1 gateway per customer, they set up a single one
> within a /56, allowing for 256 /64s

I see, nasty.

> This mimics the situation where your host gives you a /32 ipv4 within
> a /24 network and uses a single gateway, again for 250ish customers.

No it doesn't. That would be true if a mask on the interface were /32,
in which case there would again be a problem reaching a default router
in absence of an ARP entry.

Similarly if a net would be a /16 and an interface would be given
a /24 mask and a router would be outside of this /24 subnet,
even if on the same L2 link.

> Does adding the interface route not put the default gateway on-link
> though ?

I don't think it does. The on-link state of an address comes
from matching the address to a set of prefixes on an interface,
or finding it in the ndp cache - perhaps as a result of receiving
a Redirect message, or manually.


RFC 4861 section 2.1.:

on-link - an address that is assigned to an interface on a
          specified link.  A node considers an address to be
          on-link if:

  - it is covered by one of the link's prefixes (e.g.,
    as indicated by the on-link flag in the Prefix
    Information option), or

  - a neighboring router specifies the address as the
    target of a Redirect message, or

  - a Neighbor Advertisement message is received for
    the (target) address, or

  - any Neighbor Discovery message is received from
    the address.


> Also from the information I have received, router advertisements may be
> turned off in the future, my host should simply Neighbour Solicit for
> the global scope unicast address of my default gateway.

A host would not send a Neighbour Solicitation for an address
which is not considered on-link:

RFC 4861 section 7.2

  Address resolution is the process through which a node determines the
  link-layer address of a neighbor given only its IP address.  Address
  resolution is performed only on addresses that are determined to be
  on-link and for which the sender does not know the corresponding
  link-layer address (see Section 5.2).


> was that because of the host route for the default gateway FreeBSD does
> not solicit for the "on-link gateway" because the interface is not set 
> to ACCEPT_RTADV. But that doesn't make immediate sense.
> 
> And as pointed out in previous emails without ACCEPT_RTADV for
> re0 - FreeBSD does not perform this action.

The router's link-layer address is available in RA messages.
If you turn off ACCEPT_RTADV (or if a router does not send them),
the only way to obtain a router's link-layer address would be
by sending a Neighbour Solicitation (which is only sent to an
address which is considered on-link), or by manually placing
it in the NDP cache.

> So again, what is the correct way ? I think this is a debate of IPv6
> Protocol vs. IPv6 Policy vs. Network architecture.

I'm not sure, but it appears to me that adding the router's
link-layer address to the NDP cache looks like the only
reliable way, in absence of router advertisements.

  Mark
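The on-link test from RFC 4861 section 2.1 and the "NS only for on-link addresses" rule from section 7.2 that this thread hinges on, worked through as an added example (not code from the list posters or from FreeBSD). The addresses are constructed from the RFC 3849 documentation prefix: a customer /64 and a provider gateway that sits in a different /64 of the same /56, as the thread describes the OVH layout. The `ndp -s` command is FreeBSD's real syntax for a static NDP entry; the MAC address is a documentation value, not a real router.

```python
"""On-link determination (RFC 4861 2.1) and its effect on Neighbor
Solicitation (RFC 4861 7.2), applied to the /64-inside-a-/56 layout
discussed in the thread. All addresses below are constructed."""
from ipaddress import IPv6Address, IPv6Interface, IPv6Network

# Constructed example values (RFC 3849 prefix, RFC 7042 documentation MAC).
CUSTOMER_ADDR = "2001:db8:0:2a::1"        # customer host, inside 2001:db8:0:2a::/64
GATEWAY = "2001:db8:0:ff:ff:ff:ff:ff"     # provider gateway, a different /64 of the same /56
GATEWAY_LLADDR = "00:00:5e:00:53:01"      # hypothetical router MAC


def is_on_link(addr, prefixes, ndp_cache=()):
    """RFC 4861 2.1: an address is on-link if a link prefix covers it, or if it
    is already in the NDP cache (entry learned from a Redirect, from a received
    NA/NS, or placed there manually with `ndp -s`)."""
    a = IPv6Address(addr)
    if any(a in IPv6Network(p) for p in prefixes):
        return True
    return a in {IPv6Address(x) for x in ndp_cache}


def will_solicit(addr, prefixes, ndp_cache=()):
    """RFC 4861 7.2: address resolution (sending an NS) happens only for an
    address that is on-link AND whose link-layer address is not yet known."""
    cached = IPv6Address(addr) in {IPv6Address(x) for x in ndp_cache}
    return is_on_link(addr, prefixes, ndp_cache) and not cached


def router_lladdr_obtainable(gateway, prefixes, ndp_cache=(), rtadv=False):
    """Without RAs (ACCEPT_RTADV off or router silent), the router's
    link-layer address can come only from an NS or from a manual cache entry."""
    if rtadv:
        return True  # RA carries the router's link-layer address
    cached = IPv6Address(gateway) in {IPv6Address(x) for x in ndp_cache}
    return cached or will_solicit(gateway, prefixes, ndp_cache)


def scenario(prefixlen, ndp_cache=(), rtadv=False):
    """Configure the customer interface with the given prefix length and
    report (on_link, lladdr_obtainable) for the provider gateway."""
    iface = IPv6Interface(f"{CUSTOMER_ADDR}/{prefixlen}")
    prefixes = [str(iface.network)]
    return (
        is_on_link(GATEWAY, prefixes, ndp_cache),
        router_lladdr_obtainable(GATEWAY, prefixes, ndp_cache, rtadv),
    )


def other_customer_on_link(prefixlen, other="2001:db8:0:3b::1"):
    """Side effect of the /56 'fix': every other customer's /64 becomes on-link,
    so traffic to them is resolved by NS on the shared link instead of going
    through the gateway. `other` is a constructed neighbour in the same /56."""
    iface = IPv6Interface(f"{CUSTOMER_ADDR}/{prefixlen}")
    return is_on_link(other, [str(iface.network)])


def ndp_static_entry(gateway=GATEWAY, lladdr=GATEWAY_LLADDR):
    """FreeBSD command that places the router's link-layer address in the NDP
    cache by hand, the remedy the thread arrives at when RAs are unavailable."""
    return f"ndp -s {gateway} {lladdr}"


if __name__ == "__main__":
    print("/64, no RA:            ", scenario(64))
    print("/64, RA accepted:      ", scenario(64, rtadv=True))
    print("/64, static ndp entry: ", scenario(64, ndp_cache=[GATEWAY]))
    print("/56 'fix':             ", scenario(56))
    print("/56 makes others on-link:", other_customer_on_link(56))
    print("remedy:", ndp_static_entry())
```

With the interface at /64 and no RA, the gateway is neither covered by a prefix nor cached, so no NS is ever sent and the router's link-layer address cannot be learned; that is the "Operation not permitted" situation. A static `ndp -s` entry resolves it without widening the mask, whereas the /56 mask also makes every other customer's /64 on-link.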

