Re: DHCPv6 IA_PD - how-to
Date: Mon, 29 Jul 2024 10:05:37 UTC
---- On Sat, 27 Jul 2024 04:21:08 +0100 moto kawasaki wrote ---
>
> Hi Chris, all
>
> I am struggling with the same problem too, and here is my working
> configuration for dhcp6c in my test environment.
> Hope this can be of help.
>
>
> vtnet0 is uplink, where I expect to receive RA from ISP.
>
> If the upstream router sends RA with PD with 2001:db8:beef::/56, dhcp6c
> will add sla-len (8 in this configuration) to the prefix length (/56)
> to get the final prefix length of /64.
> Also, dhcp6c will add sla-id (11 and 12, decimal) to the prefix, so that
> I will use 2001:db8:beef:b/64 and 2001:db8:beef:c/64 for assigning my
> internal network interfaces (vtnet1 and vtnet2).
>
> Well, I am wondering how I can tell "authentication isp_auth" entry to
> use the "isp_key", especially when I have multiple "keyinfo" entries.
>
>
>
> ===== /usr/local/etc/dhcp6c.conf =====
> keyinfo isp_key {
>     realm "example.org";
>     keyid 1;
>     secret "JTY0XXXXXXXXXXXXXXX=="; # masked.
> };
>
> authentication isp_auth {
>     protocol delayed;
> };
>
> interface vtnet0 {
>     script "/usr/local/etc/dhcp6c-script.sh";
>     send ia-pd 3;
>     send authentication isp_auth;
>     request domain-name-servers;
>     request domain-name;
>     request ntp-servers;
>     #send rapid-commit;
> };
>
> id-assoc pd 3 {
>     prefix-interface vtnet1 {
>         sla-id 11;
>         sla-len 8;
>     };
>     prefix-interface vtnet2 {
>         sla-id 12;
>         sla-len 8;
>     };
> };
> =====

For dhcpcd you would do this:

    interface vtnet0
    ia_pd 3 vtnet1/11 vtnet2/12
    option domain_name_servers, domain_name, ntp_servers
    authproto delayed
    authtoken 1 "example.org" forever "JTY0XXXXXXXXXXXXXXX=="

But please note that delayed authentication has now been obsoleted:
https://datatracker.ietf.org/doc/html/rfc8415#section-25

While dhcpcd supports it to some extent, it's not widely tested and could be broken in any given release as I don't have a means of testing it right now.

The only real authentication support that is in the RFCs is the reconfigure key.
https://datatracker.ietf.org/doc/html/rfc8415#section-20.4

Roy
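
The client-side check behind the reconfigure key mentioned above (RFC 8415 section 20.4), as an added example that is not part of the original post and not dhcpcd's code. The function names and the sample message are constructed for illustration; the sample omits the Client ID and Server ID options a real Reconfigure carries.

```python
import hashlib, hmac, struct

OPTION_AUTH = 11       # Authentication option, RFC 8415 section 21.11
MSG_RECONFIGURE = 10   # Reconfigure message type
RKAP = (3, 1, 0)       # protocol, algorithm, RDM for reconfigure key authentication
TYPE_HMAC = 2          # auth-info type carried in a Reconfigure (HMAC-MD5 digest)

def find_auth(msg):
    """Return (offset of the 16-byte digest, replay counter) of the RKAP option."""
    pos = 4  # skip msg-type (1 byte) and transaction-id (3 bytes)
    while pos + 4 <= len(msg):
        code, length = struct.unpack_from("!HH", msg, pos)
        body = pos + 4
        if body + length > len(msg):
            raise ValueError("truncated option")
        if code == OPTION_AUTH:
            if (length != 28 or tuple(msg[body:body + 3]) != RKAP
                    or msg[body + 11] != TYPE_HMAC):
                raise ValueError("not a reconfigure-key authentication option")
            (counter,) = struct.unpack_from("!Q", msg, body + 3)
            return body + 12, counter
        pos = body + length
    raise ValueError("no authentication option")

def verify_reconfigure(msg, key, last_counter):
    """Return the accepted replay counter, or raise ValueError."""
    if not msg or msg[0] != MSG_RECONFIGURE:
        raise ValueError("not a Reconfigure message")
    off, counter = find_auth(msg)
    if counter <= last_counter:  # RDM 0: counter must strictly increase
        raise ValueError("replayed or stale counter")
    # The HMAC covers the whole message with the digest field zeroed.
    zeroed = msg[:off] + bytes(16) + msg[off + 16:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg[off:off + 16]):
        raise ValueError("bad HMAC")
    return counter

def build_reconfigure(key, counter):
    """Constructed sample: Reconfigure Message option (19) asking for Renew (5)."""
    head = bytes([MSG_RECONFIGURE, 0, 0, 0]) + struct.pack("!HHB", 19, 1, 5)
    auth = struct.pack("!HH3BQB", OPTION_AUTH, 28, *RKAP, counter, TYPE_HMAC)
    digest = hmac.new(key, head + auth + bytes(16), hashlib.md5).digest()
    return head + auth + digest
```

The key is the 128-bit value the server hands the client in a Reply; a client that accepts a Reconfigure without this check and the counter comparison will renew or rebind on request from any host that can reach it.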