
kenjidnb

join:2009-08-07
San Mateo, CA

multiple ipv6 addresses on one interface

As opposed to IPv4, it seems that a single physical (or virtual) interface can have multiple IPv6 addresses assigned to it. Since we are multi-homed, in the sense that we have an internal link to our remote sites and an "ISP" link to the world, I am wondering how this will work. In other words, how will the router or host know which IPv6 source address to use when sending packets to a destination?
In my case, let's say I have an interface with 3 IPv6 addresses assigned to it, one link-local and two global unicast. My machine (the source) wants to send packets to a destination that is not on the same subnet as any of my configured IPv6 addresses. So the first hop is the router, which will forward the packets according to its routing table. Now the packets will certainly find their way towards the destination via whatever route is configured, but what about the return packets? Receiving data on a different link than the sending link will not be allowed on the firewall.

How do I get control of which IPv6 address I use as a source when I send packets?


Datlev
Premium
join:2002-02-15
Ashburn, VA
·Vonage
·Verizon FIOS

said by kenjidnb:

How do I get control of which ipv6 address I use as a source when I send packets?
Source address selection for IPv6 depends on the particular application and OS, but there is an RFC that goes into detail on how it is designed to work: (RFC3484)

»www.ietf.org/rfc/rfc3484.txt

The defining factor is usually an OS default policy table that can be modified to suit specific needs.

For example, the utility ip6addrctl(8) in FreeBSD, or the netsh facility in Windows (netsh int ipv6 show prefixpolicy). Google for your particular OS and "ipv6 address selection" if in doubt.

As well, individual applications (e.g. openssh) can (and do) allow for binding to a specific address rather than letting the OS decide based upon the policy table.

There was some research done (several years ago, so take with a grain of salt now) by NTT here looking at implementations: »www.nttv6.net/dass/

Also take a look at this blog post for a decent paraphrased overview:
»etherealmind.com/ipv6-which-addr···lection/

Good Luck.

-_Dave H

kenjidnb

join:2009-08-07
San Mateo, CA

Interesting, I wonder how this algorithm performs in reality. I am sure it will become a true headache if some platforms do not follow the proper IPv6 address selection.

You mentioned Windows, which seems to have documented the case, but I am worried about the rebel macOS. Although it's based on FreeBSD, so there might be a chance to have an easy implementation of such a utility.

It might take me a while to read the whole RFC and understand the mechanism but thanks a lot for the info!


justbits
More fiber than ATT can handle
Premium
join:2003-01-08
Chicago, IL
·AT&T Midwest

Concerning Mac OS X and RFC 3484:

»lists.apple.com/archives/ipv6-de···002.html
As it says, if you really want this, file a bug/enhancement request at »bugreporter.apple.com/.


blackips

@digex.net
reply to kenjidnb
I thought this is possible in IPv4?
»www.cyberciti.biz/faq/multiple-i···terface/

kenjidnb

join:2009-08-07
San Mateo, CA

reply to kenjidnb
I have been reading a little about it and it seems like the only answer to this problem is RFC3484.
Now, sorting out what is possible and what is not, I tried to experiment with the source address selection process from a machine that implements the standard. My easiest pick was my PC running Windows XP.
In my experiment, I had 2 global unicast addresses configured on one interface. I tried to reconfigure the default policy table of the PC by telling it to use one address as a source over the other for some specific destination. I only have one IPv6 destination address, so I don't have to worry about destination address selection and precedence.
S1: 2620:aaaa:aaaa::1 (this is my preferred source for dest D)
S2: 2620:bbbb:bbbb::1
D: 2001:cccc:cccc::1

If I want to make sure S1 is picked when I communicate with D, this is how I configure my default policy table:
c:\> ipv6 ppt
2620:bbbb:bbbb::/48 -> precedence 30 srclabel 7 dstlabel 7
2620:aaaa:aaaa::/48 -> precedence 45 srclabel 6 dstlabel 6
2001:cccc:cccc::/48 -> precedence 45 srclabel 6 dstlabel 6

Here, the destination and the preferred source S1 have the same srclabel (matching label rule: part 5, rule 6) in the RFC. As I understood the RFC, if srclabel(S1)=srclabel(D) and srclabel(S2)!=srclabel(D) then S1 is preferred.

When looking at a sniffer capture, it appears that my PC is not using the preferred source address (S1) but is using the other one (S2).

Wondering if I am configuring something wrong or if it's just my PC that doesn't care about the default policy table.


Datlev
Premium
join:2002-02-15
Ashburn, VA
·Vonage
·Verizon FIOS


So, dealing with the policy table can be a bit confusing, and from your description you are using an older version of the ipv6 command line tools in XP. I suggest that you update to the latest XP service pack and use the netsh interface (rather than any ipv6.exe interface).

That being said, the policy table worked fine for my tests on Windows 7. I do not have an XP box handy at the moment to verify, but last time I tried, it worked well (with XP SP3).

Please take a look at the Cable Guy's writeup for the Windows policy table:

»technet.microsoft.com/en-us/libr···985.aspx

I happen to be using a global IPv6 tunneled (6in4) connection via my gateway/router that provides IPv6 radvd to my LAN, and ran a test by adding an additional global IPv6 address to my NIC, and by adding two policy entries.

/64 changed to documentation prefix to protect the innocent (2001:db8::/32)


When I was done, I had two global ipv6 addresses on my "Local Area Connection" interface, and when I connect to any host in the 2001:4860::/32 range (say ipv6.google.com), it uses the 2001:db8:8:584::6666/64 source address since the label matches (I used 6666 in both entries). e.g.:

C:\Windows\system32>netsh int ipv6 show prefixpolicies
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        30      2  2002::/16
        20      3  ::/96
        10      4  ::ffff:0:0/96
         5      5  2001::/32
         2   6666  2001:db8:8:584::6666/128
         2   6666  2001:4860::/32

Looking at all of the addresses on my "Local Area Connection" interface is important as well:

C:\Windows\system32>netsh int ipv6 show addresses interface="Local Area Connection"

Address 2001:db8:8:584::6666 Parameters
---------------------------------------------------------
Interface Luid : Local Area Connection
Scope Id : 0.0
Valid Lifetime : infinite
Preferred Lifetime : infinite
DAD State : Preferred
Address Type : Manual

Address 2001:db8:8:584:801c:cf06:a293:8a97 Parameters
---------------------------------------------------------
Interface Luid : Local Area Connection
Scope Id : 0.0
Valid Lifetime : 6d22h39m43s
Preferred Lifetime : 6d22h39m43s
DAD State : Preferred
Address Type : Temporary

Address 2001:db8:8:584:9092:e075:c6fb:ae3c Parameters
---------------------------------------------------------
Interface Luid : Local Area Connection
Scope Id : 0.0
Valid Lifetime : 29d23h59m51s
Preferred Lifetime : 6d23h59m51s
DAD State : Preferred
Address Type : Public

Address 2002:81a8:102:: Parameters
---------------------------------------------------------
Interface Luid : Local Area Connection
Scope Id : 0.0
Valid Lifetime : infinite
Preferred Lifetime : infinite
DAD State : Preferred
Address Type : Manual

Address fe80::9092:e075:c6fb:ae3c%12 Parameters
---------------------------------------------------------
Interface Luid : Local Area Connection
Scope Id : 0.12
Valid Lifetime : infinite
Preferred Lifetime : infinite
DAD State : Preferred
Address Type : Other

Windows assigns temporary addresses and link-local addresses and uses random (non-EUI-64) addressing in some cases as well. You also need to look at any 6to4, Teredo, and ISATAP addresses to be complete.

In any case, play with it, I'm sure you will get the hang of it.

Good Luck.

---Dave

kenjidnb

join:2009-08-07
San Mateo, CA

Thanks for sharing your experience, Datlev. I actually got it working after I restarted the network card... It worked fine with my version of XP (SP3 as well). It does the job pretty well for a specific source and destination in the prefix policy table. However, when trying to set up a default source, it does not work as well.

For example, if I want to use the same source address every time except for the Google range, I would set the same label as for the "any" IPv6 address (::/0) and a different label for the other source and destination. Sounds better with an example:

C:\Windows\system32>netsh int ipv6 show prefixpolicy
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        30      2  2002::/16
        20      3  ::/96
        10      4  ::ffff:0:0/96
         5      5  2001::/32
        40      1  2620:aaaa:aaaa::1/128
         2   6666  2620:bbbb:bbbb::1/128
         2   6666  2001:4860::/32

But it does not work as expected. The 2620:bbbb address is properly used for any address in the Google range, but my PC seems to ignore the ::/0 source label and still uses the 2620:bbbb (instead of the 2620:aaaa) for any destination. And this time, yes, I restarted the NIC to activate it :)

I will keep trying and playing with the policy table until I get the hang of it. After all, there are only 10 rules for the default address selection (sigh)
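
An added example, not part of the thread or of any poster's message: a Python sketch of what RFC 3484 predicts for the two policy tables posted above, modelling only the policy-table label lookup, rule 6 (matching label) and rule 8 (longest matching prefix). The destination 2001:4860::68 is a constructed address inside 2001:4860::/32, the function names are hypothetical, and no operating system's implementation is modelled.

```python
import ipaddress

# Default rows as shown in both netsh listings in the thread.
DEFAULT = [("::1/128", 0), ("::/0", 1), ("2002::/16", 2),
           ("::/96", 3), ("::ffff:0:0/96", 4), ("2001::/32", 5)]
# Datlev's table and the non-link-local addresses on his interface.
DATLEV = DEFAULT + [("2001:db8:8:584::6666/128", 6666),
                    ("2001:4860::/32", 6666)]
DATLEV_ADDRS = ["2001:db8:8:584::6666",
                "2001:db8:8:584:801c:cf06:a293:8a97",
                "2001:db8:8:584:9092:e075:c6fb:ae3c",
                "2002:81a8:102::"]
# kenjidnb's table from the last post and his two global sources.
KENJI = DEFAULT + [("2620:aaaa:aaaa::1/128", 1),
                   ("2620:bbbb:bbbb::1/128", 6666),
                   ("2001:4860::/32", 6666)]
KENJI_ADDRS = ["2620:aaaa:aaaa::1", "2620:bbbb:bbbb::1"]

def label_of(addr, table):
    """Label of the longest policy prefix that contains addr."""
    ip = ipaddress.IPv6Address(addr)
    nets = [(ipaddress.IPv6Network(p), label) for p, label in table]
    hits = [n for n in nets if ip in n[0]]      # ::/0 always matches
    return max(hits, key=lambda n: n[0].prefixlen)[1]

def common_prefix_len(a, b):
    """Number of leading bits two addresses share (used by rule 8)."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()

def select_source(dest, candidates, table):
    """Rule 6 narrows to sources whose label equals the destination's;
    rule 8 then picks the longest common prefix with the destination."""
    dest_label = label_of(dest, table)
    matching = [c for c in candidates if label_of(c, table) == dest_label]
    pool = matching or candidates   # no label match: rule 6 does not decide
    return max(pool, key=lambda c: common_prefix_len(c, dest))

if __name__ == "__main__":
    google = "2001:4860::68"        # constructed address in 2001:4860::/32
    print(select_source(google, DATLEV_ADDRS, DATLEV))
    print(select_source(google, KENJI_ADDRS, KENJI))
    print(select_source("2001:cccc:cccc::1", KENJI_ADDRS, KENJI))
```

Under these rules the third call returns 2620:aaaa:aaaa::1, whereas the last post reports 2620:bbbb:bbbb::1 being used, so this model does not account for that observed behaviour.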