
Re: Thoughts about RA en DHCPv6 in /etc/network/interfaces



On Wed, 8 Dec 2010, chiel wrote:
> On a test network I just installed a Debian server. On this network RAs
> are being sent for SLAAC, just for testing.
>
> I configured a static IPv6 address in /etc/network/interfaces with the
> line "iface eth0 inet6 static", and all works well. However, because RAs are
> being sent I also have a SLAAC address, resulting in two IPv6 addresses.
> I know that I can disable the SLAAC behaviour somewhere in a config file
> but that is not the point.
>
> Wouldn't it be better if RA messages were ignored once you specified
> "iface eth0 inet6 static"? This results in a more understandable
> configuration and I also think a lot of administrators will neglect to
> turn off RA configuration once the server has a static address,
> resulting in possible security/stability issues when RAs start
> being sent by either a legitimate or rogue node.
>
> It would then be nice if you could control the behaviour, just like IPv4,
> in /etc/network/interfaces with something like "iface eth0 inet6 ra" and
> "iface eth0 inet6 dhcpv6".

SLAAC, DHCPv6, & static are not mutually exclusive with IPv6.  I agree that
most things with a static IPv6 address probably don't also want a SLAAC
address, but if you generalize this very much you'll cause trouble for some
use scenarios. Basically, don't assume that static implies no SLAAC.

RAs have information you want/need, such as the net MTU & the router address,
so don't discard the whole RA.

Here's what I do for my system with a static IPv6 address:

    iface eth0 inet6 static
        address <system_ipv6_addr>
        netmask 64
        gateway <rtr_ipv6_addr>
        # disable IPv6 address auto-configuration
        pre-up /sbin/sysctl -w net.ipv6.conf.eth0.autoconf=0
        # disable IPv6 acceptance of default router in RA
        pre-up /sbin/sysctl -w net.ipv6.conf.eth0.accept_ra_defrtr=0
        dns-nameservers <dns_ipv6_addr_1> <dns_ipv6_addr_2>
        dns-options edns0

I'm ignoring the router address in the RA because I'm a net guy & know what
router I want to use.  Most systems would not set the gateway & would accept
the router address in the RA by not setting
net.ipv6.conf.eth0.accept_ra_defrtr=0.

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford@uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
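
An added example, not part of either message: a small audit of /etc/network/interfaces content that flags "inet6 static" stanzas that leave the two sysctls discussed above at their defaults. The function name, finding texts and the 2001:db8:: sample addresses are assumptions made for illustration; it only recognises the pre-up/up sysctl style used in the reply.

```python
import re

# sysctl assignments of the form used in the pre-up hooks above
SYSCTL_RE = re.compile(r"net\.ipv6\.conf\.([^.\s]+)\.(autoconf|accept_ra_defrtr)\s*=\s*(\d+)")

def audit_interfaces(text):
    """Return {iface: [findings]} for each 'iface <name> inet6 static' stanza."""
    stanzas, name = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            # any other family/method (e.g. 'inet static') ends the tracked stanza
            name = words[1] if words[2:4] == ["inet6", "static"] else None
            if name:
                stanzas.setdefault(name, {"gateway": False})
        elif name and words[0] == "gateway":
            stanzas[name]["gateway"] = True
        elif name and words[0] in ("pre-up", "up"):
            for iface, key, value in SYSCTL_RE.findall(raw):
                if iface == name:  # a hook naming another interface does not count
                    stanzas[name][key] = value
    report = {}
    for name, s in stanzas.items():
        findings = []
        if s.get("autoconf") != "0":
            findings.append("autoconf not disabled: RA prefixes still add a SLAAC address")
        if s["gateway"] and s.get("accept_ra_defrtr") != "0":
            findings.append("static gateway set but RA default router still accepted")
        report[name] = findings
    return report

# Constructed sample: eth0 follows the reply above, eth1 has no hooks,
# eth2 carries a copy-pasted hook that still names eth0.
SAMPLE = """\
iface eth0 inet6 static
    address 2001:db8:0:1::10
    gateway 2001:db8:0:1::1
    pre-up /sbin/sysctl -w net.ipv6.conf.eth0.autoconf=0
    pre-up /sbin/sysctl -w net.ipv6.conf.eth0.accept_ra_defrtr=0
iface eth1 inet6 static
    address 2001:db8:0:2::10
    gateway 2001:db8:0:2::1
iface eth2 inet6 static
    address 2001:db8:0:3::10
    pre-up /sbin/sysctl -w net.ipv6.conf.eth0.autoconf=0
"""

if __name__ == "__main__":
    for iface, findings in audit_interfaces(SAMPLE).items():
        print(iface, findings or "ok")
```

A stanza without a gateway line is not flagged for accept_ra_defrtr, matching the reply's point that most systems take their default router from the RA.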

