Re: Thoughts about RA en DHCPv6 in /etc/network/interfaces

To: chiel <chiel@gmx.net>
Cc: debian-ipv6@lists.debian.org
Subject: Re: Thoughts about RA en DHCPv6 in /etc/network/interfaces
From: Jay Ford <jay-ford@uiowa.edu>
Date: Wed, 8 Dec 2010 13:51:48 -0600 (CST)
Message-id: <[🔎] alpine.DEB.2.00.1012081341450.28583@seatpost.its.uiowa.edu>
Reply-to: Jay Ford <jay-ford@uiowa.edu>
In-reply-to: <[🔎] 4CFFDD0C.70807@gmx.net>
References: <[🔎] AANLkTind53Gkimi-FWoKzfF7Y+GkgFQa+_jxbOiRDyDG@mail.gmail.com> <[🔎] 4CFFDD0C.70807@gmx.net>

On Wed, 8 Dec 2010, chiel wrote:

On a test network I just installed a Debian server. On this network RA
are being sent for SLAAC, just for testing.

I configured a static IPv6 address in /etc/network/interfaces with the
line "iface eth0 inet6 static", all works good. However, because RA are
being send I also have a SLAAC address, resulting in two IPv6 addresses.
I know that I can disable the SLAAC behaviour somewhere in a config file
but that is not the point.
Wouldn't it be better if RA messages be ignored once you specified
"iface eth0 inet6 static"? This result in a more understandable
configuration and I also think a lot of administrator will neglect to
turn off RA configurations once the server has a static address,
resulting in a possible security/stability issues when RA are start
being sent by either a legitimate or rogue node.

It would then be nice if you can control the behaviour, just like IPv4,
in /etc/network/interfaces with something like "iface eth0 inet6 ra" and
"iface eth0 inet6 dhcpv6".


SLAAC, DHCPv6, & static are not mutually exclusive with IPv6.  I agree that
most things with a static IPv6 address probably don't also want a SLAAC
address, but if you generalize this very much you'll cause trouble for some
use scenarios. Basically, don't assume that static implies no SLAAC.

RAs have information you want/need, such as the net MTU & the router address,
so don't discard the whole RA.

Here's what I do for my system with a static IPv6 address:

    iface eth0 inet6 static
	address <system_ipv6_addr>
	netmask 64
	gateway <rtr_ipv6_addr>
	# disable IPv6 address auto-configuration
	pre-up /sbin/sysctl -w net.ipv6.conf.eth0.autoconf=0
	# disable IPv6 acceptance of default router in RA
	pre-up /sbin/sysctl -w net.ipv6.conf.eth0.accept_ra_defrtr=0
	dns-nameservers <dns_ipv6_addr_1> <dns_ipv6_addr_2>
	dns-options edns0

I'm ignoring the router address in the RA because I'm a net guy & know what
router I want to use.  Most systems would not set the gateway & would accept
the router address in the RA by not setting
net.ipv6.conf.eth0.accept_ra_defrtr=0.

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford@uiowa.edu, phone: 319-335-5555, fax: 319-335-2951

Reply to:

Follow-Ups:
- Re: Thoughts about RA en DHCPv6 in /etc/network/interfaces
  - From: chiel <chiel@gmx.net>

References:
- Init Script for IPv6 6rd
  - From: Guillaume Leclanche <guillaume@leclanche.net>
- Thoughts about RA en DHCPv6 in /etc/network/interfaces
  - From: chiel <chiel@gmx.net>

Prev by Date: Re: Thoughts about RA en DHCPv6 in /etc/network/interfaces
Next by Date: Re: Thoughts about RA en DHCPv6 in /etc/network/interfaces
Previous by thread: Re: Thoughts about RA en DHCPv6 in /etc/network/interfaces
Next by thread: Re: Thoughts about RA en DHCPv6 in /etc/network/interfaces
Index(es):
- Date
- Thread