Support IPv6 Prefix Delegation

DHCPv6 Prefix Delegation is the best practice IPv6 deployment method and supported by most ISPs who provide native IPv6 for consumers on fixed networks. NetworkManager should support this.

In a nutshell, a CPE router (which could be a Linux box running NetworkManager) sends a DHCPv6 solicit message that includes the IA_PD option. The ISP DHCPv6 response has BOTH a IPv6 address for the CPE WAN interface AND a IPv6 prefix.

The IPv6 Prefix is typically a /56 which can be subnetted into quantity 256 /64 networks that can be assigned to internal networks.

First use case that should be supported:

Given a two interface system (WAN and LAN), NetworkManager ought to be able to be configured so that it can make a IA_PD solicitation, configure the WAN interface with the IPv6 IA_NA address, get the the prefix (IA_PD) from the response, extract the first /64 from the prefix, assign that prefix to the LAN interface and setup radvd to advertise that prefix on the LAN including setting the RDNSS option to advertise the DNS server.

That first use case will cover 90% of the need.

Additional use cases to consider:

• Support multiple LAN interfaces. Extract a /64 from the prefix for each LAN interface, setup radvd to advertise on each

• Support setting the AdvManagedFlag setting for radvd for radvd+DHCPv6 configurations.

• Configurable DNS server to advertise

References:

• https://wiki.debian.org/IPv6PrefixDelegation
• https://en.wikipedia.org/wiki/Prefix_delegation
• https://tools.ietf.org/id/draft-ietf-dhc-rfc3315bis-09.html#rfc.section.6.3
• ;https://blog.dan.drown.org/fedora-based-router-with-dhcpv6-pd-support/
• ttps://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/113141-DHCPv6-00.html

changed the description

changed the description

Hi, setting ipv6.method=shared in the LAN connection profile should already cover the main use case and possibly some of the additional ones. Can you please try it and report how it is working for you?

I setup a lab environment with a KEA DHCPv6 server.

            "reservations": [
                {
                    "duid": "<snip>",
                    "ip-addresses": ["<snip>::2" ],
                    "prefixes": [ "<snip>::/63" ]
                }
            ],

I have a CentOS 8 box with NetworkManager-1.20.0-3.el8.x86_64

• eth0 - internal
• eth1 - WAN

The KEA server is answering the DHCPv6 request made by eth1. I have eth0 ipv6.method set to shared.

Looking at the DHCP server logs, I only see a IA_NA request, not a IA_NA plus IA_PD like I was expecting. The eth1 is getting it's static IPv6 reservation, but the prefix isn't being handled.

# nmcli connection show eth0 | grep ipv6
ipv6.method:                            shared
ipv6.dns:                               --
ipv6.dns-search:                        --
ipv6.dns-options:                       --
ipv6.dns-priority:                      0
ipv6.addresses:                         --
ipv6.gateway:                           --
ipv6.routes:                            --
ipv6.route-metric:                      -1
ipv6.route-table:                       0 (unspec)
ipv6.routing-rules:                     --
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.ip6-privacy:                       0 (disabled)
ipv6.addr-gen-mode:                     eui64
ipv6.dhcp-duid:                         --
ipv6.dhcp-send-hostname:                yes
ipv6.dhcp-hostname:                     --
ipv6.token:                             --

# nmcli connection show eth1 | grep ipv6
ipv6.method:                            dhcp
ipv6.dns:                               --
ipv6.dns-search:                        --
ipv6.dns-options:                       --
ipv6.dns-priority:                      0
ipv6.addresses:                         --
ipv6.gateway:                           --
ipv6.routes:                            --
ipv6.route-metric:                      -1
ipv6.route-table:                       0 (unspec)
ipv6.routing-rules:                     --
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.ip6-privacy:                       0 (disabled)
ipv6.addr-gen-mode:                     eui64
ipv6.dhcp-duid:                         --
ipv6.dhcp-send-hostname:                yes
ipv6.dhcp-hostname:                     --
ipv6.token:                             --

I have a CentOS 8 box with NetworkManager-1.20.0-3.el8.x86_64

On that version, the default main.dhcp setting is "internal", which doesn't support IPv6-PD. You'd have to configure main.dhcp=dhclient. See man NetworkManager.conf.

In 1.20.0, "internal" used an implementation based on systemd code. That code got support for PD in 3c4f70c5 (1.22.0). However, at the same time, the implementation of the "internal" plugin changes to a new nettools based code. That means, on 1.22.0, you could also use the undocumented main.dhcp=systemd plugin that now supports it. That uses the same "internal" plugin as in 1.20, but with PD support. On 1.22.0, main.dhpc=internal now means main.dhcp=nettools, and that doesn't support PD yet. It's a bit confusing. The point is, that we are replacing the implementation of the internal plugin in 1.22, and while the old implementation got support for PD, the new still doesn't.

That means, PD should work in 1.20 with main.dhcp=dhclient and in 1.22 with main.dhcp=dhclient|systemd. Most important is of course to add support for the default (internal) plugin.

Patches and feedback welcome.

Looking at the DHCP server logs

also look at NM trace logs. Enable level=TRACE as described at https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/contrib/fedora/rpm/NetworkManager.conf#n28

OK, recap:

CentOS8 with NetworkManager-1.20.0-3.el8.x86_64

• eth0 - LAN
• eth1 - WAN

LAN interface has ipv6.method=shared set:

# nmcli connection show eth0 | grep ipv6.method
ipv6.method:                            shared

main.dhcp=dhclient set via snippet in /etc/NetworkManager/conf.d/

confirmed with:

# ps aux | grep dhclient
root      1705  0.0  0.1  83148  8816 ?        S    10:36   0:00 /sbin/dhclient -d -q -sf /usr/libexec/nm-dhcp-helper -pf /run/NetworkManager/dhclient-eth1.pid -lf /var/lib/NetworkManager/dhclient-c9a40ec6-c3a1-4c0b-9748-220ebc92c1af-eth1.lease -cf /var/lib/NetworkManager/dhclient-eth1.conf eth1

Contents of /var/lib/NetworkManager/dhclient-eth1.conf

# grep -v ^#  /var/lib/NetworkManager/dhclient-eth1.conf | grep .
send dhcp-client-identifier = hardware;
send host-name "server1"; # added by NetworkManager
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option ms-classless-static-routes code 249 = array of unsigned integer 8;
option wpad code 252 = string;
also request rfc3442-classless-static-routes;
also request ms-classless-static-routes;
also request static-routes;
also request wpad;
also request ntp-servers;
also request root-path;

NetworkManger logs:

NetworkManager[1245]: <debug> [1583602595.0480] device[0x560918d4b590] (eth0): activation-stage: schedule activate_stage5_ip_config_result_6,v6 (id 179)
NetworkManager[1245]: <debug> [1583602595.0480] policy: ipv6-pd: eth0 needs a subnet
NetworkManager[1245]: <info>  [1583602595.0480] policy: ipv6-pd: no device to obtain a subnet to share on eth0 from

Result: Not working.

Notice how the -P isn't set with dhclient, and looking at the dhcp server logs, no IA_PD was requested.

How do I get the WAN interface eth1 to make the prefix request?

Is there some other setting that needs to be set?

On a side note, is it possible to set main.dhcp=dhclient with nmcli?

policy: ipv6-pd: no device to obtain a subnet to share on

NM looks for a device with (the best) IPv6 default route, where to ask for the prefix (notice that you don't configure on which interface to as for a prefix)...

possibly NM is not smart enough to recover from activating the devices in the "wrong" order... the full log should tell you more.

Thank you! That was a helpful hint. Perhaps the error message could include the hint "no interface with ipv6 default route found" or something?

These settings needed to be in in my WAN ifcfg file.

IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes

It's working! My LAN interface is configured and hosts on my LAN are getting addresses from the prefix.

I don't see radvd running, does NetworkManager itself have a built in route advertisement?

It's working! My LAN interface is configured and hosts on my LAN are getting addresses from the prefix.

@daxkelson, can the issue then be “properly” closed? Could you please create separate issues for the additional use-cases?

I don't see radvd running, does NetworkManager itself have a built in route advertisement?

Yes, it uses libndp to build and send RA packets.

IPV6 is a real joke in NM! #100 (closed) is still not fixed, IPV6 should be prefered, both ipv6 DNS servers must be first and AAAA RR must be done first (yes, second is hard to do)!

A patch might help...

I already told you that ipv6.dns-priority must be 1. I think you can do a patch for that yourself.

@ValZapod you're in no way helping the project behaving like this, there's no need to be aggressive about a specific NM issue, we appreciate people reporting problems and we do look at them trying to address them as soon as possible.

NetworkManager, being open-source, gives you the chance to contribute yourself to the codebase so if you think this is a priority for the project or even just for yourself then submit a patch, we will gladly review it and help you to get it merged, we're always happy to welcome new contributors.

If you need help in crafting the patch or just understanding the code you can reach us on (IRC) #nm on freenode.

This issue has been inactive for 6 months, closing automatically, please reopen if you think the issue is still relevant.

closed

added auto-closed label

Reopen this, please.

reopened

removed auto-closed label

It doesn't seem that there is something left to do here.

At least, from the description it is not clear what should be done. In this form, is the issue not actionable.

Closing this issue. If you think something should be done, then please comment very clearly what exactly (and then it might be reopened). Thank you.

closed

mentioned in issue #1048 (closed)

@thaller did the new "internal" implementation get PD support?

What value should be used with NM 1.40?

yes. Since 3c4f70c5 (1.22).

there is nothing special (or plugin specific) to configure. Have the other profile with ipv6.method=shared, which will imply that NM attempts to delegate a prefix.