DHCPv6-PD -> Lack of route injection in RFC

I am running into vendors that do not support injection of a delegated route when operating as a DHCPv6 relay (or server for that matter). Brocade supports this, but I am not finding this as part of any of the RFCs. This is to deliver home ISP service, so it is very important or return packets won't go to the client unless the route is manually added as a routing protocol is not an option. There should be a MUST activity for this somewhere.

Anyone know what gives?

Steve Teusch wrote:

I am running into vendors that do not support injection of a
delegated route when operating as a DHCPv6 relay (or server for that
matter). Brocade supports this, but I am not finding this as part of
any of the RFCs. This is to deliver home ISP service, so it is very
important or return packets won't go to the client unless the route
is manually added as a routing protocol is not an option. There
should be a MUST activity for this somewhere.

Anyone know what gives?

This is being blocked by a number of parties at the IETF because of
religious systemic antipathy towards DHCPv6.

Nick

On 9/22/17, 3:12 AM, "NANOG on behalf of Steve Teusch" wrote:

I am running into vendors that do not support injection of a delegated
route when operating as a DHCPv6 relay (or server for that matter).
Brocade supports this, but I am not finding this as part of any of the
RFCs. This is to deliver home ISP service, so it is very important or
return packets won't go to the client unless the route is manually added
as a routing protocol is not an option. There should be a MUST activity
for this somewhere.

Anyone know what gives?

Well, it’s weird for a DHCPv6 relay process to inspect relayed Reply
messages and use them to update the routing table. Weird, but I’ve done it.
What origin type do you use for that route? Static, really?

This behavior was requested by operators who needed it; I don’t remember
whether we even went to the IETF with it. I think descriptions exist in
CableLabs IPv6 docs; maybe in BBF docs, too.

Any vendor who doesn’t do it is in the process of shutting down their ISP
access router business.

Lee
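What the relay-side snooping described above amounts to, as an added example (not code from this thread or from any vendor): parse a Relay-Reply using the DHCPv6 option layout from RFC 8415, pull out each delegated prefix, and return a route only when the prefix falls inside an assumed operator PD pool. The function names, the pool and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

RELAY_REPL, REPLY = 13, 7                       # DHCPv6 message types
OPT_RELAY_MSG, OPT_IA_PD, OPT_IAPREFIX = 9, 25, 26

def options(buf):
    """Yield (code, data) per TLV option; malformed lengths raise ValueError."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option overruns message")
        yield code, buf[off:off + length]
        off += length

def routes_from_relay_reply(pkt, pool):
    """Return [(prefix, next_hop, valid_lifetime)] for delegations inside pool."""
    if len(pkt) < 34 or pkt[0] != RELAY_REPL:
        raise ValueError("not a Relay-Reply")
    next_hop = ipaddress.IPv6Address(pkt[18:34])    # peer-address: the CPE
    routes = []
    for code, data in options(pkt[34:]):
        if code != OPT_RELAY_MSG or len(data) < 4 or data[0] != REPLY:
            continue
        for c, ia in options(data[4:]):             # skip msg-type + transaction-id
            if c != OPT_IA_PD or len(ia) < 12:
                continue
            for c2, p in options(ia[12:]):          # skip IAID, T1, T2
                if c2 != OPT_IAPREFIX or len(p) < 25:
                    continue
                _pref, valid, plen = struct.unpack_from("!IIB", p)
                net = ipaddress.IPv6Network((p[9:25], plen), strict=False)
                # Lifetime 0 means released; never install outside the pool.
                if valid and net.subnet_of(pool):
                    routes.append((net, next_hop, valid))
    return routes

def _opt(code, data):
    return struct.pack("!HH", code, len(data)) + data
# Constructed sample: a Reply delegating 2001:db8:1200::/56, relayed to CPE fe80::1
_pfx = struct.pack("!IIB", 3600, 7200, 56) + ipaddress.IPv6Address("2001:db8:1200::").packed
_reply = bytes([REPLY]) + b"\xab\xcd\xef" + _opt(
    OPT_IA_PD, struct.pack("!III", 1, 1800, 2880) + _opt(OPT_IAPREFIX, _pfx))
SAMPLE = (bytes([RELAY_REPL, 0]) + ipaddress.IPv6Address("2001:db8:ffff::1").packed
          + ipaddress.IPv6Address("fe80::1").packed + _opt(OPT_RELAY_MSG, _reply))
POOL = ipaddress.IPv6Network("2001:db8:1000::/36")   # assumed PD pool
```

The next hop here is the link-local peer-address, so a real route entry also needs the client-facing interface, and the entry should be removed when the valid lifetime runs out.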

This method is lacking because you might have several routers, e.g. using
VRRP, and the backup router will not learn anything from a relay on the
primary.

Which method would you recommend as an alternative?

VRRP failover and not having the route injected is a good point, although I could mitigate that with a lower lease time a little. I prefer to get V6 working. Plus, it's dual stack we are talking about, V4 access is still available.

Maybe a VRRP-DHCPv6 relay state table share would be nice to handle that. Although V6 still needs a lot more attention to get to that point.

I know of several methods all flawed in some ways. There seems to be no
progress in this obvious lack of a solid easy way to inject routes to match
DHCP-PD.

We use ExaBGP to inject routes via BGP that match the configuration that
our DHCP server has. But this is non-standard and clumsy to implement. Does
not work with all CPE routers either.

Regards

Baldur
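One way to keep BGP-injected routes in step with the DHCP server's delegations through ExaBGP's text API, as an added example (not the setup described in the post above): compare the server's live leases with what is currently announced and return the `announce route` / `withdraw route` lines an ExaBGP API process would print. The lease table shape, the pool, the addresses and the `reconcile` name are assumptions made for illustration.

```python
import ipaddress

def reconcile(leases, announced, pool, now):
    """Return ExaBGP API lines that bring `announced` in line with `leases`.

    leases:    {prefix: (next_hop, expiry_epoch)} exported by the DHCP server
    announced: {prefix: next_hop} routes currently injected via ExaBGP
    """
    wanted = {}
    for prefix, (next_hop, expiry) in leases.items():
        net = ipaddress.IPv6Network(prefix)          # raises on malformed input
        # Expired leases and prefixes outside the PD pool are never announced.
        if expiry > now and net.subnet_of(pool):
            wanted[str(net)] = str(ipaddress.IPv6Address(next_hop))
    cmds = []
    # Withdraw first: stale routes, and routes whose next hop has changed.
    for prefix, next_hop in sorted(announced.items()):
        if wanted.get(prefix) != next_hop:
            cmds.append(f"withdraw route {prefix} next-hop {next_hop}")
    for prefix, next_hop in sorted(wanted.items()):
        if announced.get(prefix) != next_hop:
            cmds.append(f"announce route {prefix} next-hop {next_hop}")
    return cmds

# Constructed sample state (documentation prefixes only).
POOL = ipaddress.IPv6Network("2001:db8:1000::/36")
LEASES = {
    "2001:db8:1200::/56": ("2001:db8:ffff::12", 5000),   # live
    "2001:db8:1300::/56": ("2001:db8:ffff::13", 900),    # expired at now=1000
    "2001:db8:9900::/56": ("2001:db8:ffff::99", 5000),   # outside the pool
}
ANNOUNCED = {"2001:db8:1300::/56": "2001:db8:ffff::13"}

if __name__ == "__main__":
    for line in reconcile(LEASES, ANNOUNCED, POOL, now=1000):
        print(line, flush=True)      # ExaBGP reads API commands from stdout
```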

You know CPE devices are routers. They can tell you what routes
DHCP has given them. That announcement could be cryptographically
authenticated.

Send a CPE generated public key with the PD request. Generate a
CERT for the prefix delegation using those two pieces of information
and return it with the prefix delegation. The CPE announces the
route using that CERT to sign the announcement to prevent spoofing.

Each ISP can be its own CA here if it wants to be or they can
tie into the public infrastructure.

Mark

This is, of course, a lot easier if the CPE already has onboard the needed
software to do that, or you have the ability to push it out.

Is anybody from Comcast or other eyeball network willing to say (even roughly)
what percent of CPE is gear they supply, versus gear that people get at Best
Buy or Walmart and just plug in, versus (if they can identify it) gear that's
been reflashed by clued customers?

(Personally, I have a Linksys that's been reflashed with Lede, and is
configured to work with what Comcast does at their end, and I'm more than happy
to reconfig/reflash with other options if Comcast changes their end. Damned if
I know how I'd find out, though, other than debugging my connection going
wonky.)

I don't know about brocade, but here's what I see in Junos and IOS...

....dhcpv6 relay binding seen...

{master:0}
agould@eng-lab-5048-2> show dhcpv6 relay binding routing-instance three
Prefix                  Session Id  Expires  State  Interface  Client DUID
2699:2699:0:7::100/128  199         2591002  BOUND  irb.26     LL_TIME0x1-0x1861ed8c-e8:03:9a:eb:0d:21

....that same binding above is seen as a /128 route of type
access-internal...

{master:0}
agould@eng-lab-5048-2> show route table three.inet6.0 2699:2699:0:7::100/128

three.inet6.0: 16 destinations, 38 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2699:2699:0:7::100/128
                   *[Access-internal/12] 1w5d 03:19:06

Dear Steve,

We used to have this in the IETF: https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-prefix-pool-opt-03 and https://tools.ietf.org/html/draft-petrescu-relay-route-pd-problem-00.

We abandoned that effort because there wasn't sufficient support for it at that time.

Cheers,
Med

On 9/23/17, 1:51 AM, "nanog-bounces@nanog.org on behalf of
valdis.kletnieks@vt.edu" wrote:

You know CPE devices are routers. They can tell you what routes
DHCP has given them. That announcement could be cryptographically
authenticated.

This is, of course, a lot easier if the CPE already has onboard the needed
software to do that, or you have the ability to push it out.

Right. How many residential market gateways support any routing protocol
at all? How many support RIPv2? How many support RIPng? Being routers does
not mean they support any dynamic routing protocol. If I were an ISP, I
would be very skeptical of the return on adding routing support to every
gateway I supported, plus an RPKI.

Is anybody from Comcast or other eyeball network willing to say (even roughly)
what percent of CPE is gear they supply, versus gear that people get at Best
Buy or Walmart and just plug in, versus (if they can identify it) gear that's
been reflashed by clued customers?

It varies 0-100% based on network, year, and the mood of whoever makes the
decision about how to handle CPE. Some ISPs provide a gateway to all of
their customers, and some of those customers then put them into bridged
mode. (I think Vz FiOS, for instance, always comes with a gateway). Some
provide a gateway for free, which may be worth much more or less than you
paid for it, depending on the philosophy of the ISP. Some assume you want
a gateway and charge you several dollars a month for it.

Lee

Isn't this the topic area that the home networking working group was
supposed to resolve?

HOMENET was never looking into running a routing protocol between the ISP and the HGW. It was all about running a routing protocol WITHIN the home, not between the home and the ISP.

All the work I saw took for granted there was for instance a DHCPv6-PD lease handed to the home gateway router.

Depends on how flabby a definition you use. Does "ask for a default route" count? :)