# Some IPv6 routing woes



## vh (Nov 15, 2012)

Hi there,

This is a very primitive question, but I canâ€™t seem to find a way out: My hosting service has granted me a /64 block for my FreeBSD box (go figure why, I donâ€™t need zillions of aliasesâ€¦). Now, the default router I must use is *not* located in that block, but has another prefix.

If I add a manual route like this:
`# route add -inet6 -host router_address -interface ix0`

and then I do:
`# route add -inet6 default router_address`

It does not work: ping6(8) to any host fails yelling 'operation not permitted'.

When I examine the output of *netstat -rn*, I find that the route to the default router is shown as using the ARP address of the ethernet adapter rather than, e.g., â€˜link#3â€™.

Does anybody know how I should configure the routing tables to get it work?

Thanks a lot!
Vincent


----------



## SirDice (Nov 15, 2012)

vh said:
			
		

> My hosting service has granted me a /64 block for my FreeBSD box (go figure why, I donâ€™t need zillions of aliasesâ€¦).


They gave me a /48 :e


Try this one:
`# route add -inet6 default -iface ix0`


----------



## vh (Nov 15, 2012)

SirDice said:
			
		

> They gave me a /48 :e



Well, Apple and HP got /8 at the beginning of IPv4.  Now, as I wrote somewhere, they will sell it back, and get zillions of dollarsâ€¦ just because the IANA was so short sighted.



> Try this one:
> `# route add -inet6 default -iface ix0`



Ok, I will. Thanks for the hint.
Vincent


----------



## kpa (Nov 15, 2012)

If you have just one machine that is not a router you can't use the /64 block, it's meant to be assigned to another interface that is connected to a local LAN network.

Giving a /64 to customers may seem excessive but it's the only way to get autoconfiguration working in IPv6, the host part must be 64 bits. Even with /48s there are almost 2^48 *) different network prefixes to choose from and that's a hell a lot.

*) May be less because there a quite a few reserved prefixes but it's still way more than 2^32.


----------



## throAU (Nov 19, 2012)

I've got a /56 at home (Internode).  As above, it's more to do with ease of configuration rather than needing the IP address space for home.

Even point to point links in IPv6 use /64.

The IPv6 address space is so un-imaginably huge that it doesn't matter, and makes things simpler.

Still, it does feel wasteful having 4 billion IPv4 internet's worth of address space (or more) for home.


----------



## kpa (Nov 19, 2012)

There's also what is called the  IPv6 privacy extensions. If they are turned on your machine can choose a random address from the pool of 2^64 addresses (from the /64 prefix the router advertises) every time it connects to a network anywhere in the world. This effectively trumps any attempts to track your internet use based on IP address.


----------



## gkontos (Nov 19, 2012)

kpa said:
			
		

> There's also what is called the  IPv6 privacy extensions. If they are turned on your machine can choose a random address from the pool of 2^64 addresses (from the /64 prefix the router advertises) every time it connects to a network anywhere in the world. This effectively trumps any attempts to track your internet use based on IP address.



This is debatable because all of those IP addresses will belong to the same /64 subnet. If I want to track the activity of a home user and I know that you are using IPv6 I will track your subnet and not your IP address.


----------



## kpa (Nov 19, 2012)

gkontos said:
			
		

> This is debatable because all of those IP addresses will belong to the same /64 subnet. If I want to track the activity of a home user and I know that you are using IPv6 I will track your subnet and not your IP address.



Yes if you put that way but if the /64 is owned by an ISP and the addresses are handed out to their customers it's no longer possible to track anyone who uses the privacy extensions. In this scenario the users would not get any additional /64 or larger routed subnets, all they would get is the addresses assigned to the single interface of their host using autoconfiguration.

Also think of situation where you're using other networks, not just your home network. If you were using just the plain stateless autoconfiguration your host part of the address that is derived from the mac address would be the same in every network and you could tracked based on that. With the privacy extensions your host part is random every time you visit a new network and tracking is no longer possible.


----------



## gkontos (Nov 19, 2012)

kpa said:
			
		

> Yes if you put that way but if the /64 is owned by an ISP and the addresses are handed out to their customers it's no longer possible to track anyone who uses the privacy extensions. In this scenario the users would not get any additional /64 or larger routed subnets, all they would get is the addresses assigned to the single interface of their host using autoconfiguration.



Actually ISPs should provide a /64 as a minimal to every client I think. I know it sounds scary but if I am not mistaken the original plans were for /56 as a standard and a /48 to an organization.
Anyway, I don't disagree with you regarding the privacy extensions and I think that unless you need a static IP they should be used.



			
				kpa said:
			
		

> Also think of situation where you're using other networks, not just your home network. If you were using just the plain stateless autoconfiguration your host part of the address that is derived from the mac address would be the same in every network and you could tracked based on that. With the privacy extensions your host part is random every time you visit a new network and tracking is no longer possible.



You are right in that matter and I think this is the most dangerous part. I can understand that for link local it makes sense but it is very dangerous for public IPs.


----------



## kpa (Nov 19, 2012)

Correct me if I'm wrong but I believe you need a static IPv6 address on your router's WAN interface for additional routed subnets.


----------



## gkontos (Nov 20, 2012)

kpa said:
			
		

> Correct me if I'm wrong but I believe you need a static IPv6 address on your router's WAN interface for additional routed subnets.



I am currently using a FreeBSD box as a router / firewall, connecting over ppp to my ISP.


```
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
	options=80000<LINKSTATE>
	inet x.x.x.x --> 62.103.129.45 netmask 0xffffffff 
	inet6 fe80::a12a:e398:a32a:e399%tun0 prefixlen 64 scopeid 0xa 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```

And the routing table:


```
Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0 =>
default                           fe80::215:c7ff:fed0:841b%tun0 UGS        tun0
::1                               link#8                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2a02:xxx:xxxx:2c00::/64           link#6                        U           re0
```

This box has another interface where I have assigned a /64 subnet from the /56 subnet that my ISP has provided me with.

bge0 is the external interface which binds to tun0


```
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
	ether 00:13:21:cc:39:35
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
```

re0 is the internal interface that has been assigned with the /64 subnet.


```
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 64:70:02:00:65:72
	inet 10.10.10.4 netmask 0xffffff00 broadcast 10.10.10.255
	inet6 fe80::6670:2ff:fe00:6572%re0 prefixlen 64 scopeid 0x6 
	inet6 2a02:xxx:xxxx:2c00::2093 prefixlen 64 
	inet 10.10.10.6 netmask 0xffffffff broadcast 10.10.10.6
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
```


----------



## kpa (Nov 20, 2012)

I was thinking of a native IPv6 set up where the WAN connection is a plain ethernet connection and the router advertisements are coming from ISP's router. In such a case you couldn't have additional routed subnets unless you have a static IP address.

PPPoE is quite rare here in Finland. Most common type of connection is ADSL with ethernet traffic encapsulated in the ATM connection and IP addresses assigned directly with DHCP. That's why I didn't think of the possibility of forwarding the routes over a PPP link.


----------

