DHCPv6-based address allocation on PPPoE links

Cassidy Larson from InfoWest sent me an interesting challenge: using the sample configurations I provided in the Building Large IPv6 Service Provider Networks webinar he was getting weird DHCPv6 errors when a residential CPE device requested a delegated prefix from the BRAS router (before moving forward, have to mention how nice it is to see an US ISP deploying IPv6 ;).

The symptoms

He was using a configuration very similar to this one with local PPPoE address pool and local prefix delegation pool ...

Simple IPv6-over-PPPoE configuration with local pools

ipv6 dhcp pool Clients
prefix-delegation pool DhcpPool
address prefix FEC0:1:23FF:FFFF::/64
dns-server FEC0::CCCC:4
domain-name example.com
!
interface Virtual-Template10
mtu 1480
peer default ipv6 pool PPP
ipv6 enable
ipv6 nd other-config-flag
no ipv6 nd ra suppress
ipv6 dhcp server Clients
no keepalive
ppp authentication pap
ppp direction callin
!
ipv6 local pool DhcpPool FEC0:1:2200::/40 56
ipv6 local pool PPP FEC0:1:2300::/48 64

... and observing DHCPv6 debugging printouts similar to the one below (reproduced in my lab):

DHCPv6 SOLICIT packet

IPv6 DHCP: Received SOLICIT from FE80::C804:7FF:FEE6:8 on Virtual-Access2.1
IPv6 DHCP: detailed packet contents
src FE80::C804:7FF:FEE6:8 (Virtual-Access2.1)
dst FF02::1:2
type SOLICIT(1), xid 2333403
option ELAPSED-TIME(8), len 2
elapsed-time 0
option CLIENTID(1), len 10
00030001CA0407E60008
option ORO(6), len 4
DNS-SERVERS,DOMAIN-LIST
option IA-NA(3), len 12
IAID 0x000B0001, T1 0, T2 0

DHCPv6 request processing

IPv6 DHCP: Using interface pool Clients
IPv6 DHCP: Binding for IA_NA 000B0001 not found
IPv6 DHCP: Allocating IA_NA 000B0001 in binding for FE80::C804:7FF:FEE6:8
IPv6 DHCP: Freeing IA_NA 000B0001 from binding for FE80::C804:7FF:FEE6:8
IPv6 DHCP: Binding for IA_NA 000B0001 not found

DHCPv6 ADVERTISE response

IPv6 DHCP: Sending ADVERTISE to FE80::C804:7FF:FEE6:8 on Virtual-Access2.1
IPv6 DHCP: detailed packet contents
src FE80::C800:7FF:FEE5:8
dst FE80::C804:7FF:FEE6:8 (Virtual-Access2.1)
type ADVERTISE(2), xid 2333403
option SERVERID(2), len 10
00030001CA0007E50008
option CLIENTID(1), len 10
00030001CA0407E60008
option IA-NA(3), len 31
IAID 0x000B0001, T1 0, T2 0
option STATUS-CODE(13), len 15
status code NOADDRS-AVAIL(2)
status message: NOADDRS-AVAIL
option DNS-SERVERS(23), len 16
FEC0::CCCC:4
option DOMAIN-LIST(24), len 13
example.com

A bit of a background

DHCPv6 is used for (at least) three purposes in IPv6 access networks:

  • To assign IPv6 addresses to DHCPv6 clients (IA-NA option);
  • To pass DNS information (DNS server address, default domain) to the clients (DNS-SERVERS and DOMAIN-LIST options);
  • To delegate prefixes to CPE routers (IA-PD option).

The use of DHCPv6 for the first two purposes SHOULD be controlled by the flags sent by the routers in Router Advertisement messages:

  • If the M flag is set, hosts COULD use DHCPv6 to get their addresses;
  • If the O flag is set, hosts COULD use DHCPv6 to get other information.

You cannot force an end host to use DHCPv6 by setting the M flag in the RA messages (but you could prevent an end hosts from using SLAAC by not advertising SLAAC-able prefixes in RA messages).

Based on the information Cassidy sent me some CPE devices ignore the M flag as well; virtual access template was configured with ipv6 nd other-config-flag and debugging printouts indicated M flag was not set in RA messages:

Dump of RA packet

ICMPv6-ND: Request to send RA for FE80::C800:7FF:FEE5:8
ICMPv6-ND: Setup RA from FE80::C800:7FF:FEE5:8 to FF02::1 on Virtual-Access2.1
ICMPv6-ND: Setup RA common:Other stateful configuration
ICMPv6-ND: MTU = 1480
ICMPv6-ND: prefix = FEC0:1:2300::/64 onlink autoconfig
ICMPv6-ND: 2592000/604800 (valid/preferred)
ICMPv6: Sent R-Advert, Src=FE80::C800:7FF:FEE5:8, Dst=FF02::1

I used ipv6 address dhcp on a Cisco IOS-based CPE to force this behavior; Cassidy was using a Linksys CPE on which he could only enable or disable IPv6.

Where’s the problem?

Depending on the DHCPv6 client code in the CPE, you could observe one of these behaviors:

  • CPE gets annoyed when it can’t get an IPv6 address with DHCPv6 and never asks for the delegated prefix. User has no IPv6 connectivity (this is how my Cisco IOS release behaves ... but then I forced it to use DHCPv6);
  • CPE asks for IPv6 address and delegated prefix in the same request, but never completes the DHCPv6 address allocation because it’s upset by the STATUS-CODE in IA-NA option (yeah, you really couldn’t expect half of your request to fail, could you?). Seems the Linksys router Cassidy is using is in this category;
  • CPE survives the partial DHCPv6 response failure, but still doesn’t use SLAAC on the outside interface and thus never gets a globally routable outside IPv6 address. This shouldn’t be a big problem unless the customer tries to do a ping from the CPE (or configures NAT66 ;).

Anyhow, history shows we cannot rely on CPEs doing the right thing (after all, why would a CPE use DHCPv6 IA-NA if the BRAS never tells it to do so), so we have to cope with whatever is thrown at us.

Can we fix it? Yes we can!

DHCPv6 server in Cisco IOS was doing IA-PD prefix delegation for a long time. They added IA-NA address allocation somewhere in the 15.x M&T train, so it’s pretty easy to add an address-prefix to ipv6 dhcp pool:

IPv6 DHCP pool with address and prefix delegation

ipv6 dhcp pool Clients
prefix-delegation pool DhcpPool
address prefix FEC0:1:23FF:FFFF::/64
dns-server FEC0::CCCC:4
domain-name example.com

This configuration would work great on a Metro Ethernet or a WiFi subnet, but not so well in PPPoE environments – every PPPoE session is a separate virtual access interface and thus needs a separate IPv6 subnet for clients who prefer to do SLAAC (or don’t have DHCPv6 IA-NA support at all).

To support all possible (and impossible) combinations of client hosts and CPEs, you’d have to:

  • Assign a /64 prefix to every PPPoE link to support hosts expecting to use SLAAC;
  • Support prefix delegation and assign another prefix (anything from /48 to /64 depending on your L8-10 persuasions) to CPEs requesting the prefix;
  • Assign an IPv6 address from IA-NA pool to clients or CPEs who want to use DHCPv6 for address assignment.

However, it’s impossible to make the IPv6 address CPE gets from the IA-NA pool be in the dynamic subnet allocated to each PPPoE link. To make the CPE device reachable from the IPv6 Internet, you need another static route (similar to the one generated by prefix delegation) ... and the ipv6 dhcp iana-route-add global configuration command is here to help you. After configuring it, the BRAS generates static /128 routes for DHCPv6-allocated IPv6 addresses.

IPv6 routes on virtual access interface

PE-A#show ipv6 route interface vi2.1 | begin ^[SC]_
S FEC0:1:2200::/56 [1/0]
via FE80::C804:7FF:FEE6:8, Virtual-Access2.1
C FEC0:1:2300::/64 [0/0]
via Virtual-Access2.1, directly connected
S FEC0:1:23FF:FFFF:C1D7:32FE:F4C7:DF8C/128 [1/0]
via FE80::C804:7FF:FEE6:8, Virtual-Access2.1

The final gotcha

And thus it seems our problem is solved ... unless you’re a lucky owner of an ASR or any other Cisco IOS device running 15.2S software – they accept ipv6 dhcp iana-route-add configuration command but never generate the /128 static route. Neat, isn’t it? Who would ever need that in a service provider environment?

Related webinars

You’ll find detailed description of DHCPv6 address allocation and prefix delegation mechanisms, and related design, deployment and configuration guidelines in the Building Large IPv6 Service Provider Networks webinar (you can get it as individual recording, or as part of the IPv6 trilogy or yearly subscription).

11 comments:

  1. Hehe. Why do we always seem to research the same stuff at the same time :-)

    I had the assigning DHCPv6-IA_NA on PPPoE links problem with one of my customers (a CPE manufacturer). Upgraded from 15.1S to 15.2S, then to 15.2M to make it work. Unfortunately 15.2M doesn't support "ipv6 dhcp bindings track ppp", but that's a different issue :-)
    Replies
    1. Must be due to us being exposed to the same manufacturers' brilliancy in our consulting engagements.
    2. Do you have the ID of this bug for reference?
  2. Hi Ivan

    What is the exact difference between IA_NA and IA_PD.

    IA_PD is used to give IPV6 address lease to CPE routers

    IA_NA is used to Ipv6 address to client and it is non temporary ( normal ) IPv6 address.

    Can you throw some more light on this ?
  3. Thanks for this blog entry. When I tested this last year on our 7206VXR running 12.2SB I didn't run into this problem, only the lack of static route insertion for the PD. I solved that (during testing) by manually creating the route.
  4. We have the same issue with some CPEs: we get hundreds (per min) of IA-NA requests.

    We still don't know if we'll follow your solution. We're currently looking for a way to limit them (x solicits per min per customer).

    Generally, i don't like the idea of supporting both SLAAC and DHCP wan ip address assignment.
  5. Hi,

    I need to configure ipv6 dhcp server with 112 subnet.When i configured ipv6 dhcp server in linux .In my client box it showing 64 subnet.
  6. Hi Ivan, found this post when searching for Juniper SRX DHCPv6 PD over PPPOE interfaces...it appears to be broken, even though PD works over standard ethernet interfaces. Do you know anything more on this? Apparently it's not working for ASAs as well...do I really need a full router just to support v6 PD? Can I use DHCPv6 relay agent to work around this? Thanks!
    Replies
    1. Hi! Unfortunately I have no hands-on experience with IPv6 in Junos, and the last time I looked (but it was a long time ago) ASA had no support for IPv6 PD, so it looks like you'll have to settle for some other platform.
  7. Hi Ivan
    I try to connect from a Cisco 810 (4G/LTE, over cellular interface) via PPP to our LNS (ASR1k). However, IPv6 doesn't work. The IPv6 protocol state on the virtual-access interface stays down. Important to know is that our mobile network (UGW) doesn't support PPP/IPV6CP. The DHCPv6 request sent by the CPE never touch the LNS. The question is, if IPv6 communication over PPP is possible at all if IPV6CP is not supported?
    Replies
    1. If IPv6CP doesn't start then you can't start exchanging IPv6 packets over PPP.
Add comment
Sidebar