
Internal GUA routing using link-local only

Started by MagellanTX, November 28, 2012, 10:03:40 AM


MagellanTX

I thought about putting this under the routing platforms but this question is really router agnostic so forgive me if I've placed it in the wrong forum.

I am advertising GUA prefixes across multiple LAN segments but my SVI routers are not using any GUA addresses at all; they are using link-local only. The computers will traverse the LAN using link-local addresses until they reach the edge routers, which are using /64s assigned by the provider.

Internet connectivity is fine, and even traceroutes back to the computers look normal so my question is: Is this an acceptable or recommended way of routing?

The biggest reason I chose this approach is security. I am trying to limit the number of publicly reachable addresses on my internal routers but I'm not sure that my routing approach is considered correct or if it will create other problems down the road.

Any suggestions or design comments are appreciated!

Thanks!!



kasperd

As long as the two endpoints have valid IPv6 addresses, you can route packets between them without having to care about the IP addresses of intermediate routers. You could even go so far as to having the routers not even know the IP address of the router they received the packet from or the router they send the packet to. They just need to know the MAC address of the next router, and which interface to send the packet on.

But just because you can do it, doesn't mean it is a good idea. The problem shows up when you have to do source address selection on packets originated by the router. At the very least, the router needs to be able to send ICMPv6 errors in response to packets attempted to be routed through it. Use the wrong source address on such ICMPv6 errors, and those packets may be dropped by other routers before they reach their destination.

Additionally, to be able to debug problems, you need to be able to do a traceroute and ping each router on the path. For that reason a router needs an IP address which is reachable by both endpoints of any communication going through that router. If a router is used for any packets to or from the Internet, that router needs a globally routable address.

You don't need one for each interface though. If you have a router attached to a LAN with prefix 2001:db8:1:2::/64 and the router has address 2001:db8:1:2::1/64 on the interface for the LAN, then you can assign 2001:db8:1:2::1/128 to all other interfaces on that router without any problems. But even if you didn't, a router may still be able to figure out to use the address. For example Linux is able to do this.

I have a Linux host with IPv6 routes on three virtual network interfaces, but only a globally routable IPv6 address on eth0. I have a Miredo relay on that Linux host, so any packets to Teredo clients are sent over the route for 2001::/32 on the teredo interface. The teredo interface only has address fe80::ffff:ffff:ffff assigned to it, so packets originated by the Linux host on the teredo interface will actually be sent with the source address taken from eth0.

If you have a router with multiple IP addresses and some interfaces without addresses, then it may be a good idea to explicitly assign a globally routable address to each interface (as a /128 if the address was copied from another interface). For example, I tried configuring my Linux host with a globally routable address on one interface and an RFC 4193 address on another interface. Packets originated on the Teredo interface, which had only a link-local address, would end up using the RFC 4193 address rather than the globally routable address.

As for the security, I don't believe breaking PMTU discovery, every debugging tool available, and some tunnelling protocols is going to help security overall. Each router should have at least one globally routable address which it can use for ICMPv6 packets. If you have open ports on the router and only want those accessible to your LAN, then enforce that through packet filters or by listening on an RFC 4193 address.
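As an added illustration of the source-address-selection problem kasperd describes (this is not code from the thread or from any router implementation; interface names and addresses are constructed), here is a simplified RFC 6724 selection covering rules 2, 5 and 8, showing why a link-local-only router has no usable source for ICMPv6 errors and why a /128 copy on the outgoing interface changes the pick:

```python
"""Simplified RFC 6724 source address selection (rules 2, 5 and 8 only)."""
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import List, Optional

@dataclass(frozen=True)
class Candidate:
    address: IPv6Address
    iface: str  # interface the address is configured on

def scope(addr: IPv6Address) -> int:
    """RFC 4007 scope: link-local = 2; global and ULA (RFC 4193) = 14."""
    return 2 if addr.is_link_local else 14

def common_prefix_len(a: IPv6Address, b: IPv6Address) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()

def select_source(dest: IPv6Address, out_iface: str,
                  candidates: List[Candidate]) -> Optional[Candidate]:
    """Source a router would pick for a self-originated packet (e.g. an ICMPv6
    error) to `dest` leaving via `out_iface`; None if no candidate has a
    scope large enough to reach `dest`."""
    dscope = scope(dest)
    usable = [c for c in candidates if scope(c.address) >= dscope]
    if not usable:
        return None
    def rank(c: Candidate) -> tuple:
        return (
            -scope(c.address),                   # rule 2: smallest sufficient scope
            c.iface == out_iface,                # rule 5: on the outgoing interface
            common_prefix_len(c.address, dest),  # rule 8: longest matching prefix
        )
    return max(usable, key=rank)

# Constructed addresses, modelled on the answer above.
DEST = IPv6Address("2001:db8:ffff::5")                             # remote global host
LL_TEREDO = Candidate(IPv6Address("fe80::ffff:ffff:ffff"), "teredo")
GUA_ETH0 = Candidate(IPv6Address("2001:db8:1:2::1"), "eth0")
GUA_COPY = Candidate(IPv6Address("2001:db8:1:2::1"), "teredo")    # /128 copy

if __name__ == "__main__":
    # Link-local only on every interface (the original poster's SVI design):
    print(select_source(DEST, "teredo", [LL_TEREDO]))                      # None
    # Link-local on the outgoing interface, GUA elsewhere: borrows eth0's GUA.
    print(select_source(DEST, "teredo", [LL_TEREDO, GUA_ETH0]).iface)      # eth0
    # With the /128 copy present, rule 5 keeps the outgoing interface's copy.
    print(select_source(DEST, "teredo", [LL_TEREDO, GUA_ETH0, GUA_COPY]).iface)  # teredo
```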