IPv6 networking on OpenBSD 6.6-current (via snapshots)

[tsombi digitale]

Hello.

I've looked through the OpenBSD networking FAQ and see only mention of IPv4. I'd like to troubleshoot IPv6 networking and get that working once again. It worked until a year or two ago, I forget when. Lately, I've tried some more with fresh installations on several architectures including i386 and amd64 but cannot figure out how to get IPv6 connectivity.

I think that I do still have IPv6 support from the ISP because they do claim to have it active for my account and they are probably correct because when I plug in a proprietary Technicolor(R) router, anything I then connect to it gets a working IPv6 address and IPv6 routes.

Code:

$ ping6 -c 1 2a00:1450:400f:808::2004
PING 2a00:1450:400f:808::2004(2a00:1450:400f:808::2004) 56 data bytes
64 bytes from 2a00:1450:400f:808::2004: icmp_seq=1 ttl=54 time=26.4 ms

--- 2a00:1450:400f:808::2004 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 26.354/26.354/26.354/0.000 ms

I am otherwise completely unfamiliar with IPv6.

The defaults are apparently ok for Technicolor but not OpenBSD. What should I be looking at changing on the various OpenBSD devices?

[jggimi]

Hello and welcome! Here are two key considerations for IPv6 on OpenBSD:

1. Determine what your ISP requires for provisioning. ISPs all have varying requirements, which you must align to. Some provide SLAAC with SOII support, some provide SLAAC without SOII, some provide prefix delegation instead of SLAAC, and those are just the ISPs I have connected to myself, there are other variations.
2. Check your PF configuration, too. OpenBSD users commonly deploy default block configurations. This blocks ICMPv6, which is required for routing.

Here's a presentation I wrote in 2017 on IPv6. It may help with general concepts, if not specifics for your environment.

[tsombi digitale]

Thanks. I'll check those options out in detail over time but I think option #1 may lead to the solution.

For option two, I set pf.conf to just a single line, "pass", and restarted networking and then eventually even did a cold boot. None of that seemed to have any effect. I also combined that with various combinations of "inet6 autoconf", "inet6 autoconf soii", and "inet6 autoconf -soii" etc in the egress configuration. So I think that might rule out any question of PF being in the way.

However, for option one, that may take a bit of time. I'll post back much later with status on that.

But first, what are Semantically Opaque Interface Identifiers (SOII)? I cannot find a brief definition anywhere online or in the manual pages except for a mention in passing for ifconfig(8), the presence of a /etc/soii.key file, and online RFC7217.

[jggimi]

In SLAAC, either the interface MAC address is used as the basis for addressing, or a host value is used. You can see the creation of this one-time random value in /etc/rc:

Code:

        if [[ ! -f /etc/soii.key ]]; then
                openssl rand -hex 16 > /etc/soii.key &&
                    chmod 600 /etc/soii.key && sysctl -q \
                    "net.inet6.ip6.soiikey=$(</etc/soii.key)"
        fi

Your ISP may use a mechanism other than SLAAC for address assignment.

[tsombi digitale]

Sorry for the delay. I went and arranged to speak in person with the ISP's support staff, the mid-level support, and the manager for the latter. None new what IPv6 was. Ouch.

I also tried putting OpenBSD 6.0 on a machine and gave rtsol a try. However, that would not connect either. So slaac and rstol are not in use as far as I can tell.

After digging around in some very, very old discussions on some obscure forums there was the suggestion at least back then, many years ago, that 6rd was being used.

What would the next step in debugging this be?

[jggimi]

6rd, 6to4, DHCPv6, ICMPv6 ... and other possible provisioning mechanisms.

Quote:

Originally Posted by tsombi digitale

...they do claim to have it active for my account...

Quote:

Originally Posted by tsombi digitale

...None new what IPv6 was.

With that non sequitur in your way, I can only think of three options:

1. The upstream ISP from yours might have a clue what they provide downstream, if anything.
2. IPv6 packet inspection may lead you towards the appropriate provisioning tools. But you'd need to have the skills to capture and interpret those packets
3. Stick with IPv4, purchase a third party IPv6 tunnel service, or change ISPs.

[tsombi digitale]

I'll try option 2 while working on option 1 in the background.

I've set up a bridge which allows traffic through it, more or less invisibly, and have put it between a router which handles IPv6 and the net. GNU/Linux computers connecting through both can use IPv6. I can run tcpdump on the bridge. However, perhaps the query below is not right because I see only two packet with it despite lots of traffic over the bridge:

Code:

# tcpdump -qnli cnmac0 'ip6'
tcpdump: listening on cnmac0, link-type EN10MB

10:44:22.284468 :: > xxxx::1:xxxx:xxxx: icmp6: neighbor sol: who has xxxx::xxxx:xxxx:xxxx:xxxx
10:44:22.284625 :: > xxxx::1:xxxx:xxxx: icmp6: neighbor sol: who has xxxx::xxxx:xxxx:xxxx:xxxx

[jggimi]

You've posted what looks to me to be 2 NDP queries with no responses.

[tsombi digitale]

After going round and round and round with various levels of tech support from the ISP, and getting no direct answers to any questions regarding IPv6, I have come to the conclusion their initial claims to providing IPv6 might not be accurate. So I'll have to let this rest for a while.

[CiotBSD]

Excuse-me, It's possible that I didn't fully understand the point, however, to get IPv6 working, @home, I use the tunnelbroker's trick - cf tunnel.he.net.
Because, officialy, my ISP supports too IPv6, but in the fact, bye-bye.

With this tunnel, all my devices: PC (OpenBSD, Debian), smartphones (android), routers (openwrt) have IPv6.

- tunnelbroker.net: You obtain, by default a /64, but you can ask a /48.
- tunnelbroker.ch

Maybe, it's can be help you! Maybe…
if not, sorry!

PS : I use tunnelbroker.net since few years!

[ip6ix]

Quote:

Originally Posted by CiotBSD

Excuse-me, It's possible that I didn't fully understand the point, however, to get IPv6 working, @home, I use the tunnelbroker's trick - cf tunnel.he.net.
Because, officialy, my ISP supports too IPv6, but in the fact, bye-bye.

With this tunnel, all my devices: PC (OpenBSD, Debian), smartphones (android), routers (openwrt) have IPv6.

- tunnelbroker.net: You obtain, by default a /64, but you can ask a /48.
- tunnelbroker.ch

I was going to suggest tunnelbroker.net but you beat me to it! I used their services for years without any problems until I changed my ISP to one that fully supports IPv6 (Andrews & Arnold, here in the UK).

Tunnelbroker.net and their sister site he.net, among other things, offer an excellent IPv6 training program (see https://ipv6.he.net/certification/.

Also, their services are free.

[CiotBSD]

@ipsix: yes, I know. I'm certified "Sage", and I've the T-shirt!
LOL

[ip6ix]

Quote:

Originally Posted by CiotBSD

@ipsix: yes, I know. I'm certified "Sage", and I've the T-shirt!
LOL

Well since you mentioned it: me too