The stupidity of trying to "fix" DHCPv6

Seth Mos seth.mos at dds.nl
Sun Jun 12 17:09:04 CDT 2011


On 12 Jun 2011, at 12:05, Daniel Roesen wrote:

> VRRP communications itself is via link-local addresses. There is a
> requirement to have a link-local virtual address as well, but there
> might be many more, e.g. global scope.

In FreeBSD with pfSense I use CARP with v6 addresses which are GUA; the ISP routes my /48 to the GUA address, and failover time when rebooting firewalls is in the order of seconds. I see no missed HTTP requests and no existing requests drop.

The servers behind it are also configured to use the LAN side GUA CARP IPv6 address as the default gateway.

pfsync makes sure that traffic state is being kept.

> 
> Otherwise a whole lot of IPv6 VRRP setups won't be working here. :)
> We use global scope addresses as VRRP virtual router addresses.

Indeed, same here. We have an open ticket iirc to patch our radvd daemon to also announce properly when active on a v6 CARP address. It's that or being able to manually send a GUA address as being the gateway.

Wait, that sounds suspiciously like trying to send a gateway bit by way of DHCP. Luckily servers are statically configured. But now comes the deal that I want all my client nodes on the corporate LAN to also use the GUA address (which has stateful failover) for the gateway instead of the link local address of one of my CARP cluster nodes.

Other options include crafting a link local address for the CARP address and making sure that radvd uses that. The backup CARP node won't hear anything or be heard when the address has BACKUP status. It's on the todo list.

Regards,

Seth




