OPNsense Forum
Archive => 19.7 Legacy Series => Topic started by: gstuartj on April 08, 2019, 05:18:27 pm
-
My ISP requires DUID-EN (https://tools.ietf.org/html/rfc3315#page-22) support for IPv6 prefix delegation to work correctly. This involves setting an enterprise number, along with an identifier. pfSense supports DUID-EN, as does the DHCPv6 service used in OPNSense.
I found this closed GitHub issue about DUID-EN support (https://github.com/opnsense/core/issues/2573), but although it was added to the 19.1 milestone I can't seem to find this functionality in the latest dev branch release. (OPNsense 19.7.a_442-amd64)
Am I missing something, or does DUID-EN support not exist? If not, will it be supported in the near-future? I can't run a functional IPv6 stack without it. Thanks!
-
Figured it out when I expanded the info for the DUID textarea in Interface>Settings. For posterity: OPNSense does support DUID-EN, but it will not generate it for you from the decimal enterprise number + hex ID. You must generate the DUID-EN manually and the form validation will accept it.
-
Hi there,
Indeed. Not sure why EN generation was left out. Are there any best practices for generating such a DUID? Maybe we can add it too.
Cheers,
Franco
-
Sure, it's not actually difficult, I just wasn't sure that it would accept a manually formatted string. Having it do the conversion in the UI would be helpful.
With DUID-EN you have two pieces of static info: the enterprise number (e.g., 3562) and the identifier (e.g., xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx). These are assigned by the ISP/enterprise.
- First, we have to indicate that this is a type 2 DUID (EN) by prepending two octets: "00:02"
- Then, we have to convert the decimal (https://www.rapidtables.com/convert/number/decimal-to-hex.html) enterprise number to hex and format it as four octets, so "3562" becomes "00:00:0D:EA". Append it to the type indicator.
- Lastly, we have to append the DUID identifier.
So the final DUID-EN string for the DHCPv6 client becomes: "00:02:00:00:0D:EA:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx"
-
EN was in the original PR I did, I thought you left it out when you cherry picked the PR as technically it needs to be registered like Cisco xxx etc.
-
It's not obvious how DUID-EN would be used with a software router such as OPNsense, except to provide a way to comply with an ISP that requires the DUID-EN format.
Theoretically, an enterprise number must have been allocated, along with a mechanism to allocate unique instances of DUID-EN using the enterprise number.
Here is a link to the description of DUID-EN in RFC 8415: https://tools.ietf.org/html/rfc8415#page-35
Here is a link to the IANA list of enterprise numbers: https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
-
> It's not obvious how DUID-EN would be used with a software router such as OPNsense, except to provide a way to comply with an ISP that requires the DUID-EN format.
Yeah, that was my situation. AT&T service in the U.S. requires the use of a DUID-EN for IPv6. This is fine as the huge majority of customers use an AT&T provided gateway that connects to the ONT for fiber or copper for DSL. I did not want to use the gateway as it has tiny NAT tables, breaks prefix delegation, and causes issues with random address renewals.
As long as it's documented that the DUID-EN can be set manually I don't see it as a super high priority feature.
-
@Franco did a cherry pick on the original PR but it will be simple enough to add the EN function back in. I'll do it today and issue a PR.
-
Actually there is nothing to do. If you expand the help then it tells you how to manually create the EN DUID, just checked and it does work.
EN: 2 bytes "00:02" followed by 4 bytes of the enterprise number e.g. "00:00:00:01", followed by a variable length identifier of hex values up to 122 bytes in length.
So I just entered the following:
00:02:02:02:02:02:70:85:C2:A5:07:7F
That gives me 00:02 to signify EN type DUID. Then four bytes to signify the enterprise ID, in the example above I have used 02:02:02:02, you'll need to find the enterprise ID you need to use, then the rest of the bytes I have taken from the existing LT UUID.
To be honest, the best way for you to do this is to wireshark the packet that's sent using the supplied router and copy the DUID, that way you know it's correct.
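Putting the layout from this post and the earlier one (type 00:02, four-byte enterprise number, identifier) into code, as an added example that is not from the OPNsense project or anyone in this thread: it assembles a DUID-EN from a PEN and identifier, emits both the colon-separated form for the Interface settings field and the \x-escaped byte-string form quoted later in the thread, and decodes a DUID back so a value copied from a capture of the ISP's own router can be checked for type and PEN before it is entered. The PEN values come from the thread; the identifier bytes are constructed samples.

```python
# Added example (not from the OPNsense project or this thread): builds a
# DUID-EN from the two static inputs described above and decodes one back
# for checking. 3562, 2238 and the identifier bytes used below are sample
# inputs taken from the thread or constructed, not anyone's real DUID.
import re

DUID_TYPE_EN = 2
MAX_EN_IDENTIFIER_LEN = 122  # limit quoted from the OPNsense help text in the thread

def _hex_to_bytes(text):
    """Accept 'xx:xx', 'xx-xx', 'xxxx' or '\\xAA\\xBB' and return bytes."""
    clean = re.sub(r"[\s:\-]|\\x", "", text)
    if len(clean) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", clean):
        raise ValueError("not an even-length hex string")
    return bytes.fromhex(clean)

def build_duid_en(enterprise_number, identifier):
    """Return DUID-EN bytes: type 00:02, 4-byte PEN, then the identifier."""
    if not 0 <= enterprise_number <= 0xFFFFFFFF:
        raise ValueError("enterprise number must fit in 32 bits")
    ident = _hex_to_bytes(identifier)
    if not 1 <= len(ident) <= MAX_EN_IDENTIFIER_LEN:
        raise ValueError("identifier must be 1..122 bytes")
    return (DUID_TYPE_EN.to_bytes(2, "big")
            + enterprise_number.to_bytes(4, "big") + ident)

def to_colon_hex(duid):
    """Format for the OPNsense DUID field, e.g. 00:02:00:00:0D:EA:..."""
    return ":".join(f"{b:02X}" for b in duid)

def to_c_escape(duid):
    """Escaped byte-string form seen later in the thread, e.g. \\x00\\x02\\x00\\x00\\x08\\xBE"""
    return "".join(f"\\x{b:02X}" for b in duid)

def decode_duid_en(text):
    """Parse a DUID in either form; return (pen, identifier) or raise
    ValueError if it is not a well-formed type 2 (EN) DUID."""
    raw = _hex_to_bytes(text)
    if len(raw) < 7:
        raise ValueError("too short for a DUID-EN")
    duid_type = int.from_bytes(raw[:2], "big")
    if duid_type != DUID_TYPE_EN:
        raise ValueError(f"DUID type {duid_type} is not EN (2)")
    return int.from_bytes(raw[2:6], "big"), to_colon_hex(raw[6:])

if __name__ == "__main__":
    duid = build_duid_en(3562, "01:23:45:67:89:AB:CD:EF")  # constructed identifier
    print(to_colon_hex(duid))  # 00:02:00:00:0D:EA:01:23:45:67:89:AB:CD:EF
    print(decode_duid_en(to_colon_hex(duid)))  # (3562, '01:23:45:67:89:AB:CD:EF')
```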
-
Just read your previous message, you figured it out.. :)
@Franco - do we want to expand this by putting back the generation? You'd still need to fake the enterprise ID etc.
-
Apologies for removal from the PR. It must have been complexity issues and rework required. I changed the original PR quite a bit to operate under the same conditions that other parts already use (e.g. auto-fill MAC address).
I'm not sure how to best integrate if we have multiple vendors and even need a database for it on the system?
Cheers,
Franco
-
As the OP found out you can enter an EN DUID manually, and depending on the original device and the way the ISP has set it up it may not only require the vendor ID but the MAC address as part of the DUID for it to work. That being the case manual is the only way as you would need to grab the original DUID and enter that.
I don't think there is much we can do to automate it, but at least it's possible to clone it.
-
The "vendor" doesn't have to be a hardware vendor. For example, Linux generates a DUID-EN by using the systemd enterprise number (43793) and a hash of the unique machine ID (randomly generated during installation). FreeBSD also has an enterprise number (2238).
-
I'm happy to use the FreeBSD ID but not sure we should use any other. However registering a PEN is free. This is something that @franco should do. Once this is done then Opnsense would have its own PEN and we could legitimately use that.
http://pen.iana.org/pen/PenApplication.page
PR #3436 - Using FreeBSD PEN only.
-
> I'm happy to use the FreeBSD ID but not sure we should use any other. However registering a PEN is free. This is something that @franco should do. Once this is done then Opnsense would have its own PEN and we could legitimately use that.
> http://pen.iana.org/pen/PenApplication.page
> PR #3436 - Using FreeBSD PEN only.
This enterprise number is administered by Poul-Henning Kamp. Maybe he would explain how (or if) it's intended to be used for generating DUIDs.
-
OPNSense should get its own. It's free and takes a couple of days.
(I just got one for my DBA).
They are FREE.
-
> This enterprise number is administered by Poul-Henning Kamp. Maybe he would explain how (or if) it's intended to be used for generating DUIDs.
It's used when generating EN type DUIDs, it's stated quite clearly in the RFC docs. The question is rather should we allow the use of other PENs or only the FreeBSD one or only the one that would be allocated to Opnsense. The latter would be my preference but in the meantime I've used the FreeBSD one.
-
1. First of all, we have to define that this is a type 2 DUID (EN) by prepending two octets: "00:02"
2. Then, we have to convert the decimal to hex (https://www.johnpatel.com/tools/decimal-to-hex-converter/) and format it as four octets, so "3562" becomes "DEA". Append it to the type indicator.
-
That is all done and it's in the PR.
-
> That is all done and it's in the PR.
Yeah, that dude just copied two lines from a previous post of mine in this thread (https://forum.opnsense.org/index.php?topic=12361.msg56855#msg56855) without context. Can't tell if they're trying to make a point or if it's some kind of spam test, honestly.
-
> The question is rather should we allow the use of other PENs or only the FreeBSD one or only the one that would be allocated to Opnsense. The latter would be my preference but in the meantime I've used the FreeBSD one.
I think it's a good idea to only use the FreeBSD PEN (or a yet to register OPNsense one) for the auto generation ('Insert a new EN DUID' link). Users can always enter a DUID-EN with custom PEN by calculating and entering it manually, right? Or did you mean whether to actively block that by asking "should we allow the use of other PENs"?
(Oh, and I think you forgot the hex conversion in your PR. Should be: "\x00\x02\x00\x00\x08\xBE")
Cheers
Maurice
-
We've just applied for a PEN, if it gets assigned I will make sure to post it here.
-
ok, we've received feedback from iana:
Your Private Enterprise Number is: 53869
Below is a copy of your PEN record. This record will be visible in the PEN registry within an hour.
The PEN registry is available at the following address:
http://www.iana.org/assignments/enterprise-numbers