Router Advertisements

Started by trdeal, April 01, 2023, 03:17:57 PM

April 01, 2023, 03:17:57 PM Last Edit: April 05, 2023, 01:18:07 PM by trdeal
Hi,

I have my Opnsense 23.1.5_4 configured for IPv6 Router Advertisements as Managed, as I have a separate pair of Kea Servers handling IPv6. I noticed that a Windows 10 PC was using SLAAC to automatically generate its own IP address.

When I performed a packet capture I found that the SLAAC Router Advertisements were coming from the Opnsense which I specifically had disabled by configuring as Managed.

I presume this is a bug.

I have updated to include the packet capture. Despite the Router Flags being set to Managed and the Opnsense DHCP server being disabled, it includes the Network Prefix, which causes clients to generate their own SLAAC address.

Further to the packet capture, expanding the ICMPv6 Option (Prefix information) it includes a Valid Lifetime and Preferred Lifetime information which is being used to get the DHCPv6 clients to generate a SLAAC address using the information.

When the Router Advertisements are set to Managed, SLAAC is disabled and the ICMPv6 Option (Prefix Information) should be advertised. The DHCPv6 Server should handle the allocation of IPv6 Addresses.


The "Managed" setting does not disable router advertisements. RAs are sent with the "managed" flag set, which tells the client that there is a stateful DHCPv6 server which they can ask next.

AdvManagedFlag on|off

      When set, hosts use the administered (stateful) protocol for address
      autoconfiguration in addition to any addresses autoconfigured
      using stateless address autoconfiguration.  The use of this
      flag is described in RFC 4862.


Note the phrase "in addition".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
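
The M flag sits in the Router Advertisement header, while each Prefix Information option carries its own A (autonomous) flag. The following is an added example, not part of the thread and not OPNsense or radvd code, that parses an RA as seen in a packet capture and reports both; the sample packet is constructed, uses the documentation prefix 2001:db8::/64, and the function names are hypothetical.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body (RFC 4861, section 4.2)."""
    if len(icmp) < 16 or icmp[0] != 134:          # 134 = Router Advertisement
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(icmp[5] & 0x80),        # M flag: stateful DHCPv6 available
          "other": bool(icmp[5] & 0x40),          # O flag: other config via DHCPv6
          "prefixes": []}
    off = 16                                      # options start after the fixed header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:       # Prefix Information option
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", icmp, off + 2)
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: prefix may be used for SLAAC
                "valid": valid, "preferred": preferred})
        off += opt_len
    return ra

def slaac_prefixes(ra: dict) -> list:
    """Prefixes a host would autoconfigure from (simplified RFC 4862 5.5.3 checks)."""
    return [p["prefix"] for p in ra["prefixes"]
            if p["autonomous"] and p["valid"] > 0 and p["preferred"] <= p["valid"]]

def build_sample_ra(managed: bool, autonomous: bool) -> bytes:
    """Constructed sample RA (checksum left at 0) for the documentation prefix."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80 if managed else 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0x80 | (0x40 if autonomous else 0),
                      86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address("2001:db8::").packed

if __name__ == "__main__":
    for m, a in [(True, True), (True, False), (False, True)]:
        ra = parse_ra(build_sample_ra(m, a))
        print(f"M={ra['managed']} A={a} -> SLAAC from {slaac_prefixes(ra)}")
```
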

April 05, 2023, 07:21:31 PM #3 Last Edit: April 07, 2023, 12:28:54 PM by trdeal
I know that configuring Router Advertisements to "Managed" does not disable Router Advertisements, but the Router Advertisement should not include ICMP Option (Prefix Information), as this includes Valid Lifetime and Preferred Lifetime settings and is used by clients to generate SLAAC addresses.

ICMP Option (Prefix Information) should only be included when Router Advertisements are configured "Unmanaged", "Assisted" and "Stateless" when SLAAC is being used.


As a result of the Router Advertisements' ICMPv6 Option 134 including the Network Prefix in Managed Mode, this is causing Windows 10 clients which have been configured with Static IPv6 Addresses to generate SLAAC addresses.
Windows Auto Address configuration is enabled by default, and despite searching with Google I have not found a way to disable IPv6 auto address configuration when using static IPv6 addresses.

Quote from: trdeal on April 13, 2023, 12:00:30 PM
Windows Auto Address configuration is enabled by default, and despite searching with Google I have not found a way to disable IPv6 auto address configuration when using static IPv6 addresses.

That is strange, because it took me about 5 seconds:

http://www.excaliburtech.net/archives/192
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Hi

On Windows 10 the command which is supposed to disable autoconfiguration does not work:

netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled

There is an additional option which is supposed to take effect immediately or permanently, and they do not work.

There is no reason for the Network Prefix to be included in the Router Advertisement when in router or managed mode.

I tried exactly that with Windows 10 and for me, it worked right away. The EUI-64 configured by SLAAC went away. After I re-enabled SLAAC, IPv6 came up again.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Hi

Great that you can disable autoconfiguration on your version of Windows 10.
Which version of Windows 10 are you testing? My wife's laptop Windows 10 will not disable Autoconfiguration.

Either way the Network Prefix should not be included in the Router Advertisement when Managed is selected and the DHCPv6 server on Opnsense is disabled.

The problem is that Autoconfiguration is enabled by default. On Linux it is easy to permanently disable acting on Router Advertisements, but on Windows it is more problematic, and all a rogue actor needs to do is to inject rogue router advertisements into an IPv6 network to cause havoc.



As I interpret the relevant RFCs it is put on the host to use stateful (DHCP) autoconfiguration only and nothing specific is said about the router sending or not sending prefix information in case of the managed flag set.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi,
What I have found is that if a Router Advertisement includes a Network Prefix and an IPv6 client is configured with a static address, unless you configure the client to not accept router advertisements then the client will generate a SLAAC address if the Router Advertisement includes a network prefix.

The use of a network prefix is to inform the client to either generate a SLAAC address or to use DHCPv6 stateful or stateless.

I found with Windows 2008 server configured with a static address, using RA I could get it to generate a SLAAC address. This was fixed, if I remember correctly, in Server 2012, so it ignored the RA by default.