IPv6 DUID-EN Support

Started by gstuartj, April 08, 2019, 05:18:27 PM

April 08, 2019, 05:18:27 PM Last Edit: April 08, 2019, 05:42:22 PM by gstuartj
My ISP requires DUID-EN support for IPv6 prefix delegation to work correctly. This involves setting an enterprise number, along with an identifier. pfSense supports DUID-EN, as does the DHCPv6 service used in OPNSense.

I found this closed GitHub issue about DUID-EN support, but although it was added to the 19.1 milestone I can't seem to find this functionality in the latest dev branch release. (OPNsense 19.7.a_442-amd64)

Am I missing something, or does DUID-EN support not exist? If not, will it be supported in the near-future? I can't run a functional IPv6 stack without it. Thanks!

Figured it out when I expanded the info for the DUID textarea in Interface>Settings. For posterity: OPNSense does support DUID-EN, but it will not generate it for you from the decimal enterprise number + hex ID. You must generate the DUID-EN manually and the form validation will accept it.

Hi there,

Indeed. Not sure why EN generation was left out. Are there any best practices for generating such a DUID? Maybe we can add it too.


Cheers,
Franco

April 09, 2019, 04:59:42 PM #3 Last Edit: April 09, 2019, 05:01:53 PM by gstuartj
Sure, it's not actually difficult, I just wasn't sure that it would accept a manually formatted string. Having it do the conversion in the UI would be helpful.

With DUID-EN you have two pieces of static info: the enterprise number (e.g., 3562) and the identifier (e.g., xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx). These are assigned by the ISP/enterprise.

  • First, we have to indicate that this is a type 2 DUID (EN) by prepending two octets: "00:02"
  • Then, we have to convert the decimal enterprise number to hex and format it as four octets, so "3562" becomes "00:00:0D:EA". Append it to the type indicator.
  • Lastly, we have to append the DUID identifier.
So the final DUID-EN string for the DHCPv6 client becomes: "00:02:00:00:0D:EA:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx"

EN was in the original PR I did, I thought you left it out when you cherry-picked the PR as technically it needs to be registered like Cisco xxx etc.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

It's not obvious how DUID-EN would be used with a software router such as OPNsense, except to provide a way to comply with an ISP that requires the DUID-EN format.

Theoretically, an enterprise number must have been allocated, along with a mechanism to allocate unique instances of DUID-EN using the enterprise number.

Here is a link to the description of DUID-EN in RFC 8415: https://tools.ietf.org/html/rfc8415#page-35

Here is a link to the IANA list of enterprise numbers: https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers

Quote from: bimmerdriver on April 13, 2019, 02:34:11 AM
It's not obvious how DUID-EN would be used with a software router such as OPNsense, except to provide a way to comply with an ISP that requires the DUID-EN format.

Yeah, that was my situation. AT&T service in the U.S. requires the use of a DUID-EN for IPv6. This is fine as the huge majority of customers use an AT&T provided gateway that connects to the ONT for fiber or copper for DSL. I did not want to use the gateway as it has tiny NAT tables, breaks prefix delegation, and causes issues with random address renewals.

As long as it's documented that the DUID-EN can be set manually I don't see it as a super high priority feature.

@Franco did a cherry pick on the original PR but it will be simple enough to add the EN function back in. I'll do it today and issue a PR.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

April 13, 2019, 11:23:21 AM #8 Last Edit: April 13, 2019, 11:25:09 AM by marjohn56

Actually there is nothing to do. If you expand the help then it tells you how to manually create the EN DUID, just checked and it does work.

Quote: EN: 2 bytes "00:02" followed by 4 bytes of the enterprise number e.g. "00:00:00:01", followed by a variable length identifier of hex values up to 122 bytes in length.


So I just entered the following:

00:02:02:02:02:02:70:85:C2:A5:07:7F

That gives me 00:02 to signify EN type DUID. Then four bytes to signify the enterprise ID; in the example above I have used 02:02:02:02, you'll need to find the enterprise ID you need to use. The rest of the bytes I have taken from the existing LT UUID.

To be honest, the best way for you to do this is to wireshark the packet that's sent using the supplied router and copy the DUID, that way you know it's correct.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member
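As an added worked example (not code from this thread or from OPNsense itself), a small Python helper that does what the two posts above describe by hand: it builds a DUID-EN from the decimal enterprise number plus the hex identifier, and it validates a hand-entered string before it is pasted into the DUID field. The 122-octet identifier limit is the one from the help text quoted above; the enterprise numbers and identifiers used in the comments and checks are sample values.

```python
import re

DUID_TYPE_EN = 2            # DUID-EN type code (RFC 8415 section 11.3)
MAX_IDENTIFIER_OCTETS = 122 # limit stated in the OPNsense help text quoted above
_OCTET_STRING = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*$")


def build_duid_en(enterprise_number: int, identifier_hex: str) -> str:
    """Assemble the colon-separated DUID-EN string the OPNsense DUID field accepts.

    enterprise_number is the decimal IANA PEN (e.g. 3562); identifier_hex is the
    ISP-assigned identifier as hex octets, with or without ':' separators.
    """
    if not 0 <= enterprise_number <= 0xFFFFFFFF:
        raise ValueError("enterprise number must fit in four octets")
    ident = bytes.fromhex(identifier_hex.replace(":", ""))
    if not 1 <= len(ident) <= MAX_IDENTIFIER_OCTETS:
        raise ValueError("identifier must be 1..%d octets" % MAX_IDENTIFIER_OCTETS)
    raw = (DUID_TYPE_EN.to_bytes(2, "big")            # "00:02"
           + enterprise_number.to_bytes(4, "big")     # decimal PEN -> 4 octets
           + ident)
    return ":".join("%02X" % b for b in raw)


def parse_duid_en(duid: str) -> tuple:
    """Validate a hand-entered DUID-EN; return (enterprise_number, identifier_hex).

    Raises ValueError for anything that is not a well-formed type-2 DUID.
    """
    if not _OCTET_STRING.match(duid):
        raise ValueError("DUID must be colon-separated hex octets")
    raw = bytes.fromhex(duid.replace(":", ""))
    if len(raw) < 7:
        raise ValueError("need type (2) + PEN (4) + at least 1 identifier octet")
    duid_type = int.from_bytes(raw[:2], "big")
    if duid_type != DUID_TYPE_EN:
        raise ValueError("not a DUID-EN: type field is %d, expected 2" % duid_type)
    if len(raw) - 6 > MAX_IDENTIFIER_OCTETS:
        raise ValueError("identifier longer than %d octets" % MAX_IDENTIFIER_OCTETS)
    return int.from_bytes(raw[2:6], "big"), ":".join("%02X" % b for b in raw[6:])


def is_valid_duid_en(duid: str) -> bool:
    """True when parse_duid_en() accepts the string."""
    try:
        parse_duid_en(duid)
        return True
    except ValueError:
        return False
```

Running `parse_duid_en` on the string captured from the ISP-supplied router (as suggested above) is a quick way to confirm it really is a type-2 DUID and to read off which enterprise number it carries.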

April 13, 2019, 11:27:37 AM #9 Last Edit: April 13, 2019, 11:29:24 AM by marjohn56
Just read your previous message, you figured it out.. :)

@Franco - do we want to expand this by putting back the generation? You'd still need to fake the enterprise ID etc.

OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Apologies for removal from the PR. It must have been complexity issues and rework required. I changed the original PR quite a bit to operate under the same conditions that other parts already use (e.g. auto-fill MAC address).

I'm not sure how to best integrate if we have multiple vendors and even need a database for it on the system?


Cheers,
Franco

As the OP found out, you can enter an EN DUID manually, and depending on the original device and the way the ISP has set it up, it may require not only the vendor ID but the MAC address as part of the DUID for it to work. That being the case, manual is the only way, as you would need to grab the original DUID and enter that.


I don't think there is much we can do to automate it, but at least it's possible to clone it.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

The "vendor" doesn't have to be a hardware vendor. For example, Linux generates a DUID-EN by using the systemd enterprise number (43793) and a hash of the unique machine ID (randomly generated during installation). FreeBSD also has an enterprise number (2238).
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

April 22, 2019, 07:42:01 AM #13 Last Edit: April 22, 2019, 10:44:58 AM by marjohn56
I'm happy to use the FreeBSD ID but not sure we should use any other. However registering a PEN is free. This is something that @franco should do. Once this is done then Opnsense would have its own PEN and we could legitimately use that.


http://pen.iana.org/pen/PenApplication.page


PR #3436 - Using FreeBSD PEN only.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: marjohn56 on April 22, 2019, 07:42:01 AM
I'm happy to use the FreeBSD ID but not sure we should use any other. However registering a PEN is free. This is something that @franco should do. Once this is done then Opnsense would have its own PEN and we could legitimately use that.


http://pen.iana.org/pen/PenApplication.page


PR #3436 - Using FreeBSD PEN only.
This enterprise number is administered by Poul-Henning Kamp. Maybe he would explain how (or if) it's intended to be used for generating DUIDs.