Lower the priority of an IPv6 SLAAC address?

Discussion in 'Linux Networking' started by Marc Haber, Mar 23, 2012.

  1. Marc Haber

    Marc Haber Guest

    Hello,

    I have a host here that is connected via IPv6. A static IP address is
    configured locally; in addition, the device learns a prefix and its
    default gateway via SLAAC:

    |2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    | link/ether 52:54:00:fa:de:7d brd ff:ff:ff:ff:ff:ff
    | inet 192.168.146.11/24 scope global eth0
    | inet6 2001:db8:40b7:9102::200:100/64 scope global
    | valid_lft forever preferred_lft forever
    | inet6 2001:db8:40b7:9102:5054:ff:fefa:de7d/64 scope global dynamic
    | valid_lft 86338sec preferred_lft 14338sec
    | inet6 fe80::5054:ff:fefa:de7d/64 scope link
    | valid_lft forever preferred_lft forever

    Can I somehow, through local configuration or through configuration
    of radvd on the router, make the SLAAC address be learned as
    "deprecated" right away, so that the host uses the statically
    configured address for outgoing connections? Unfortunately, nagios'
    check_ssh plugin cannot set the source address.

    Regards
    Marc
     
    Marc Haber, Mar 23, 2012
    #1

  2. Pascal Hambourg

    Hello,

    Marc Haber wrote:
    (automatic translation from German as I do not speak the language)
    IME, IPv6 static addresses are preferred over autoconfigured addresses.

    On the local host, you can disable autoconfiguration on the interface
    (sysctl net.ipv6.conf.eth0.autoconf=0). The host will still learn the
    prefix and default router information from RA, but not create an
    autoconfigured address.

    In radvd configuration, you can try to disable the "Autonomous" flag
    (AdvAutonomous off) for the prefix, or set AdvPreferredLifetime to 0 but
    this will affect all hosts which use the RA's. I haven't tested either
    of these.
     
    Pascal Hambourg, Mar 24, 2012
    #2

  3. Jorgen Grahn

    Jorgen Grahn Guest

    SLAAC = Stateless address autoconfiguration. I'm quite familiar with
    the concept, but not the abbreviation.

    Unfortunately, it still doesn't make sense to me.
    Why? I set it up with radvd here some time ago, and I found it rather
    elegant. The only drawback I can see is long addresses (e.g.
    2001:470:28:4cf:211:d8ff:fe82 when it could have been
    2001:470:28:4cf::7).
    /Jorgen
     
    Jorgen Grahn, Mar 24, 2012
    #3
  4. Pascal Hambourg

    Jorgen Grahn wrote:
    Sure, some words are out of order, but it makes sense to me.
    What about this:
    "Can I somehow, through local configuration or configuration of
    radvd on the router, ensure that the SLAAC address
    is taught as "deprecated", making the statically configured address
    suitable for outgoing connections? Unfortunately, nagios check_ssh
    plugin cannot set the source address."
    Maybe there is a misunderstanding in the meaning of "preferred". I did
    not mean it as "recommended practice". I just mean that in my
    experience, when a Linux host has both statically assigned and
    autoconfigured IPv6 addresses in the same prefix, the IPv6 stack always
    selects the statically assigned address by default. This makes sense to
    me, because through static assignment the administrator wants the host
    to use that specific address.
     
    Pascal Hambourg, Mar 24, 2012
    #4
  5. Jorgen Grahn

    Jorgen Grahn Guest

    Thanks again. I suspect then that "deprecated" has an official meaning
    in IPv6 autoconfig, and that it would make sense if I knew about that
    aspect.
    Yes, I misunderstood, in the way you suspected.

    /Jorgen
     
    Jorgen Grahn, Mar 24, 2012
    #5
  6. Marc Haber

    Marc Haber Guest

    ... and obviously hit the wrong newsgroup. I apologize for the German
    post.

    Greetings
    Marc
     
    Marc Haber, Mar 26, 2012
    #6
  7. Marc Haber

    Marc Haber Guest

    My translation:

    One of my hosts has IPv6 connectivity. It has a static IPv6 address
    configured locally, but learns one prefix/IP address and its default
    gateway via SLAAC.
    Unfortunately, it takes the SLAAC address for outgoing connections,
    which causes some issues with Nagios' check_ssh, since the hosts that
    I check have access lists which allow the static address, but not the
    dynamic SLAAC address. Is it possible to configure radvd (or the local
    host, as a fallback solution) to announce the SLAAC address in a way
    that it is learned (to make the host accessible in case of
    connectivity problems), but not used for outgoing connections? The
    other way around would work by configuring the IP address with a
    preferred lifetime of 0, which causes the host to immediately consider
    it deprecated.

    Greetings
    Marc
     
    Marc Haber, Mar 26, 2012
    #7
  8. Marc Haber

    Marc Haber Guest

    Unfortunately, not.
    I haven't yet been able to find the correct place to set this. You
    need to set it after the ipv6 module is loaded, but before the prefix
    is learned. Setting this sysctl after the SLAAC address was learned
    doesn't remove the address.
    I'd rather have a host specific setting.

    Greetings
    Marc
     
    Marc Haber, Apr 2, 2012
    #8
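Added example, not from the thread: it combines the local-host sysctl from post #2 with the "preferred lifetime 0 means deprecated" observation from post #7, and addresses the timing problem in post #8 by deprecating SLAAC addresses that were already learned. The interface listing it parses is constructed from the `ip` output quoted in the first post; the function names are mine.

```shell
#!/bin/sh
# Deprecate already-learned SLAAC addresses so that the static address is the
# only preferred global address left for source address selection.
# Constructed sample of `ip -6 addr show dev eth0`, modelled on the listing in
# the thread (documentation prefix 2001:db8::/32).
SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet6 2001:db8:40b7:9102::200:100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:40b7:9102:5054:ff:fefa:de7d/64 scope global dynamic
       valid_lft 86338sec preferred_lft 14338sec
    inet6 fe80::5054:ff:fefa:de7d/64 scope link
       valid_lft forever preferred_lft forever'

# Global-scope addresses the kernel flags "dynamic", i.e. learned via SLAAC.
# Statically configured and link-local addresses are skipped.
slaac_addrs() {
    printf '%s\n' "$1" | awk '/^ *inet6 / && /scope global/ && / dynamic/ { print $2 }'
}

# Commands that stop the host from choosing those addresses as source:
# preferred_lft 0 marks each one deprecated (still bound and reachable, and
# existing sessions keep it), while autoconf=0 keeps the next RA from creating
# a fresh SLAAC address. Nothing is executed here, only printed.
deprecate_cmds() {
    dev=$1; listing=$2
    printf 'sysctl -w net.ipv6.conf.%s.autoconf=0\n' "$dev"
    for addr in $(slaac_addrs "$listing"); do
        printf 'ip -6 addr change %s dev %s preferred_lft 0\n' "$addr" "$dev"
    done
}

# Live use (as root): deprecate_cmds eth0 "$(ip -6 addr show dev eth0)" | sh
# Afterwards `ip -6 route get <remote>` shows the src address the host picks.
deprecate_cmds eth0 "$SAMPLE"
```

Without the sysctl, a later Router Advertisement can refresh the preferred lifetime and undo the deprecation, so keep both commands together.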
  9. Marc Haber

    Marc Haber Guest

    IP address based access lists that you want to hold after changing the
    host's hardware.

    Static DNS entries that should survive changing the host's hardware.

    Greetings
    Marc
     
    Marc Haber, Apr 2, 2012
    #9
  10. Marc Haber

    Marc Haber Guest

    It has. A "deprecated" address is one that is kept online to allow
    existing connections to survive, but it is never used as the address
    for outgoing connections, and, IIRC, a deprecated address doesn't
    accept new connections either.

    An address with preferred lifetime of zero is deprecated.

    Greetings
    Marc
     
    Marc Haber, Apr 2, 2012
    #10