Mysterious missing DHCPv6 feature, was Re: How does one obtain an IPv6 DNS server when VPNing to an ASA?

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon May 17 06:16:15 CEST 2010


 Hi Shane,

	First off, I write the way I write - not trying to be funny.
	Acronyms:  
	
	DHCP - Dynamic Host Control Protocol
	DNS -  Domain Name Service
	NTP -  Network Time Protocol
	RA  - Router Advertisement
	ND  - Neighbor Discovery
	IPv6 - The sixth version of the IP protocol
	MAC - Media Access Control
	IPv4 - the fourth version of the IP protocol
	IVI - The CERNET IPv4-IPv6 translator code

	DHCP documentation is not up to the level of the DNS docs,
	so will use snippets from my homegrown version.

	This is what I wanted DHCP to do, regardless of family
	and not running -two- DHCP services, one per family.

	DHCP to hand out DNS servers, NTP servers on request, and do 
	dynamic update for the forward and reverse DNS maps.
	in an ipv6 network without RA,ND, or any other "helpful" IPv6
	features enabled. The ipv6 network in question is running in
	a single /96, so the subnetting needs to work properly.

	like this:

    subnet FD00:4555:6::cafe/96  {
        range FD00:4555:6::cafe:d0 FD00:4555:6::cafe:ff;

        # options
        option domain-name "ep.net";
        option domain-name-servers FD00:4554:6:0:230:48ff:fe22:6a29;
        option routers  FD00:4554:6::1;

        option ntp-servers FD00:4554:6::123;
    }


	To get those options to work with those values requires a bit
	of a willingness to toss the spec in the trash and start over.
	I started by creating new option code points for IPv6 address family
	stuff .. this was problematic at best.

	So I borrowed a little logic from the ()getaddress API and 
	re-wrote the existing option codes to -mostly- be address family
	agnostic.  (It hangs when I mix addresses inside an option; for example,
	I can't get this to work:

	option routers FD00:4554:6::1, 192.0.2.1;

	yet...)


	No Cisco stuff in the middle - and we had to tweak this to 
	get IVI to work well - handing out IPv4 addresses based on
	the IPv6 address, not the MAC.
	
	And I have -most- of this working.  My kludgey patches to 
	the v3 tree of DHCP ended up requiring both server and client
	side, so it's not really interoperable w/ anything else - 
	when I am at home, one library gets used - on the road - stock
	v4DHCP.  For v6, whatever works.  Looking forward to having to port 
	my crap to the v4DHCP tree.

	I am -not- looking for ISC to do anything here.   I don't expect
	ISC to ship anything based on this, nor do I expect "vendor"
	specific options - since I'm not a vendor.  This is fullbore custom
	code - it's mine, I'm not sharing (mostly 'cause my code is ugly
	and no doubt bug-ridden) .. My point was/is, if folks
	don't like what they are getting, they have the source and should
	use it.

--bill



On Mon, May 17, 2010 at 10:38:52AM +0800, Shane Kerr wrote:
> Bill,
> 
> It's not clear to me which DHCP feature you are referring to. Perhaps it
> is the mix of interleaved style and top-posting, or maybe my ignorance
> with Cisco technologies, but I honestly can't figure it out.
> 
> Please write it very clearly, in a non-funny way. Try to use a minimum
> of acronyms (sort of the opposite of the first post in this thread).
> Ideally sprinkle a few URLs explaining what you mean.
> 
> Even if we don't ultimately ship it in ISC DHCP, it is probably better
> to define this as a dhcpd.conf/dhclient.conf recipe, perhaps using
> vendor-specific options, rather than shipping custom code. But I can't
> say since I don't know what you mean.
> 
> --
> Shane
> 
> On Sat, 2010-05-15 at 00:35 +0000, bmanning at vacation.karoshi.com wrote:
> > many months ago, I asked for this DHCP feature to be supported in
> > the IPv6 variant and was told that the IETF refused - hence ISC didn't build
> > it into their product.  Phaugh on them - it's open source!  So I built a
> > server and client that talk IPv6 and support the usual/customary DHCP
> > options over IPv6...  it has the unfortunate side effect of not being compatible
> > with other DHCP servers or clients but does the job for me and my little 
> > piece of hell.  Should work anywhere DHCPv4 does though.
> > 
> > --bill
> > 
> > 
> > On Fri, May 14, 2010 at 10:53:16AM +0200, Andrew Yourtchenko wrote:
> > > On Fri, May 14, 2010 at 7:53 AM, Ben Jencks <ben at bjencks.net> wrote:
> > > > It's officially supported in 8.2.x, but there's apparently a nasty bug
> > > > in at least the early versions where the "inactive" appliance still
> > > > sends RAs despite not forwarding traffic. Be careful and test
> > > > carefully. (I didn't experience this bug, we're still on 8.0, but I
> > > > know someone who did)
> > > 
> > > That bug was before 8.2.2 - where it started to be "officially"
> > > supported (because of the necessary changes to the infrastructure that
> > > alleviated this behaviour. It was more than just a bugfix, yes -
> > > starting from 8.2.2 the stateful failover is possible)
> > > 
> > > I did test it in 8.2.2, it worked all right. Don't use anything earlier.
> > > 
> > > As for the original question - no; there's no DHCPv6.
> > > 
> > > > From the config - since you give out both IPv4 and IPv6 - just
> > > dual-stack the recursive DNS server, and use IPv4 towards the clients
> > > ?
> > > 
> > > Or you plan to get rid of IPv4 completely for those clients ?
> > > 
> > > cheers,
> > > andrew
> > > 
> > > >
> > > > WRT the original question: I assume you're using AnyConnect? If so, I
> > > > can't help you, but if you've managed to get anything IPv6 to work
> > > > with IPsec on the ASA, I'd like to hear about it.
> > > >
> > > > -Ben
> > > >
> > > > On Fri, May 14, 2010 at 01:11, Frank Bulk <frnkblk at iname.com> wrote:
> > > >> I don't believe that's the case in a 8.2.x, look for "IPv6 Support in
> > > >> Failover Configurations" in the following:
> > > > >> http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp337399
> > > >>
> > > >> Frank
> > > >>
> > > >> -----Original Message-----
> > > >> From: Shaun Ewing [mailto:s.ewing at aussiehq.com.au]
> > > >> Sent: Friday, May 14, 2010 12:02 AM
> > > >> To: Shane Kerr; frnkblk at iname.com
> > > >> Cc: ipv6-ops at lists.cluenet.de
> > > >> Subject: Re: How does one obtain an IPv6 DNS server when VPNing to an ASA?
> > > >>
> > > >> <snip>
> > > >>
> > > >> We have a lot of ASAs, but they're all in HA - and
> > > >> anybody who has tried to do IPv6 on them knows (or should know) that IPv6
> > > >> support is presently non-existent when in a HA config.
> > > >>
> > > >> -Shaun
> > > >>
> > > >>
> > > >
> > 
> 

