0

Hello, there.

I manage some Wheezy servers with IPv6 enabled on all of them. They all have a global IPv6 /64 block using the first address in the block as the primary, i.e.:

root@Host /h/david# ifconfig
eth0      Link encap:Ethernet  HWaddr 4c:72:b9:56:03:6e  
          […]
          adr inet6: fe80::4e72:b9ff:fe56:36e/64 Scope:Lien
          adr inet6: 2001:1234:1234:1234::1/64 Scope:Global
          […]

I recently saw that, even if the whole block is configured on the interface, only the one in the block definition, here 2001:1234:1234:1234::1, answers to IPv6 requests. For example, if I ping 2001:1234:1234:1234::2 or 2001:1234:1234:1234::42, I get no answer. I already checked the firewall, which lets all ICMPv6 requests passing through, including NDP ones, but NDP is still a problem to me: Wheezy doesn't answer to Neighbor solicitations. Here is what I get from tcpdump when I listen while pinging:

root@Host /h/david# tcpdump icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode                                            
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes                                              
10:55:23.224447 IP6 fe80::264:40ff:fe3a:fac0 > ff02::1:ff00:55: ICMP6, neighbor solicitation, who has 2001:1234:1234:1234::55, length 32                                                                                                       
10:55:24.311669 IP6 fe80::264:40ff:fe3a:fac0 > ff02::1:ff00:55: ICMP6, neighbor solicitation, who has 2001:1234:1234:1234::55, length 32                                                                                                       
10:55:25.392511 IP6 fe80::264:40ff:fe3a:fac0 > ff02::1:ff00:55: ICMP6, neighbor solicitation, who has 2001:1234:1234:1234::55, length 32                                                                                                       
^C

As you can see, Wheezy doesn't answer to Neighbor solicitations. I thought about kernel parameters, but I didn't change any of them, and I can't see why the default config would ignore NDP packets, which are, from what I read, critical. In addition, I tried changing the following parameters :

root@Host /h/david# sysctl -w net.ipv6.conf.all.accept_ra=1     
net.ipv6.conf.all.accept_ra = 1                                   
root@Host /h/david# sysctl -w net.ipv6.conf.default.accept_ra=1 
net.ipv6.conf.default.accept_ra = 1                               
root@Host /h/david# sysctl -w net.ipv6.conf.eth0.accept_ra=1    
net.ipv6.conf.eth0.accept_ra = 1

This didn't work either. Does somebody see why Wheezy doesn't answer to Neighbor solicitations?

Hoping to understand where the problem is,

Regards.

Penegal
  • 156
  • 1
  • 14

1 Answers1

0

You don't configure a whole block of addresses on your interface. In your example you only configured one address from a /64 subnet.

When you configure for example 192.168.1.1/24 (which is 192.168.1.1/255.255.255.0 in pre-CIDR notation) you configure one address (192.168.1.1) in a subnet (192.168.1.0/24). IPv6 works in exactly the same way.

Wheezy is doing the right thing here.

Sander Steffann
  • 7,712
  • 19
  • 29
  • Well, I don't understand… `ifconfig` shows me a full /64 IPv6 block and only one IPv4 address; shouldn't the server answer on all IP addresses displayed by `ifconfig`? Asked otherwise, why does `ifconfig` show me a full /64 IPv6 block if the server doesn't answer to all of them? – Penegal Jan 15 '15 at 16:28
  • @Penegal You are misinterpreting the output from ifconfig. It will show you the netblock for both IPv4 and for IPv6, it uses a more compact notation for IPv6. – kasperd Jan 15 '15 at 17:20
  • @Penegal: it doesn't show you that the server had the `/64` for itself, it shows you the server is connected to a /64 subnet. – Sander Steffann Jan 15 '15 at 22:37
  • @SanderSteffann: my ISP grants me the full /64 IPv6 block; does that mean I have to configure each IPv6 address I wan't to use on the interface? Isn't there a mean to use a part or all of the /64 IPv6 block in only one go? – Penegal Jan 16 '15 at 09:17
  • Yes, you have to configure all the addresses you want to use or use SLAAC and let the device(s) autoconfigure their addresses. – Sander Steffann Jan 16 '15 at 16:12
  • OK, there is no chance I can convince my ISP to do that. Thanks anyway for your help! – Penegal Jan 20 '15 at 15:27