
I have set up an unnumbered L2TP tunnel from home to a remote host. While trying to ping ipv6.google.com, I received a beyond scope error. I know that some time ago link-local addresses were not supposed to be used this way, but now with an unnumbered interface this should be possible.

Both machines are running the latest Debian jessie, but with a more recent kernel, 4.6.0-0.bpo.1-amd64.

Tunnel:

~> sudo ip l2tp show tunnel
   Tunnel 386, encap IP
   From 192.168.88.254 to remote_host
   Peer tunnel 381

Addresses and routing:

Home ~> ip -6 addr

5: l2tpeth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1492 state UNKNOWN qlen 1000
    inet6 fe80::8427:7dff:fea4:939b/64 scope link
       valid_lft forever preferred_lft forever
~> ip -6 route
local ::1 dev lo  proto kernel  metric 256
fe80::/64 dev vnet0  proto kernel  metric 256
fe80::/64 dev l2tpeth0  proto kernel  metric 1024
default via fe80::f94e:693a:aa66:e79b dev l2tpeth0  metric 1024

remote_host ~> ip -6 addr

5: l2tpeth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 state UNKNOWN qlen 1000
    inet6 fe80::f94e:693a:aa66:e79b/128 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::f434:73ff:fef3:5236/64 scope link
       valid_lft forever preferred_lft forever
~> ip -6 route
local ::1 dev lo  proto kernel  metric 256
2400:8900::/64 dev eth0  proto kernel  metric 256  expires 2591997sec mtu 1300
fe80::f94e:693a:aa66:e79b dev l2tpeth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256  mtu 1300
fe80::/64 dev tun0  proto kernel  metric 256
fe80::/64 dev l2tpeth0  proto kernel  metric 256  mtu 1460
default via fe80::1 dev eth0  proto ra  metric 1024  expires 87sec mtu 1500 hoplimit 64

Ping:

~> ping6 fe80::f94e:693a:aa66:e79b%l2tpeth0
PING fe80::f94e:693a:aa66:e79b%l2tpeth0(fe80::f94e:693a:aa66:e79b) 56 data bytes
64 bytes from fe80::f94e:693a:aa66:e79b: icmp_seq=1 ttl=64 time=61.9 ms
64 bytes from fe80::f94e:693a:aa66:e79b: icmp_seq=2 ttl=64 time=58.4 ms
64 bytes from fe80::f94e:693a:aa66:e79b: icmp_seq=3 ttl=64 time=57.4 ms
64 bytes from fe80::f94e:693a:aa66:e79b: icmp_seq=4 ttl=64 time=56.5 ms
64 bytes from fe80::f94e:693a:aa66:e79b: icmp_seq=5 ttl=64 time=66.1 ms
^C
--- fe80::f94e:693a:aa66:e79b%l2tpeth0 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 56.509/60.113/66.190/3.562 ms

Ping Google from home:

ping6 ipv6.google.com
PING ipv6.google.com(hkg12s01-in-x0e.1e100.net) 56 data bytes
From hkg12s01-in-x0e.1e100.net icmp_seq=1 Destination unreachable: Beyond scope of source address
From hkg12s01-in-x0e.1e100.net icmp_seq=2 Destination unreachable: Beyond scope of source address
^C
--- ipv6.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms

tcpdump on remote:

~> sudo tcpdump -ni l2tpeth0 icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on l2tpeth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:34:19.944576 IP6 fe80::8427:7dff:fea4:939b > 2404:6800:4005:801::200e: ICMP6, echo request, seq 1, length 64
09:34:19.944749 IP6 fe80::f94e:693a:aa66:e79b > fe80::8427:7dff:fea4:939b: ICMP6, destination unreachable, beyond scope 2404:6800:4005:801::200e, source address fe80::8427:7dff:fea4:939b, length 112
09:34:20.946277 IP6 fe80::8427:7dff:fea4:939b > 2404:6800:4005:801::200e: ICMP6, echo request, seq 2, length 64
09:34:20.946397 IP6 fe80::f94e:693a:aa66:e79b > fe80::8427:7dff:fea4:939b: ICMP6, destination unreachable, beyond scope 2404:6800:4005:801::200e, source address fe80::8427:7dff:fea4:939b, length 112
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

sysctl on remote host (ipv6 forwarding is on):

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.l2tpeth0.forwarding = 1
Quan Zhou

1 Answer

Beyond scope of source address means that you don't have an IPv6 address with a sufficiently large scope to reach the destination.

In particular, you have only a link-local address, so you can only reach IPv6 addresses on that layer 2 link. In this case, that means you can only reach the other end of the tunnel.

In order to reach the Internet, you need global scope IPv6 addresses, and you need them routed to (and from) you. You obtain these addresses from your Internet service provider, university, datacenter, etc.

Michael Hampton
  • I masquerade my upstream host's v6 address it sees the internet with so I don't need to get an extra one (but v6 are cheap since there are so many). – Skaperen Aug 06 '16 at 05:16
  • @Skaperen Did you say masquerade? That just completely defeats the whole point. – Michael Hampton Aug 06 '16 at 05:22
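The scope rule in the answer, as an added example that is not code from the question, the answer or either host: a small model that classifies IPv6 addresses by scope, emulates the check a forwarding router applies to a transit packet (the one that produced the "beyond scope" replies in the tcpdump above), and picks a usable source address from an interface's address list. The `ip -6 addr` text inside it is constructed from the question; `2001:db8::1` is a documentation prefix standing in for a real global address and is an assumption, not an address on the page.

```python
"""Added example (not part of the original question or answer): a model of
the IPv6 scope rules behind "Destination unreachable: Beyond scope of
source address". The sample `ip -6 addr` text is constructed from the
question; 2001:db8::1 is an assumed stand-in for a real global address."""
import ipaddress
import re
from typing import List, Optional, Tuple

# RFC 4443 section 3.1: Destination Unreachable, code 2
ICMP6_BEYOND_SCOPE = 2

# Scope ordering from RFC 4291 section 2.7 (multicast scope field); RFC 6724
# ranks unicast link-local below global using the same ordering.
SCOPE_RANK = {"interface-local": 1, "link": 2, "admin": 4, "site": 5,
              "organization": 8, "global": 14}
MCAST_SCOPES = {1: "interface-local", 2: "link", 4: "admin", 5: "site",
                8: "organization", 14: "global"}


def scope_of(addr: str) -> str:
    """Return the scope name of an IPv6 address ('link', 'global', ...)."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:
        # The low nibble of the second byte carries the multicast scope.
        return MCAST_SCOPES.get(a.packed[1] & 0x0F, "reserved")
    if a.is_link_local:          # fe80::/10
        return "link"
    if a.is_site_local:          # fec0::/10, deprecated but still scoped
        return "site"
    return "global"              # includes ULA fc00::/7 (global scope per RFC 6724)


def forward_decision(src: str, dst: str) -> Tuple[bool, str]:
    """Emulate a router's decision on a transit packet src -> dst.

    Mirrors the source-address check in Linux's ip6_forward(): a packet with
    a link-local source is never forwarded and is answered with ICMPv6
    Destination Unreachable code 2, as seen in the tcpdump on the remote host.
    """
    s, d = scope_of(src), scope_of(dst)
    if s in ("unspecified", "loopback") or ipaddress.IPv6Address(src).is_multicast:
        return False, "dropped: illegal source address"
    if s == "link":
        return False, (f"ICMPv6 dest unreachable code {ICMP6_BEYOND_SCOPE}: "
                       "beyond scope of source address")
    if d == "link":
        return False, "not forwarded: link-local destination is on-link only"
    return True, "forwarded"


def parse_ip6_addr(text: str) -> List[str]:
    """Extract the inet6 addresses from `ip -6 addr` output."""
    return re.findall(r"inet6\s+([0-9A-Fa-f:]+)/\d+\s+scope", text)


def pick_source(candidates: List[str], dst: str) -> Optional[str]:
    """Choose a source whose scope is at least the destination's scope;
    RFC 6724 rule 2 prefers the smallest such scope. None means the host has
    no address that can reach dst, which is the home host's situation."""
    need = SCOPE_RANK.get(scope_of(dst), 0)
    usable = [c for c in candidates if SCOPE_RANK.get(scope_of(c), 0) >= need]
    return min(usable, key=lambda c: SCOPE_RANK.get(scope_of(c), 0), default=None)


# Constructed from the question's `ip -6 addr` output on the home host.
HOME_IP6_ADDR = """\
5: l2tpeth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1492 state UNKNOWN qlen 1000
    inet6 fe80::8427:7dff:fea4:939b/64 scope link
       valid_lft forever preferred_lft forever
"""
GOOGLE_V6 = "2404:6800:4005:801::200e"   # destination seen in the tcpdump


def demo() -> dict:
    home = parse_ip6_addr(HOME_IP6_ADDR)
    return {
        "home_source_for_google": pick_source(home, GOOGLE_V6),       # None
        "router_verdict": forward_decision(home[0], GOOGLE_V6)[0],     # False
        "after_adding_global": pick_source(home + ["2001:db8::1"], GOOGLE_V6),
        "router_verdict_global": forward_decision("2001:db8::1", GOOGLE_V6)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against the home host's address list the picker returns nothing, because fe80::/64 is the only prefix on l2tpeth0; the tunnel peer, acting as router, then answers every echo request with code 2 rather than forwarding it. Adding any global address (assigned and routed by the upstream, as the answer says) makes both checks pass; a ULA (fc00::/7) would pass the scope check too but is not routable on the Internet, which is a reachability problem rather than a scope one.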