[ipv6hackers] IPv6 source address selection on Linux


Sander Smeenk

Jul 19, 2012, 9:09:55 AM
to IPv6 Hackers Mailing List
Hi, [try3,nogpg]

Could someone provide me with clue on how i can force traffic on my
server going to 2001:db8::1 to *always* source from the configured ULA
address fded:e128:5900::1 ?

In fact i want source based routing like i do in IPv4 land, like this:
| # ip addr add 10.38.80.1/24 dev eth0
|
| # ip route add 10.38.80.0/24 dev eth0 src 10.38.80.1 table 1
| # ip route add default via 10.38.80.254 table 1
| # ip rule add from 10.38.80.0/24 lookup 1
|
| # ip route add 213.136.x.y/32 dev eth0 src 10.38.80.1

It appears i can't do the "src fded:e128:5900::1"-trick for v6 routes
and all i could find on this was /etc/gai.conf to fiddle with RFC 3484
Address Selection.

Now there's really a lot of references TO that RFC but i was unable to
find any workable examples on how to set this up. Fiddling with
preferred_lft on the v6 address won't work either in this situation.

The problem i'm trying to fix:

I have a server behind a loadbalancer. The loadbalancer uses 10.x.x.x/8
and fded:e128:5900:x::/64 IPs to forward traffic to this node, and this
node needs to talk to the loadbalancer's public facing VIP to access the
platform in a loadbalanced manner. Binding the VIP to the lo interface
on the node is not feasible due to the expected load then going to that
one server.

In IPv4 land the rp_filter drops traffic with an incorrect source, this
is fixed with the above quoted SBR-setup, i failed to achieve the same
with IPv6 and have now firewalled IPv6 traffic so that connections
switch to IPv4 instead. Not nice. :)

Any clue?

With regards,
-Sander.
--
| 0 bottles of beer on the wall, 0 bottles of beer, you take 1 down,
| pass it around, 4294967295 bottles of beer on the wall.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
_______________________________________________
Ipv6hackers mailing list
Ipv6h...@lists.si6networks.com
http://lists.si6networks.com/listinfo/ipv6hackers

Romain Boissat

Jul 19, 2012, 9:36:35 AM
to IPv6 Hackers Mailing List
Hi

On Thu, Jul 19, 2012 at 3:09 PM, Sander Smeenk <ssm...@freshdot.net> wrote:

> Hi, [try3,nogpg]
>
> Could someone provide me with clue on how i can force traffic on my
> server going to 2001:db8::1 to *always* source from the configured ULA
> address fded:e128:5900::1 ?
>

You can apply this little hack to all other IPv6 addresses:

ip addr change $IP6_ADDR/$NETMASK dev $NIC preferred_lft 0

An interesting article about IPv6 source address selection [1]

[1] http://www.davidc.net/networking/ipv6-source-address-selection-linux

--
Romain Boissat
chroot-me.in

Karl Auer

Jul 19, 2012, 10:27:51 AM
to ipv6h...@lists.si6networks.com
On Thu, 2012-07-19 at 15:36 +0200, Romain Boissat wrote:
> > Could someone provide me with clue on how i can force traffic on my
> > server going to 2001:db8::1 to *always* source from the configured ULA
> > address fded:e128:5900::1 ?
>
> You can this little hack to all other IPv6 addresses:
>
> ip addr change $IP6_ADDR/$NETMASK dev $NIC preferred_lft 0

Be aware that this hack will make the address of the remaining NIC the
source address for ALL packets leaving the server. OK if that's what you
want. And if the server addresses are coming via autoconfig, double
check that the fix doesn't disappear with each RA that comes down the
pike :-)

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687

Karl Auer

Jul 19, 2012, 10:37:15 AM
to ipv6h...@lists.si6networks.com
On Fri, 2012-07-20 at 00:27 +1000, Karl Auer wrote:
> Be aware that this hack will make the address of the remaining NIC the
> source address for ALL packets leaving the server.

Er, that should have read: "Be aware that this hack will make the
remaining address the source address for ALL packets leaving the
server."

Sander Smeenk

Jul 19, 2012, 10:41:59 AM
to ipv6h...@lists.si6networks.com
Quoting Romain Boissat (rboi...@lv0.in):

> > Could someone provide me with clue on how i can force traffic on my
> > server going to 2001:db8::1 to *always* source from the configured ULA
> > address fded:e128:5900::1 ?
>
> You can this little hack to all other IPv6 addresses:
> ip addr change $IP6_ADDR/$NETMASK dev $NIC preferred_lft 0

No i can't. As i stated in my original email.
Although i might have been more clear on that subject:

| Now there's really a lot of references TO that RFC but i was unable to
| find any workable examples on how to set this up. FIDDLING WITH
| PREFERRED_LFT ON THE V6 ADDRESS WON'T WORK EITHER IN THIS SITUATION.

... because if i set the preferred_lft for the public routable
2001:db8:: ip to 0, it also sources fded:e128:5900::1 for every other
address on the public internet. I want it to only source from
fded:e128:5900::1 when connecting to 2001:db8::1 (which is on the same
L2 network, and is why i need this so bad). It should use its public
routable IPv6 address on all other occasions.

Thanks though,
-Sander.
--
| "What allergies do you have?" "That would be fire. Makes my skin turn
| red or black and it often oozes and blisters after exposure."
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2

Romain Boissat

Jul 19, 2012, 10:52:10 AM
to IPv6 Hackers Mailing List
On Thu, Jul 19, 2012 at 4:41 PM, Sander Smeenk <ssm...@freshdot.net> wrote:

> Quoting Romain Boissat (rboi...@lv0.in):
>
> > > Could someone provide me with clue on how i can force traffic on my
> > > server going to 2001:db8::1 to *always* source from the configured ULA
> > > address fded:e128:5900::1 ?
> >
> > You can this little hack to all other IPv6 addresses:
> > ip addr change $IP6_ADDR/$NETMASK dev $NIC preferred_lft 0
>
> No i can't. As i stated in my original email.
> Although i might have been more clear on that subject:
>
> | Now there's really a lot of references TO that RFC but i was unable to
> | find any workable examples on how to set this up. FIDDLING WITH
> | PREFERRED_LFT ON THE V6 ADDRESS WON'T WORK EITHER IN THIS SITUATION.
>
> ... because if i set the preferred_lft for the public routable
> 2001:db8:: ip to 0, it also sources fded:e128:5900::1 for every other
> address on the public internet. I want it to only source from
> fded:e128:5900::1 when connecting to 2001:db8::1 (which is on the same
> L2 network, and is why i need this so bad). It should use its public
> routable IPv6 address on all other occasions.
>

Well in that case, I can only think of iproute2 policy routing on the
server with two routing tables and several rules to select the right
routing table depending on source and destination prefixes. You should
check that your current kernel supports multiple IPv6 routing tables,
though.

--
Romain Boissat
chroot-me.in

Sander Smeenk

Jul 19, 2012, 11:07:41 AM
to ipv6h...@lists.si6networks.com
Quoting Romain Boissat (rboi...@lv0.in):

> Well in that case, I can only think of iproute2 policy routing on the
> server with two routing tables and several rules to select the right
> routing table depending on source and destination prefixes. You should
> check that your current kernel supports multiple IPv6 routing tables,
> though.

Yes. Like i do with IPv4, see my original mail.

BUT, even though i specify 'src fded:e128:5900::1', this does *NOT* end
up in the routing table (like it does for IPv4). *PLEASE* try this
yourself.

I've been there long before i mailed this list for help.

I'm fairly certain i need to fiddle with gai.conf and label / preference
settings - but there is no information on what i should put in there to
get the behaviour as described:

- source from fded:e128:5900::1 *ONLY* for traffic to 2001:db8::1
- source from public routable v6 address for anything else

-Sndr.
--
| When a clock is hungry it goes back four seconds.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2

Gert Doering

Jul 22, 2012, 2:19:46 PM
to ipv6h...@lists.si6networks.com
Hi,

On Thu, Jul 19, 2012 at 05:07:41PM +0200, Sander Smeenk wrote:
> I'm fairly certain i need to fiddle with gai.conf and label / preference
> settings - but there is no information on what i should put in there to
> get the behaviour as described:
>
> - source from fded:e128:5900::1 *ONLY* for traffic to 2001:db8::1
> - source from public routable v6 address for anything else

If you ever get that to work, please post here so I can learn - I've
tried something similar recently (two GUAs from two different upstream
providers, and trying to insert a policy "use GUA 1 for all connects
TO 2001:608::/32, and GUA 2 for everything *else*") and couldn't make
it do anything.

What I did not test was "change gai.conf, then reboot" - mostly due
to lack of available time. I just gave up and cursed...

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279

Jim Small

Jul 22, 2012, 10:11:21 PM
to IPv6 Hackers Mailing List
Hi Sander,

I have mixed news for you. I can't achieve what you want with a ULA (bad news), but I can achieve it with another GUA.
Note: I tested with Windows 7 - Linux may yield different results.

Here's my default prefix policy table in Windows 7 (Microsoft's implementation of RFC 3484):
Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        30      2  2002::/16
        20      3  ::/96
        10      4  ::ffff:0:0/96
         5      5  2001::/32

I have a ULA address and a GUA:
2001:470:c4e8:1::/64
fd01:0:0:1::/64 (illegally created address for example purposes only)

If I alter my prefix policy table like this it doesn't work:
Precedence  Label  Prefix
----------  -----  --------------------------------
        70      6  fd01:0:0:1::/64
        60      6  2001:470:c4e8:2::/64
        50      0  ::1/128
        40      1  ::/0
        30      2  2002::/16
        20      3  ::/96
        10      4  ::ffff:0:0/96
         5      5  2001::/32

However, if I add a different GUA - 2004:1:2:3::/64 and add that to the prefix policy table:
Precedence  Label  Prefix
----------  -----  --------------------------------
        80      6  2004:1:2:3::/64
        70      6  fd01:0:0:1::/64
        60      6  2001:470:c4e8:2::/64
        50      0  ::1/128
        40      1  ::/0
        30      2  2002::/16
        20      3  ::/96
        10      4  ::ffff:0:0/96
         5      5  2001::/32

This works as you desire - when I access something with a prefix of 2001:470:c4e8:2::/64 (destination) Windows uses an address with the prefix 2004:1:2:3::/64 (source). For any other IPv6 prefix (destination) it uses 2001:470:c4e8:2::/64 (source).

This makes me suspect at least in Windows that ULA addresses aren't treated as having the same scope. From looking at the 3484 rules:

Destination Address Selection - N/A, we have chosen the destination address.

Source Address Selection:
(N/A) 1. Prefer the same address - If a source address = the destination address, prefer it
(Susp) 2. Prefer appropriate scope - Use the address with the same/closest scope
(N/A) 3. Avoid deprecated addresses - Prefer "preferred" addresses
(N/A) 4. For Mobile IP Addresses (...)
(Poss) 5. Prefer outgoing interface - Use the interface that will be chosen given the destination
(Yes) 6. Prefer matching label - If a source address has a matching label (from the policy table) to the destination address, prefer it
7. Prefer public addresses - Prefer public addresses over temporary addresses (there should be a way to reverse this too)
8. Use the longest matching prefix - Starting from the left most bit, prefer the address that has the most bits in common with the destination address


So I suspect what's happening with my Windows box is ULAs aren't making it past step 2. In other words, Windows doesn't treat ULA as having the same scope as GUAs. However, I freely admit that this is conjecture on my part. In Linux you have the advantage of being able to look through the source code...

Where it is working I'm hitting Rule 6 - I set the destination and source prefixes/addresses to have the same label number (6 in the example above).

I also mention rule 5 because if you can use two interfaces on the server in your case and can put the ULA on one and the GUA on the other then I believe you can solve your issue with routing which will use rule 5 in your favor.


Sorry this isn't exactly what you wanted but hope it helps,
--Jim

Jim Small

Jul 23, 2012, 12:01:26 AM
to IPv6 Hackers Mailing List
Actually just noticed that Joe Davies published Understanding IPv6, 3e. BTW - I can't recommend this book highly enough, especially if you use/deal with Windows. Anyway, according to this, Ch 9 Example of Using Address Selection seems to imply that ULAs are considered different scope from GUAs pretty much confirming my speculations below. Since the IPv6 community seems to be somewhat closely knit it wouldn't surprise me to see this behavior in BSD/Linux too but you'd have to test to know for sure.

Sander Smeenk

Jul 23, 2012, 7:14:31 AM
to ipv6h...@lists.si6networks.com
Quoting Jim Small (jim....@cdw.com):

> Sorry this isn't exactly what you wanted but hope it helps,

Thanks for your elaborate post. Karl Auer <ka...@biplane.com.au> also
sent me in the right direction (offlist). Apparently if you add the two
matching source and destination addresses with the same 'label' (ip
addrlabel) the system selects the matching pair.

It appears to work, as i see traffic leaving the system from the
ULA-address, but somehow the routing borks later on in the path.
I haven't had the time to look into that yet.

Quoting Karl Auer:
| I got it working!
| When I manually added the two new rules using the ip program, it
| worked fine.
|
| sudo ip addrlabel add prefix $SRCADDR/128 label 99
| sudo ip addrlabel add prefix $DSTADDR/128 label 99

This can also be achieved by adding the labels to /etc/gai.conf and
restarting your network (ifdown/ifup) or just plain rebooting.

Thanks Karl, Jim and all others who put effort in this mystery!!
More to follow on this if i have the time.

With regards,
-Sander.
--
| The world is so full of these wonderful things,
| i'm sure we should all be as happy as kings.
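
The label pair Sander quotes from Karl, as a worked model rather than anyone's posted code: the Python below is an added example (not from any poster in this thread) that implements the RFC 3484 source selection rules Jim walks through above (rules 1, 2, 6 and 8, driven by the policy table) and shows why a /128 source and a destination prefix that share one label steer only the traffic to that destination. It runs Sander's ULA-to-VIP case and Gert's "GUA 1 for everything under 2001:608::/32, GUA 2 for everything else" case. The ULA, the VIP and the 2001:608::/32 prefix are the ones the posters give; the node's own GUA (2001:db8:0:1::10), the unrelated destination and Gert's two host addresses are constructed for the example. Two caveats that are mine rather than the thread's: the table that `ip addrlabel` edits is the one the kernel consults when it picks a source address, whereas /etc/gai.conf is read by glibc's getaddrinfo to order destinations; and once gai.conf contains any `label` line glibc drops its built-in label table, so the defaults have to be restated there next to the new pair.

```python
"""Model of RFC 3484 source address selection (rules 1, 2, 6, 8 plus the
policy table).  Added example, not code from the thread; addresses the
posters did not quote are hypothetical."""
import ipaddress

# RFC 3484 default policy table: (prefix, precedence, label).  The kernel
# keeps its own copy in the table that `ip addrlabel` edits.
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]

def label_of(addr, policy):
    """Label of the longest policy-table prefix that contains addr."""
    best_len, best_label = -1, None
    for prefix, _precedence, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_label = net.prefixlen, label
    return best_label

def scope_of(addr):
    """Simplified RFC 4291 scope: link-local and ::1 are 0x2, everything
    else (GUA and ULA alike) is global 0xe."""
    return 0x2 if addr.is_link_local or addr.is_loopback else 0xE

def common_prefix_len(a, b):
    """Leading bits the two addresses share, 0..128."""
    return 128 - (int(a) ^ int(b)).bit_length()

def prefer(sa, sb, dst, policy):
    """Whichever of sa/sb RFC 3484 prefers as source for dst.  Rules 3-5
    and 7 are skipped: every address here is static and preferred."""
    if sa == dst:                                   # rule 1: same address
        return sa
    if sb == dst:
        return sb
    sca, scb, scd = scope_of(sa), scope_of(sb), scope_of(dst)
    if sca < scb:                                   # rule 2: appropriate scope
        return sb if sca < scd else sa
    if scb < sca:
        return sa if scb < scd else sb
    la, lb, ld = (label_of(x, policy) for x in (sa, sb, dst))
    if la == ld and lb != ld:                       # rule 6: matching label
        return sa
    if lb == ld and la != ld:
        return sb
    ca, cb = common_prefix_len(sa, dst), common_prefix_len(sb, dst)
    if ca != cb:                                    # rule 8: longest match
        return sa if ca > cb else sb
    return sa                                       # tie: order unspecified

def select_source(dst, candidates, policy=DEFAULT_POLICY):
    """Fold the pairwise comparison over every candidate source."""
    dst = ipaddress.IPv6Address(dst)
    best, *rest = (ipaddress.IPv6Address(c) for c in candidates)
    for cand in rest:
        best = prefer(best, cand, dst, policy)
    return str(best)

def label_pair(policy, src, dst_prefix, label):
    """Karl's trick: one source (/128) and one destination prefix share a
    label, so rule 6 picks that source for that destination only.  Returns
    the extended table plus the `ip addrlabel` and gai.conf lines for it."""
    src_prefix = f"{src}/128"
    extended = policy + [(src_prefix, 0, label), (dst_prefix, 0, label)]
    ip_cmds = [f"ip addrlabel add prefix {p} label {label}"
               for p in (src_prefix, dst_prefix)]
    gai_lines = [f"label {p} {label}" for p in (src_prefix, dst_prefix)]
    return extended, ip_cmds, gai_lines

# Sander's case: ULA and VIP as posted; the node's GUA and the unrelated
# destination are constructed for the example.
ULA, VIP = "fded:e128:5900::1", "2001:db8::1"
NODE_GUA, ELSEWHERE = "2001:db8:0:1::10", "2001:db8:ffff::53"
STEERED, IP_CMDS, GAI_LINES = label_pair(DEFAULT_POLICY, ULA, f"{VIP}/128", 99)

def sander_before():
    """Default table: rule 8 hands the VIP to the GUA (63 shared bits vs 0)."""
    return select_source(VIP, [NODE_GUA, ULA])

def sander_after():
    """Label pair in place: ULA for the VIP, GUA for anything else."""
    return (select_source(VIP, [NODE_GUA, ULA], STEERED),
            select_source(ELSEWHERE, [NODE_GUA, ULA], STEERED))

# Gert's case: GUA 1 for 2001:608::/32, GUA 2 otherwise (host GUAs hypothetical).
GUA1, GUA2 = "2001:db8:1::1", "2001:db8:2::1"
GERT_POLICY, _, _ = label_pair(DEFAULT_POLICY, GUA1, "2001:608::/32", 98)

def gert():
    """(source for a 2001:608::/32 destination, source for anything else)"""
    return (select_source("2001:608:1::1", [GUA2, GUA1], GERT_POLICY),
            select_source("2001:db8:3::1", [GUA2, GUA1], GERT_POLICY))
```

Choosing the source address does not choose the route: if the ULA-sourced packets must leave via a different next hop, pair the labels with the same `ip -6 rule add from ... lookup N` policy routing Sander uses for IPv4, otherwise the packets carry the right source but follow the default table. `ip -6 route get 2001:db8::1` prints the `src` the kernel settled on and is the quickest check that the addrlabel pair took effect; `ip addrlabel list` shows the table it was added to.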

Tim Chown

Jul 23, 2012, 9:17:10 AM
to IPv6 Hackers Mailing List
There's an example of a config for something similar in 10.5 of http://tools.ietf.org/id/draft-ietf-6man-rfc3484bis-06.txt.

We're hoping this update to 3484 will finally be pushed out soon.

Tim

Marc Haber

Jul 24, 2012, 10:15:15 AM
to IPv6 Hackers Mailing List
On Mon, Jul 23, 2012 at 04:01:26AM +0000, Jim Small wrote:
> Actually just noticed that Joe Davies published Understanding IPv6,
> 3e. BTW - I can't recommend this book highly enough, especially if
> you use/deal with Windows.

How big is the part of the book that will be of use to somebody who
claims to be doing "nearly everything but Windows"?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 31958062