zonena.me

Moving to Native IPv6 with DHCPv6-PD

For the past ten years I’ve been using Hurricane Electric’s Tunnel Broker service to get IPv6 transit at home long before it was available from my ISP (Cox Communications).

Today, I bit the bullet and switched to native IPv6 from my ISP. While Hurricane Electric has been fantastic, it’s not a perfect solution for most residential users. Being a tunnel, you’re forced to have a lower MTU than you’d otherwise have, and streaming video providers have a propensity to block tunnels as “VPNs”.

But I have multiple networks at home (in part due to running Triton), so a single /64 was never going to work for me. When I learned recently that DHCPv6-PD (Prefix Delegation) clients can request longer prefixes I was motivated to try it. I have Ubiquiti UniFi network equipment at home, so I’ll describe the specific configuration, but the general idea should work for any router that properly supports DHCPv6-PD.

Because I already had IPv6 transit that I was relying on, I wanted to take it slowly to not break anything in the process, especially since I couldn’t really find anybody who had gone through the process and documented it well. Neither Ubiquiti nor Cox have helpful documentation in this area.

The first thing to know is that to get a shorter prefix you need to supply a “PD hint”. UniFi, thankfully, just calls this the Prefix Delegation Size.

WAN Config

This is the prefix length that you want. I wasn’t quite sure what to put here at first. It defaults to 64, but after enabling it I couldn’t see anything different anywhere. Looking directly on my USG didn’t really help either because the assigned prefix doesn’t go into config and due to my existing IPv6 settings anything different just wasn’t immediately obvious.

I initially tried both 48 (my existing allocation from HE.net) and 52 (enough prefixes for all 4096 VLAN IDs). Neither of those seemed to do anything. To see if it was even working, I decided to tcpdump it. DHCPv6 uses UDP ports 546 and 547. So I ssh’d over to my USG, and because tcpdump isn’t in the PATH I ran

/usr/sbin/tcpdump -i eth0 udp port 546 or port 547

So next I put in 56, and suddenly I saw the output I was looking for (line breaks added for readability).

11:06:10.338366 IP6
(class 0xe0, hlim 255, next-header UDP (17) payload length: 173)
fe80::2e86:d2ff:fe89:b019.547 > fe80::e263:daff:fe21:f971.546:
[udp sum ok] dhcp6 advertise
(
  xid=1b40e4
  (client-ID hwaddr/time type 1 time 473386509 e063da21f971)
  (server-ID hwaddr/time type 1 time 1430756204 c81f66e5519b)
  (DNS-server 2001:578:3f::20 2001:578:3f:1::20)
  (
    IA_NA IAID:0 T1:43200 T2:69120
    (IA_ADDR 2600:8801:ff00:600:6df1:830e:204d:83b9 pltime:86400 vltime:86400)
  )
  (
    IA_PD IAID:0 T1:43200 T2:69120
    (IA_PD-prefix 2600:8801:8606:8500::/56 pltime:86400 vltime:86400)
  )
)

Now I knew not only that it was working, but what my prefix was. The next step was to configure my local networks. This was fairly straightforward, but correctly configuring it was not immediately obvious. The important bit is first (obviously) enabling IPv6 with Prefix Delegation. The other important setting is the Prefix ID.

LAN Config

This value gets appended to your prefix. I like having the v6 subnet and VLAN ID match, so since this VLAN is 172, I first tried setting 172, which returned an error that this was too large for my delegated prefix. Realizing this must be a hex value, I put in ac (because 172 == 0xAC), and it took that.

A few minutes later once the config had been provisioned to my USG, I could see the configured interface.

admin@Mist:~$ ip -6 addr show eth1.172
10: eth1.172@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet6 2600:8801:8606:85ac:e263:daff:fe21:f972/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::e263:daff:fe21:f972/64 scope link
       valid_lft forever preferred_lft forever

Perfect.

At this point I knew everything would work. Configuring the rest of my networks and updating my firewall rules to the new prefix took only a few minutes.

Conclusion

All things considered, this was very easy, and now I can remove all those black hole routes for Netflix. The things I didn’t know beforehand that would have made it easier are:

  1. The Prefix Delegation Size (sometimes called the pd-hint) is the desired prefix length. The default for most ISPs will be /64. I successfully received a /56. YMMV.

  2. The IPv6 Prefix ID is a hex value that gets appended to your prefix to create a /64 for that vlan/network.

    • A /60 is a single hex digit, 0-f
    • A /56 is 00-ff
    • A /52 is 000-fff
    • A /48 is 0000-ffff
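
The Prefix ID arithmetic above can be checked before touching the router or rewriting firewall rules. The following is an added example, not part of the original post and not UniFi's own code; the function names are hypothetical, and the sample line is copied from the advertise shown earlier.

```python
import ipaddress
import re

# Constructed sample: the IA_PD option line from the DHCPv6 advertise above.
SAMPLE_ADVERTISE = "(IA_PD-prefix 2600:8801:8606:8500::/56 pltime:86400 vltime:86400)"


def delegated_prefix(tcpdump_text):
    """Pull the delegated prefix out of tcpdump's decoded IA_PD option."""
    m = re.search(r"IA_PD-prefix\s+(\S+)", tcpdump_text)
    if m is None:
        raise ValueError("no IA_PD-prefix option found in the capture")
    return ipaddress.IPv6Network(m.group(1))


def lan_subnet(prefix, prefix_id_hex):
    """Return the /64 produced by appending a hex Prefix ID to the prefix."""
    if prefix.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a /64 LAN")
    id_bits = 64 - prefix.prefixlen        # /56 -> 8 bits, /48 -> 16 bits
    prefix_id = int(prefix_id_hex, 16)     # the field is hex: "172" means 0x172
    if prefix_id >= 1 << id_bits:
        raise ValueError(
            f"prefix ID {prefix_id_hex!r} does not fit in {id_bits} bits")
    # The Prefix ID occupies the bits directly above the 64-bit interface ID.
    base = int(prefix.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def prefix_id_range(prefix):
    """Lowest and highest usable Prefix ID, zero-padded as in the list above."""
    id_bits = 64 - prefix.prefixlen
    width = max(1, (id_bits + 3) // 4)     # hex digits needed for id_bits
    return f"{0:0{width}x}", f"{(1 << id_bits) - 1:0{width}x}"


if __name__ == "__main__":
    pd = delegated_prefix(SAMPLE_ADVERTISE)
    print("delegated:", pd, "prefix IDs:", "-".join(prefix_id_range(pd)))
    print("vlan 172 :", lan_subnet(pd, "ac"))
    try:
        lan_subnet(pd, "172")              # decimal VLAN ID typed into a hex field
    except ValueError as err:
        print("rejected :", err)
```

The computed /64 is the value to use when updating per-VLAN firewall rules after the prefix changes.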