Archive for January, 2014

IPv6 – dealing with unwanted SLAAC addresses on servers

Are your servers getting SLAAC addresses in addition to the addresses you are manually configuring? If so, read on…

You need to find and turn off the “A” bit in the Prefix Information option of your Router Advertisement packets. The “A” bit is on by default on most network routers, and the documentation that describes the interactions between the “M”, “O” and “A” bits is scattered across at least a half dozen RFCs.

When we first set up our IPv6 lab, we went through several phases. Initially we just did client subnets and hosts and let all the stations auto-configure (SLAAC). This all happened “magically” with the default behavior of all the operating systems and network gear we tested.

Then we split the clients and servers onto separate subnets. When we did the split we added a DHCPv6 server and turned ON the M and O bits for the client subnets. For the server subnets, we turned OFF the M and O bits and statically configured the IPv6 (and IPv4) addresses.

The client hosts did everything exactly as expected, gathering IPv6 addresses and other options, exactly as they would have using DHCP and IPv4.

But we never could quite get the servers to stop creating and configuring SLAAC addresses, whether the M and O bits were turned ON or OFF on their subnets. After making sure that we did NOT have DHCPv6 clients configured on these servers, we tested all four M/O combinations with nearly identical results.

In other words, each server would always end up with three IPv6 addresses:

  1. a globally unique (global scoped) static assigned address, the one we configured at boot time
  2. a globally unique (global scoped) SLAAC address, usually based on its MAC address
  3. the usual and expected link-local address (fe80::)

So, what else was going on? Most of the documentation we found (especially RFCs) described these two bits in excruciating and often contradictory detail! Take a look at RFC 4861 for the format of the Router Advertisement, and you’ll see the M and O bits right there in section 4.2. If there were other option bits that might control this, shouldn’t they be shown here?

By the way, the M and O bits are always OFF by default on all the networking gear we’ve seen so far (Cisco, Juniper and HP).

4.2. Router Advertisement Message Format

   Routers send out Router Advertisement messages periodically, or in
   response to Router Solicitations.

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |     Code      |          Checksum             |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     | Cur Hop Limit |M|O|  Reserved |       Router Lifetime         |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                         Reachable Time                        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                          Retrans Timer                        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |   Options ...
     +-+-+-+-+-+-+-+-+-+-+-+-

But in all four combinations of the M and O bits, and IF you aren’t running a DHCPv6 client, you get a SLAAC address in addition to the address you statically (manually) configure. How do you turn off “auto conf” if it isn’t controlled by the flags in the Router Advertisement header?

It turns out that there are actually three bits in the RA that control host configuration, not two, and so there are 8 possible cases of M, O and “A”, not four. So where is this mysterious “A” bit hiding?

The “A” bit is “hidden” in a Router Advertisement option (“Prefix Information”), which is described in section 4.6.2, about 10 pages farther along in the RFC. This option’s purpose is to tell you the prefix (and its length) that’s available on the current subnet, but it also carries the “A” flag, which controls whether or not a station on that subnet should do SLAAC. And unlike M and O, A seems to always be set ON by default.

4.6.2. Prefix Information

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     | Prefix Length |L|A| Reserved1 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Valid Lifetime                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Preferred Lifetime                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                           Reserved2                           |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      +                                                               +
      |                                                               |
      +                            Prefix                             +
      |                                                               |
      +                                                               +
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Fields:

      Type           3

      Length         4

      Prefix Length  8-bit unsigned integer.  The number of leading bits
                     in the Prefix that are valid.  The value ranges
                     from 0 to 128.  The prefix length field provides
                     necessary information for on-link determination
                     (when combined with the L flag in the prefix
                     information option).  It also assists with address
                     autoconfiguration as specified in [ADDRCONF], for
                     which there may be more restrictions on the prefix
                     length.

      L              1-bit on-link flag.  When set, indicates that this
                     prefix can be used for on-link determination.  When
                     not set the advertisement makes no statement about
                     on-link or off-link properties of the prefix.  In
                     other words, if the L flag is not set a host MUST
                     NOT conclude that an address derived from the
                     prefix is off-link.  That is, it MUST NOT update a
                     previous indication that the address is on-link.

      A              1-bit autonomous address-configuration flag.  When
                     set indicates that this prefix can be used for
                     stateless address configuration as specified in
                     [ADDRCONF].

So, that’s where the mysterious server SLAAC addresses come from. They are caused by the default-on “A” bit in the Prefix Information option of the Router Advertisement. Clear this A bit on your server subnets, and you’ll get only the IPv6 addresses that you configure, and no more SLAAC addresses as an extra bonus.
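To make the three flags concrete, here is an added example (written for this page, not code from the original post) that parses the ICMPv6 payload of a Router Advertisement exactly as laid out in sections 4.2 and 4.6.2 above: M and O from the RA header, then L and A from each Prefix Information option. It then lists the prefixes a host would use for SLAAC. Both packets it parses are constructed inline with the documentation prefix 2001:db8:1::/64; the function names (parse_router_advertisement, slaac_prefixes, build_ra) are this example’s own. The ICMPv6 checksum is not verified, since that needs the IPv6 pseudo-header, which this snippet does not carry.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 type of a Router Advertisement (RFC 4861, 4.2)
OPT_PREFIX_INFORMATION = 3          # option type of Prefix Information (RFC 4861, 4.6.2)
OPT_MTU = 5                         # MTU option, included only so the parser has something to skip

RA_FLAG_M = 0x80                    # "Managed address configuration" bit in the RA header
RA_FLAG_O = 0x40                    # "Other configuration" bit in the RA header
PIO_FLAG_L = 0x80                   # on-link flag in the Prefix Information option
PIO_FLAG_A = 0x40                   # autonomous address-configuration flag (the hidden "A" bit)


def parse_router_advertisement(pkt: bytes) -> dict:
    """Parse an RA's ICMPv6 payload and its Prefix Information options.

    Returns the header flags plus one entry per prefix option. Truncated or
    zero-length options raise ValueError (RFC 4861, 4.6 says hosts discard them).
    The checksum field is read but not verified (see lead-in).
    """
    if len(pkt) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    (icmp_type, _code, _checksum, hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", pkt[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"ICMPv6 type {icmp_type} is not a Router Advertisement")

    ra = {
        "cur_hop_limit": hop_limit,
        "M": bool(flags & RA_FLAG_M),
        "O": bool(flags & RA_FLAG_O),
        "router_lifetime": router_lifetime,
        "prefixes": [],
    }

    off = 16
    while off < len(pkt):
        if len(pkt) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = pkt[off], pkt[off + 1]   # length is in units of 8 octets
        if opt_len == 0:
            raise ValueError("zero-length option")
        opt_end = off + opt_len * 8
        if opt_end > len(pkt):
            raise ValueError("option runs past the end of the packet")
        if opt_type == OPT_PREFIX_INFORMATION:
            if opt_len != 4:
                raise ValueError("Prefix Information option must be 32 octets")
            plen, pflags, valid, preferred = struct.unpack("!BBII", pkt[off + 2:off + 12])
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "L": bool(pflags & PIO_FLAG_L),
                "A": bool(pflags & PIO_FLAG_A),
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        # any other option (MTU, source link-layer address, ...) is skipped
        off = opt_end
    return ra


def slaac_prefixes(ra: dict) -> list:
    """Prefixes a host would autoconfigure from: A set, non-zero valid lifetime,
    and a /64 so that a 64-bit interface identifier fits (RFC 4862, 5.5.3)."""
    return [p["prefix"] for p in ra["prefixes"]
            if p["A"] and p["valid_lifetime"] > 0 and p["prefix"].endswith("/64")]


def build_ra(m: bool, o: bool, prefix: str, plen: int, a: bool, l: bool = True) -> bytes:
    """Construct a sample RA payload: fixed header, an MTU option, one Prefix Information option."""
    flags = (RA_FLAG_M if m else 0) | (RA_FLAG_O if o else 0)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    mtu_opt = struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    pflags = (PIO_FLAG_L if l else 0) | (PIO_FLAG_A if a else 0)
    pio = (struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, plen, pflags, 2592000, 604800, 0)
           + ipaddress.IPv6Address(prefix).packed)
    return header + mtu_opt + pio


# Constructed samples: the "server subnet" RA as most routers send it by default
# (M and O off, A still on), and the same RA with A cleared.
DEFAULT_SERVER_RA = build_ra(m=False, o=False, prefix="2001:db8:1::", plen=64, a=True)
FIXED_SERVER_RA = build_ra(m=False, o=False, prefix="2001:db8:1::", plen=64, a=False)

if __name__ == "__main__":
    for name, pkt in (("default", DEFAULT_SERVER_RA), ("A cleared", FIXED_SERVER_RA)):
        ra = parse_router_advertisement(pkt)
        print(name, "M =", ra["M"], "O =", ra["O"],
              "prefix flags =", [(p["prefix"], p["L"], p["A"]) for p in ra["prefixes"]],
              "SLAAC from:", slaac_prefixes(ra))
```

Running it shows the point of the post: with M and O both off, the default RA still yields `2001:db8:1::/64` as a SLAAC prefix, and only the packet with A cleared yields none. On the host side, Linux lets you confirm the effect independently of the router with the `net.ipv6.conf.<interface>.autoconf` sysctl, which controls whether the kernel honours the A flag at all.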

After I figured out what was going on, I also found these web pages which each shed some light on the situation:



Beer adventures

My #craftbeer challenge for last year was “never drink the same beer twice”. Even here in San Diego, that wasn’t quite possible. But I tried.

I ended up with “never the same beer twice in a row”, at least.

San Diego is arguably the (a?) craft brew capital of the US. It’s the epicenter of a movement that combines old-world craftsmanship, tradition, experimentation, sustainability and “slow” (locally sourced) food. There are lots of beer choices here, but unless you are willing to visit all (150+) of the local breweries, brewpubs and beer bars, you are just going to have to repeat once in a while.

As part of our “beer tourism” last year, we also visited Denver, San Francisco, Las Vegas, Santa Monica, Tucson, Seattle, Liverpool, London, Amsterdam and Tokyo. Not that we picked the locations because of the beer, but as long as we were there, we figured we might as well check out the local craft brew scene 🙂

Craft beer is now big business, $34 billion industry (US), and $4.7 billion in California alone. That’s why the “corporate yellow fizzy water” companies are trying to convince you that they “are craft”. Really, Budweiser? Really, MillerCoors? This new “we’re small and cool and don’t suck even though our beer has for decades” marketing from the big companies has been labeled “craftwashing” by some, such as Greg Koch of Stone Brewing.

Without further ado, my stats for 2013 from untappd.com

335 beers total, 298 uniques, and 103 badges.

Fortunately, at least 20% of those brews were the 4 oz taster size! Otherwise that would have been 41 gallons (158 liters) of cool frosty beverage! That’s about twice the US average per capita. I probably would have sprained my liver.


Do I read too much?

Last year I read 92 books, for a total of 34054 pages. That’s almost as many pages as there are words in a typical novel.

That’s primarily fiction, lots of SF and a little urban fantasy. There’s some non-fiction in there, diving physiology, cryptography and math, etc. That doesn’t count online reading, web pages, training materials, or papers or documents that I wrote.

Apparently I need to read less and write more.

Tomorrow, my untappd stats for 2013 😦
