PD broken in v4.3.2? prefix6 start prefix is outside the subnet

Jim Pingle lists at pingle.org
Wed Jul 15 22:01:09 UTC 2015 

[Apologies for breaking threading]
On Wed Jul 15, 2015 at 12:23 PM EDT 2015, Chris Buechler cmb at
pfsense.org wrote:
> On Wed, Jul 15, 2015 at 3:59 AM, Christian Kratzer <ck-lists at cksoft.de> wrote:
>>
>> a couple of quick points on this:
>>
>> 1. this would require one to enlargeng the access network to emcompass
>> the whole pool of prefixes one wishes to delegate. This would definetely
>> be considered a broken design.
>>
> 
> Yes, especially considering there's no reason the PD subnet needs to
> be even close to the interface's subnet. As things stand now after
> that change, in some circumstances you'd need a subnet6 2000::/3 or
> close to it for PD to work.

I concur, the relationship implied by the new check is an invalid
assumption. The subnet and the prefix for delegation need not be related
at all, so the check should be removed.

In a common example, consider this:

A tunnel from Hurricane Electric with a /64 for the "LAN" and a routed
/48. The downstream devices get an address inside of the "LAN" /64 and
are delegated a block out of the /48 for their own use. Routes are added
dynamically for the delegated blocks. This scenario worked perfectly on
previous versions but broke after the last release.

>> 2. Just having the network large enough would still only route towards
>> the net.  This would not help with getting the ultimate next hop for the
>> assigned prefix resolved.
>>
>> 3. ipv6 relay agents on routers that support PD sniff the traffic and
>> transparently add the route to the delegated prefix to the correct next hop.
>>
>> Such a change would definetely be broken and would have to be backed out.
>>
> 
> Yes, agree.

There is also a related check of the prefix size against the subnet
("network mask smaller than subnet mask"), which becomes irrelevant with
the other check removed. Since the prefix is unrelated to the subnet, it
does not matter if the mask is smaller. It's quite common to delegate
/60 chunks to clients even when the "LAN" (in the above example) is /64.

Jim

More information about the dhcp-users mailing list