Clarifying IPv6 LuCI terminology: NDP-Proxy, ULA-Prefix, server mode, relay mode, hybrid mode

Hello,

I've had a hard time configuring IPv6 on my router because the words used to describe the settings in LuCI don't seem to be documented anywhere.

I think I have it figured out now, and I would like to help add this information to the wiki, however I am not a networking expert and would like to discuss my edits before I make them, to avoid spreading disinformation. So here is what I got:

Native IPv6 can be autoconfigured in three ways: SLAAC or DHCPv6 or both.

SLAAC is "relay mode" in the interface and uses a collection of ICMPv6 messages to detect the layout of the network and autoconfigure routing accordingly. NDP (Neighbor Discovery Protocol) is a subset of ICMPv6 messages and RA (Router Advertisement) messages represent a subset of NDP.

RA is commonly used in native IPv6 networks to properly configure default gateways. If the setting "NDP-Proxy" is set to "disabled" the router will filter ICMPv6 messages and SLAAC will not function, most notably without RAs the configured default gateway may not be recognized as a gateway and traffic to it will not work.

In SLAAC, IP addresses to client devices are automatically allocated from the "routed prefix" aka the subnet for your client devices assigned to you by your ISP.

DHCPv6 is "server mode" in the interface and uses a DHCPv6 server running on the router, to assign IP addresses and configure DNS settings. DCHPv6 does not configure routing. DHCPv6 is recommended for environments where more control over the network is required (aka corporate networks).

"Hybrid mode" obviously represents a combination of "server mode" and "relay mode".

The setting "IPv6 ULA-Prefix" in the LuCI Interfaces screen represents a subnet of local addresses that are used for private networking in the same manner as "192.168.x.x" is in IPv4. To be compliant with the protocol, the prefix must be set to a subnet within "fc00::/7" aka "fc__:" and "fd__:", though the standard recommends that you use "fd__:" with a "/48" size subnet. The other numbers in the address are random.

The address and gateway in this "ULA-Prefix" range will be added alongside to your IPv6 settings (on the router and the client devices in the "Global" scope), but will not interfere with the public IPv6 address routing. The assignment of these addresses is required by the protocol.

If you have a static IPv6 address, select "Static address" as the Protocol in the WAN6 interface, then skip the IPv4 settings and only enter the IPv6 address, gateway and routed prefix.

When entering the address, also enter the subnet size at the end of it (for example "/126"). This is the network between the WAN side of your router and the default gateway, also sometimes referred to a "connecting segment". On some networking devices (Mikrotik) the connecting segment address must be entered, but OpenWRT calculates it from the address and subnet automatically.

The gateway is entered as-is without a subnet size.

The routed prefix is provided by your ISP and contains both the prefix itself and the subnet size. This is the subnet that contains your client devices behind your router.

I think this is all that is needed. I was thinking of adding this to the current IPv6 page, which currently mainly contains outdated information on using IPv6 on OpenWRT with a tunnel provider.

LP,
Jure

sounds wrong.

Relay mode is for the (supposedly rare) cases, where the ISP does not give out more than a /64 prefix, so that the same prefix needs to be used for both wan and lan.

EDIT:
relaying is explaining pretty ok in the current wiki:

OpenWrt Wiki – 30 Oct 16

Can you give some example of this so that I have any idea what you're talking about?

The documentation you link has no information on anything present in the LuCI interface for IPv6. No offence but I don't see how a section of documentation can be "pretty good" when it only contains a sample config file with no context and no explanation on what the settings are even supposed to do or in what circumstances do they work.

I'm sure those settings worked in your case but they are absolutely meaningless to me as my ISP uses a different IPv6 setup and those settings do not work for me.

Not quite sure what you mean.
The options for IPv6 addressing in downstream LAN use pretty much the same terminology in LuCI (master, relay), as in wiki.

image967×579 18.9 KB

For upstream WAN side, the earlier part of the wiki page is relevant.

Very obvious that the same words are not used, therefore making it impossible for someone who is not familiar with this to make the connection and understand what settings are presumed to be defaults if they are not mentioned in the config files.

I doubt you can even arrive here searching for things like "NDP-Proxy" in Google.

It seems my experience with SLAAC requiring relay mode is connected to either some kind of misconfiguration at my ISP, or OpenWRT not processing RA messages correctly when WAN6 is set to a static IP. In any event I will send corrections, when I get a better understanding of this.

I also don't understand what you mean, and I fear that "corrections" may cause a misunderstanding.

Screenshot%20from%202018-08-19%2011-06-20756×414 19 KB

This is my config. By your first post, my IPv6 shouldn't work; but it does.

DHCPv6...since it's off in my case, I'll do a quick rundown. @hnyman has alread best explaind what Relay means.

You obviously see dropdowns appear in server and hybrid mode.

• Stateful is what most people understand as similar to DHCP(v4), with sequential numbering of hosts, etc.
• Stateless uses a pool, but it lacks things like lease times, requesting previous IP, etc.

NDP-Proxy: again, if you are traversing to the upstream network, this becomes necessary.

Actually, my device is doing SLAAC.

From: https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_(SLAAC)

IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.

Hence, you see my Router Advertisement server enabled in server mode.

By the way, this config works for IPv6 on Android devices (which do not have a fully operational DHCPv6 client).

EDIT: I should note, I don't have "native" IPv6." I really just think people are misconfiguring their native-WAN6/Tunnels, and their LANs. I highly suggest this for anyone who thinks IPv6 is a Horizontal Learning Experience compared to IPv4:

https://ipv6.he.net/certification/

ULAs are site-based. In OpenWrt, it appear a random ULA is generated upon first boot. Should you continue to use this ULA "site address," these substitute for Link Local addresses as another LAN addresses that may be used. In addition, they can be routed within ORGANIZATIONS IN YOUR NETWORK CONTROL. They are analogous to IPv4 Private addresses.

Sorry, but the wiki isn't really clear on what that does. So in relay mode the router suddenly bridges both interfaces? No, seems like NDP proxy is also needed. And what is the "target router" (in the wiki). It became much clearer for me after reading this (though it's using old radvd):

Actually a delegated /64 prefix should be enough for one LAN since you really don't need to global IPv6 address on the WAN interface. Linux will use a global IPv6 address from another interface if the WAN interface doesn't have one. But if the /64 prefix isn't delegated but is on-link then if won't work without a relay. Of course the best current practice is to use a much larger prefix (/56).

Not sure what you're even asking here.

If I understand you...I agree.

Nonetheless, I'm not even sure you're describing the function of a DHCP Relay. See:

and

Which ISP would do that? That makes no sense at all and will break SLAAC, because you have to enable NDP proxying for every address. My ISP delegates a /64 to my router, the WAN itself has a /128 which isn't really needed as you stated correctly before.

Maybe not. I am more complaining about the description in the wiki. If it made clear what does what it would be much easier to understand.

I have read it's common in Japan. Which is unfortunate for the customers.

Weird. No SLAAC means no IPv6 on Android phones.

I agree the vocabulary used in the UI is very confusing. Adding some explanation would be of a lot of value. For me was the first time ever I heard "relay mode" and the only thing I could do is google it up and come to this thread.

I'm quite certain a or a mouse-over tooltip can be added to the LuCI GUI, or between the fields.

Is there consensus on what a good short and concise explanation is for what each is, who needs them, and when they should leave them alone?

Hi! I have this - can anyone help explain how NDP Proxy hybrid mode differs? ( Whoever said this is well documented is hallucinating )

Once that's done, I can add this as help fields to LuCI under DHCP-> IPv6 and make a PR.

Router-Advertisement Service:  RA is a subset of NDP. NDP is a subset of ICMPv6.

disabled:    RA is off
server mode: RA is on; Router advertises itself as the default IPv6 gateway to downstream devices, sends RA messages (ICMPv6 type 134, to ff02::1) to LAN, and provides PD (Prefix Delegation) to downstream devices. 
relay mode:  Router relays RA from upstream, and extends upstream (WAN) interface config and prefix to downstream (LAN) interfaces.
hybrid mode: Router does both server+relay; extends upstream config and prefix downstream, and uses PD (Prefix Delegation) locally. 

DHCPv6 Service:

disabled:     No DHCPv6 runs.
server mode:  DHCPv6 runs and router assigns addresses to downstream devices and delegates prefixes (PD) to downstream interfaces.
relay mode:   Router relays WAN interface config downstream. Helps to support uplinks without Prefix Delegation (PD).
hybrid mode:  Router does combination of server+relay.

NDP Proxy:   Neighbour Discovery Protocol Proxy - reverts to disabled internally if there are no interfaces with boolean 'ndproxy_slave' set to 1. Think of NDP Proxy as Proxy ARP for IPv6: unify hosts on different physical hardware segments into the same IP subnet. Consists of NS (Solicit) and NA (Advertisement) messages. NDP listens for NS on an interface marked with boolean 'master' as 1 (i.e. upstream), then queries the slave/internal interfaces for that target IP before finally sending an NA message. NDP is effectively ARP for IPv6. NS and NA detect reachability and duplicate addresses on a link, themselves also a prerequisite for SLAAC autoconfig. 

disabled:    No NDP messages are proxied through to 'ndproxy_slave' true interfaces.
relay mode:  Proxies NDP messages from master to 'ndproxy_slave' true interfaces. Helps to support provider links without Prefix Delegation (PD), and to firewall proxied hosts.
hybrid mode: Relay mode is disabled unless the interface is a master interface, i.e. its boolean 'master' is 1.

DHCPv6 Mode:

stateless: Prefix is advertised and host uses SLAAC (a host assigns its own address) - Stateless Address Auto Config. No DHCPv6.
stateless + stateful: SLAAC. In addition, router assigns an IPv6 address to a host via DHCPv6.
stateful-only:  No SLAAC. Router assigns an IPv6 address to a host via DHCPv6. 

As i understood the ndp proxy setting covers only the NS and NA messages. That would mean that RA messages still get forwarded. So SLAAC should still works.
i tested ist (set RA to relay, dhcpv6 to disabled and ndp proxy to disabled) and the downstream clients still able to build a global ip6-address per SLAAC.

Ok - good. Still leaves hybrid mode as a mystery though.

8 posts were split to a new topic: How to configure PPPoE without PD prefix, only a /64

See the PR for final strings.