Ip6hint not applied to all prefixes

hmof · November 21, 2018, 1:49am

I have two LAN interfaces defined. I want both to have separate IPv6 subnets. I have a /56 from my ISP, and a /48 ULA address generated by OpenWRT.

I have set ip6hint on both the LAN interfaces, but it only seems to be being applied on the ULA addresses. The delegated ISP addresses are getting automatically assigned prefixes.

My config is:

config globals 'globals'
	option ula_prefix 'fd5d:61f5:a84a::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'lan0 lan1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.42.1'
	option ip6assign '64'
	option ip6hint '1000'

config interface 'iotlan'
	option type 'bridge'
	option proto 'static'
	option ifname 'lan0.666 lan1.666'
	option ipaddr '192.168.66.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '6666'

but the resulting addresses on 'lan' are fd5d:61f5:a84a:1000::1/64 (the ULA) (good) and <isp_prefix>:101::1/64 (bad). Why is this not also assigned the 1000 prefix?

The same occurs on the other interface, which gets a prefix of 101.

Here is the full ip -6 addr show output:

104: br-iotlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 <isp_prefix>:100:1/64 scope global dynamic 
       valid_lft 3881sec preferred_lft 2881sec
    inet6 fd5d:61f5:a84a:6666::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::f2ad:4eff:fe06:24db/64 scope link 
       valid_lft forever preferred_lft forever
107: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 <isp_prefix>:101::1/64 scope global dynamic 
       valid_lft 3881sec preferred_lft 2881sec
    inet6 fd5d:61f5:a84a:1000::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::f2ad:4eff:fe06:24db/64 scope link 
       valid_lft forever preferred_lft forever

thanks
Hamish

jow · November 21, 2018, 10:32am

Well is your ISP upstream prefix large enough to begin with? If its a /56 it can only fit 256 x /64 prefixes (...:0::/64 .. ...:100::/64), 1000 is well out of range there.

hmof · November 21, 2018, 10:08pm

Of course, that was the reason. Thanks.

Is there any reason to use /64 for the LAN prefixes, which seems to be the default? It's very large.

jeff · November 21, 2018, 10:21pm

A /64 is the "standard" equivalent of a "Class C" subnet for IPv6. Many consider the dense packing of IPv4 subnets to be a security risk. The large space in an IPv6 /64 not only reduces that risk, but makes things like self-selecting a link-local address without significant risk of collision a lot easier.

Even with 64 of the 128 bits allocated in a /64, there's still more than enough to go around -- 2^64 > 10^19

system · December 1, 2018, 10:22pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.