IPv6 router advertisement details / How do routers announce themselves without announcing a prefix for use?

In general I've been pretty impressed with the IPv6 "it just works" world of router advertisements etc. But I ran into a case where things didn't "just work" and I recognized that I wasn't sure how they were supposed to work... so I thought I'd ask some IPv6 experts...

Suppose you have a main network A which is an IPv6 network that has a gateway to the internet, GWA.

Now suppose you connect to this A a router, like maybe an OpenWrt router, call it OWR, and it has its own LAN B, where it sends router advertisements for a prefix... so that everything in LanB automatically configures itself, like with SLAAC or something.

Internet ----- GWA ----- LAN A ---- OWR --- LAN B

Now suppose you have a host HB on LAN B and it sends a ping to host A on LAN A.

LAN A {hostA} ---- OWR ---- LANB {<<<Ping HostB}

The router OWR receives the ping, sends it to HostA... but HostA doesn't know about OWR being the router, so it routes its response through GWA...

But GWA also doesn't know about OWR being the router unless it somehow does... like manually someone enters the info in the GWA route table, or OWR and GWA both run a routing protocol like OSPF or something.

If GWA does know about it, it will send redirects... so Host A figures out where to send its ping response...

So, how should a router like OWR make itself known to its "upstream" network that it routes for its downstream network? Is the right way OSPF or static routes? Or is there some built-in mechanism to "router advertise" that you can route for some downstream network like LAN B?

Route advertisements can be used for announcing prefixes which aren't used for SLAAC by not specifying the A flag. https://tools.ietf.org/html/rfc4861#section-4.6.2
But GWA might not accept route advertisements on the LAN interface. Usually you want to use global IPv6 addresses, which means OWR needs a prefix delegation via DHCPv6-PD if GWA has a dynamic prefix. In this case GWA will insert a route automatically.

Yes, if OWR is getting a prefix from GWA then it would make sense that GWA knows to use OWR to route that prefix. But the case I'm thinking of is where OWR is an appliance that has a VPN connection to a remote location, so it knows the prefix on the remote location and wants to provide access to that remote location for the local LAN, but it did not get its prefix from GWA. Or similar cases, perhaps without the encryption but with a peering connection of some sort.

Also, isn't there a kind of security issue here? If anyone who gets access to your network can start announcing routes, they can MITM attack all your traffic, no?

Well, here's some practical info on what actually happens.

I enabled routed prefix advertising on my Raspberry Pi 4 (using systemd) and it advertised the prefix it was using on its "LAN". My PC didn't pick up a route... so it must be ignoring it... I sent a ping to google.com, it routed the ping to the main router, the main router redirected to the Raspi, the Raspi redirected to the main router... they bounced back and forth... no IPv6 traffic could leave my network. I turned off the Raspi's prefix advertisement and restarted its network... everything returned to normal...


Ideally I'd have thought that my main router would see the prefix advertisement and then when anyone on the network tried to ping something on the RPi's LAN it would redirect to the RPi and the RPi would happily forward it... But if I tried to ping google... I certainly didn't expect the main router to reroute that to the RPi...

Turns out that I had accidentally set the main router to accept_ra=2 so that's why it was doing what it was doing... so fixed that... but now it doesn't accept the RA from the Pi at all... so the router doesn't know where to route anything... but it also doesn't take my LAN offline if someone starts advertising they're a router... so that's good :wink:

Depends on the complexity. If it is just a single path and a handful of routes, you'll go with static.
If you have multiple paths and multiple routers, then some routing protocol would seem a more reasonable choice.

Depending on the environment this might not be a good idea. At home it could work fine, but in a more strict network you don't want anyone to be able to advertise routes and the main router to blindly accept them. So I would go with explicit route declaration, static routes or dynamic routing, like I would do in IPv4.

That's correct. If you want to protect your devices against rogue IPv6 routers (or hosts) you need to use IPv6 router advertisement guard (or similar) in the switch. I don't know the best way to implement it in OpenWrt, but if you use a managed switch it may be possible to configure IPv6 router advertisement guard.
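
An added example, not part of any post in this thread: a small monitor-side check that parses a captured Router Advertisement (RFC 4861 header, Prefix Information option with its L and A flags, and the RFC 4191 Route Information option) and reports what a router outside an allowlist is announcing. The allowlist `KNOWN_ROUTERS`, the function names and the `2001:db8::` sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

KNOWN_ROUTERS = {"fe80::1"}  # assumed allowlist: link-local address of GWA

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body (RFC 4861 section 4.2)."""
    if len(icmp) < 16 or icmp[0] != 134 or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": struct.unpack_from("!H", icmp, 6)[0], "prefixes": [], "routes": []}
    off = 16  # options follow the fixed 16-byte header
    while off + 2 <= len(icmp):
        otype, size = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if size == 0 or off + size > len(icmp):
            raise ValueError("malformed option length")
        opt = icmp[off:off + size]
        if otype == 3 and size == 32:  # Prefix Information, section 4.6.2
            net = ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "on_link": bool(opt[3] & 0x80),
                                   "autonomous": bool(opt[3] & 0x40)})  # A flag
        elif otype == 24 and size in (8, 16, 24):  # Route Information, RFC 4191
            net = ipaddress.IPv6Network((opt[8:].ljust(16, b"\0"), opt[2]), strict=False)
            ra["routes"].append({"prefix": str(net),
                                 "lifetime": struct.unpack_from("!I", opt, 4)[0]})
        off += size
    return ra

def assess_ra(src: str, icmp: bytes, known=KNOWN_ROUTERS) -> list:
    """Findings for an RA whose source is not an expected router."""
    ra = parse_ra(icmp)
    if str(ipaddress.IPv6Address(src)) in known:
        return []
    out = [f"RA from unlisted router {src}"]
    if ra["router_lifetime"] > 0:
        out.append("unlisted router claims to be a default router")
    out += [f"unlisted router offers SLAAC prefix {p['prefix']}"
            for p in ra["prefixes"] if p["autonomous"]]
    out += [f"unlisted router advertises route {r['prefix']}" for r in ra["routes"]]
    return out

def build_sample_ra(router_lifetime: int = 0) -> bytes:
    """Constructed RA (checksum left 0): on-link prefix without A, plus one route."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0x80, 3600, 1800, 0)
    pio += ipaddress.IPv6Address("2001:db8:b::").packed
    rio = struct.pack("!BBBBI", 24, 2, 48, 0, 600)
    rio += ipaddress.IPv6Address("2001:db8:c::").packed[:8]
    return hdr + pio + rio
```

The checksum is not verified here, so the input is expected to come from a capture the kernel already accepted; a router lifetime of 0 together with a Route Information option is how a router says "send me this prefix, but I am not your default gateway".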