Discussion:
[c-nsp] Assigning a static IPv6 address to a PPP session
Victor Lyapunov
2010-03-14 21:55:00 UTC
Hello all

I am trying to test IPv6 configuration for PPPoE / DHCP-PD
termination. I have trouble assigning a "static" /128 IPv6 address
through radius.

I use the following simple config for the LNS

interface Virtual-Template100
 ip unnumbered Loopback4
 no ipv6 nd prefix framed-ipv6-prefix
 ipv6 enable
 ipv6 nd other-config-flag
 no ipv6 nd ra suppress
 ipv6 dhcp server LAN
 peer default ip address pool v4_POOL
 peer default ipv6 pool PPPOE
 ppp authentication chap
 ppp ipcp dns 10.0.1.1

ipv6 local pool PPPOE 2001:100::/64 128 shared
ipv6 local pool LAN 2001:200::/48 64

Using the Radius-Attribute Cisco-AVPair = "ipv6:prefix#1=2001:1::/64 0
0 onlink autoconfig" the router can statically define the prefix
assigned through the DHCP-PD to the CPE

I cannot find the appropriate Radius-Attribute for statically defining
the IPv6 address for the CPE's PPP interface.

Does anyone know how to define through radius the IPv6 address that
can be assigned to a PPP user?

Thanx for your help
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Gert Doering
2010-03-14 22:40:58 UTC
Hi,
Post by Victor Lyapunov
Does anyone know how to define through radius the IPv6 address that
can be assigned to a PPP user?
There is no IPv6 address assignment on PPP links. IPv6CP just has no
mechanism for that (it only negotiates interface IDs, to ensure uniqueness).

What you can do is to put a /64 on the PPP link and have the CPE do
stateless autoconfiguration - or do DHCP PD of a /56 and have the CPE
pick a /64 from there for its WAN side.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
Bjørn Mork
2010-03-15 17:30:42 UTC
Post by Victor Lyapunov
Using the Radius-Attribute Cisco-AVPair = "ipv6:prefix#1=2001:1::/64 0
0 onlink autoconfig" the router can statically define the prefix
assigned through the DHCP-PD to the CPE
I cannot find the appropriate Radius-Attribute for statically defining
the IPv6 address for the CPE's PPP interface.
Does anyone know how to define through radius the IPv6 address that
can be assigned to a PPP user?
We are using Framed-IPv6-Prefix + Framed-Interface-Id (RFC 3162) to
achieve this with Juniper ERXes. The Framed-Interface-Id is used by
IPV6CP and Framed-IPv6-Prefix is used by SLAAC. Together they force a
full /128 static address on the ppp-interface.

I assume something similar is possible with Cisco boxes.


Bjørn

Gert Doering
2010-03-15 18:19:14 UTC
Hi,
Post by Bjørn Mork
Post by Victor Lyapunov
I cannot find the appropriate Radius-Attribute for statically defining
the IPv6 address for the CPE's PPP interface.
[..]
Post by Bjørn Mork
We are using Framed-IPv6-Prefix + Framed-Interface-Id (RFC 3162) to
achieve this with Juniper ERXes. The Framed-Interface-Id is used by
IPV6CP and Framed-IPv6-Prefix is used by SLAAC. Together they force a
full /128 static address on the ppp-interface.
Does Framed-Interface-ID configure the *client* side via IPv6CP?

Now that's interesting indeed.

(I'm not sure we would use something else than "::1" there, to ensure
the CPE has a well-known and pingable address, but it's definitely
a nice tool).

gert
Bjørn Mork
2010-03-15 19:02:01 UTC
Post by Gert Doering
Does Framed-Interface-ID configure the *client* side via IPv6CP?
Now that's interesting indeed.
(I'm not sure we would use something else than "::1" there, to ensure
the CPE has a well-known and pingable address, but it's definitely
a nice tool).
Yes. With this RADIUS account (the prefix is statically configured in
this case):

***@ipv6.online.no Cleartext-Password := verysecret
        Framed-Interface-Id := 0:0:0:c


I get this on the client side:


ipv6-pppoe-1:~# pppd nodetach debug noip call ipv6-1
Serial connection established.
using channel 2
Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
sent [LCP ConfReq id=0x1 <magic 0xea58b813> <pcomp>]
rcvd [LCP ConfReq id=0xb2 <mru 1492> <auth pap> <magic 0x442c1e2>]
sent [LCP ConfAck id=0xb2 <mru 1492> <auth pap> <magic 0x442c1e2>]
rcvd [LCP ConfAck id=0x1 <magic 0xea58b813> <pcomp>]
sent [LCP EchoReq id=0x0 magic=0xea58b813]
sent [PAP AuthReq id=0x1 user="***@ipv6.online.no" password=<hidden>]
rcvd [LCP EchoRep id=0x0 magic=0x442c1e2]
rcvd [PAP AuthAck id=0x1 "Nextra dialin"]
Remote message: Nextra dialin
PAP authentication succeeded
sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
sent [IPV6CP ConfReq id=0x1 <addr fe80::5254:06ff:fe66:0000>]
rcvd [LCP ProtRej id=0x8 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
rcvd [IPV6CP ConfNak id=0x1 <addr fe80::0000:0000:0000:000c>]
sent [IPV6CP ConfReq id=0x2 <addr fe80::0000:0000:0000:000c>]
rcvd [IPV6CP ConfAck id=0x2 <addr fe80::0000:0000:0000:000c>]
rcvd [IPV6CP ConfReq id=0x40 <addr fe80::0090:1a00:0141:70f7>]
sent [IPV6CP ConfAck id=0x40 <addr fe80::0090:1a00:0141:70f7>]
local LL address fe80::0000:0000:0000:000c
remote LL address fe80::0090:1a00:0141:70f7
Script /etc/ppp/ipv6-up started (pid 1439)
Script /etc/ppp/ipv6-up finished (pid 1439), status = 0x0




And the expected ::c ifid is used both on the link local and the global
address:


ipv6-pppoe-1:~# ifconfig ppp0
ppp0      Link encap:Point-to-Point Protocol
          inet6 addr: 2001:4600:10:11::c/64 Scope:Global
          inet6 addr: fe80::c/10 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1452  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:138 (138.0 B)  TX bytes:105 (105.0 B)



Bjørn
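
Added example, not part of the original post and not vendor code: a small Python check of the mechanism described above, combining the RADIUS Framed-Interface-Id with a /64 prefix into the resulting /128 and confirming from a pppd debug trace that the peer acknowledged that interface ID in IPV6CP. The function names are illustrative, the /64 is read off the ifconfig output above, and the trace lines are copied from the pppd output above.

```python
import ipaddress
import re

LOW64 = (1 << 64) - 1

def parse_interface_id(text):
    """Parse a Framed-Interface-Id given as four 16-bit hex groups ('0:0:0:c')."""
    groups = text.split(":")
    if len(groups) != 4:
        raise ValueError("expected four 16-bit groups: %r" % text)
    value = 0
    for group in groups:
        part = int(group, 16)  # raises ValueError on empty or non-hex groups
        if not 0 <= part <= 0xFFFF:
            raise ValueError("group out of range: %r" % group)
        value = (value << 16) | part
    return value

def static_address(prefix, ifid):
    """Combine a /64 prefix (used by SLAAC) with the interface ID into the /128."""
    net = ipaddress.IPv6Network(prefix)  # strict: rejects host bits in the prefix
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | (ifid & LOW64))

def link_local(ifid):
    """Link-local address formed from fe80::/64 and the interface ID."""
    return ipaddress.IPv6Address((0xFE80 << 112) | (ifid & LOW64))

IPV6CP = re.compile(
    r"(sent|rcvd) \[IPV6CP (Conf\w+) id=0x[0-9a-f]+ <addr ([0-9a-f:]+)>\]")

def negotiated_local_ifid(log_lines):
    """Interface ID the peer acknowledged for our side (last 'rcvd ConfAck')."""
    result = None
    for line in log_lines:
        m = IPV6CP.match(line.strip())
        if m and (m.group(1), m.group(2)) == ("rcvd", "ConfAck"):
            result = int(ipaddress.IPv6Address(m.group(3))) & LOW64
    return result

# IPV6CP lines copied from the pppd trace in the post above.
TRACE = [
    "sent [IPV6CP ConfReq id=0x1 <addr fe80::5254:06ff:fe66:0000>]",
    "rcvd [IPV6CP ConfNak id=0x1 <addr fe80::0000:0000:0000:000c>]",
    "sent [IPV6CP ConfReq id=0x2 <addr fe80::0000:0000:0000:000c>]",
    "rcvd [IPV6CP ConfAck id=0x2 <addr fe80::0000:0000:0000:000c>]",
    "rcvd [IPV6CP ConfReq id=0x40 <addr fe80::0090:1a00:0141:70f7>]",
    "sent [IPV6CP ConfAck id=0x40 <addr fe80::0090:1a00:0141:70f7>]",
]
```
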

Victor Lyapunov
2010-03-15 23:00:07 UTC
Hello Bjørn, Gert

Bjørn, have you tried using the "Framed-Interface-Id" with a Cisco CPE?

I have tried the combination Framed-Interface-Id + Framed-IPv6-Prefix
with no luck so far
(The /64 prefix is applied to the dialer interface but the last 64
bits of the PPP interface
address are not affected by the Framed-Interface-Id attribute)

In the ERX which attribute do you use for defining the Prefix
delegated through DHCP-PD?



In the Cisco config that I have tried so far, I can statically define
the IPv6 prefixes for either

the Dialer (assigned through autoconfiguration)
or the Ethernet Interface (assigned through DHCP-PD)

Specifically if I include the "no ipv6 nd prefix framed-ipv6-prefix"
statement in the virtual-template
the prefix is advertised to the CPE through DHCP-PD.
Without this command the prefix is advertised through the
router-advertisements during the
autoconfiguration phase and assigned to the PPP interface of the CPE

I have not found the necessary commands that will enable me to assign
through radius both PPP
and DHCP-PD addresses of the CPE.

====The config for the LNS

aaa authorization configuration default group radius
ipv6 dhcp pool LAN
 prefix-delegation aaa
 dns-server 163::1
 domain-name ipv6.test.com


interface Virtual-Template100
 ip unnumbered Loopback4
 ipv6 enable
 no ipv6 nd prefix framed-ipv6-prefix
 ipv6 nd other-config-flag
 no ipv6 nd ra suppress
 ipv6 dhcp server LAN
 peer default ip address pool v4_POOL
 peer default ipv6 pool PPPOE
 ppp authentication pap
 ppp ipcp dns 10.0.1.1


====Config for the CPE

interface Dialer100
 ip address negotiated
 encapsulation ppp
 dialer pool 100
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd LAN
 ppp pap sent-username user1 password 0 user1
 ppp ipcp dns request
 ppp ipcp route default

interface FastEthernet0/1
 ip address 10.0.100.100 255.255.255.0
 duplex auto
 speed auto
 ipv6 address LAN ::1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server TEST






Gert, in your approach (using DHCP for both LAN and WAN interfaces of
the CPE) how can I have the
CPE pick for the WAN a /64 subnet from the /56 assigned through the DHCP-PD?

I have tried using the command "ipv6 address LAN ::2/64" in the Dialer
interface but with no success.
With the Cisco-AVPair = "ipv6:prefix#1=2001:1::/56" the CPE tries to
assign the first /64 subnet for
both WAN and F0/1 interface and so an error is generated.
Is there a special I can use to force the Dialer to choose the second /64
subnet of the 2001:1::/56 prefix?

Thnx both for the help
Bjørn Mork
2010-03-15 23:13:40 UTC
Post by Victor Lyapunov
Hello Bjørn, Gert
Bjørn, have you tried using the "Framed-Interface-Id" with a Cisco CPE?
No, I'm afraid I haven't.
Post by Victor Lyapunov
I have tried the combination Framed-Interface-Id + Framed-IPv6-Prefix
with no luck so far
(The /64 prefix is applied to the dialer interface but the last 64
bits of the PPP interface
address are not affected by the Framed-Interface-Id attribute)
In the ERX which attribute do you use for defining the Prefix
delegated through DHCP-PD?
That would be the Delegated-IPv6-Prefix (RFC 4818). This is not a
default configuration, but must be configured using

aaa ipv6-nd-ra-prefix framed-ipv6-prefix
aaa dhcpv6-delegated-prefix delegated-ipv6-prefix


The ERX default is to use the Framed-IPv6-Prefix for PD.




Bjørn


Gert Doering
2010-03-15 23:04:04 UTC
Hi,
Post by Bjørn Mork
Yes. With this RADIUS account (the prefix is statically configured in
[..]
Post by Bjørn Mork
ipv6-pppoe-1:~# ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
inet6 addr: 2001:4600:10:11::c/64 Scope:Global
inet6 addr: fe80::c/10 Scope:Link
Cool. Thanks a lot for pointing this out. Learned something new today :-)

gert