---- On Sat, 27 Jul 2024 04:21:08 +0100  moto kawasaki  wrote --- 
 > 
 > Hi Chris, all
 > 
 > I am struggling with the same problem too, and here is my working
 > configuration for dhcp6c in my test environment.
 > Hope this can be of help.
 > 
 > 
 > vtnet0 is uplink, where I expect to receive RA from ISP.
 > 
 > If the upstream router sends RA with PD with 2001:db8:beef::/56, dhcp6c
 > will add sla-len (8 in this configuration) to the prefix length (/56)
 > to get the final prefix length of /64.
 > Also, dhcp6c will add sla-id (11 and 12, decimal) to prefix, so that
 > I will use 2001:db8:beef:b/64 and 2001:db8:beef:c/64 for assigning my
 > internal network interfaces (vtnet1 and vtnet2).
 > 
 > Well, I am wondering how I can tell "authentication isp_auth" entry to
 > use the "isp_key", especially when I have multiple "keyinfo" entries.
 > 
 > 
 > 
 > ===== /usr/local/etc/dhcp6c.conf =====
 > keyinfo isp_key {
 >         realm "example.org";
 >         keyid 1;
 >         secret "JTY0XXXXXXXXXXXXXXX==";  # masked.
 > };
 > 
 > authentication isp_auth {
 >         protocol delayed;
 > };
 > 
 > interface vtnet0 {
 >         script "/usr/local/etc/dhcp6c-script.sh";
 >         send ia-pd 3;
 >         send authentication isp_auth;
 >         request domain-name-servers;
 >         request domain-name;
 >         request ntp-servers;
 >         #send rapid-commit;
 > };
 > 
 > id-assoc pd 3 {
 >         prefix-interface vtnet1 {
 >                 sla-id 11;
 >                 sla-len 8;
 >         };
 >         prefix-interface vtnet2 {
 >                 sla-id 12;
 >                 sla-len 8;
 >         };
 > };
 > =====
 
For dhcpcd you would do this:

interface vtnet0
  ia_pd 3 vtnet1/11 vtnet2/12
  option domain_name_servers, domain_name, ntp_servers
  authproto delayed
  authtoken 1 "example.org" forever "JTY0XXXXXXXXXXXXXXX=="


But please note that delayed authentication has now been obsoleted:
https://datatracker.ietf.org/doc/html/rfc8415#section-25
While dhcpcd supports it to some extent, it's not widely tested and could be 
broken in any given release as I don't have a means of testing it right now.

The only real authentication support that is in the RFCs is the reconfigure 
key.
https://datatracker.ietf.org/doc/html/rfc8415#section-20.4

Roy
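
The sla-id/sla-len arithmetic described in the quoted message, as an added Python example that is not part of the original thread or of dhcp6c/dhcpcd. The function names `derive_subnet` and `plan` are hypothetical; the prefix, interface names and sla values are the ones from the quoted configuration.

```python
import ipaddress

def derive_subnet(delegated, sla_id, sla_len):
    """Append sla_len bits holding sla_id to a delegated IPv6 prefix."""
    pd = ipaddress.IPv6Network(delegated)  # rejects prefixes with host bits set
    new_len = pd.prefixlen + sla_len
    if sla_len < 0 or new_len > 128:
        raise ValueError(f"/{pd.prefixlen} + sla-len {sla_len} is not a valid length")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # Place sla-id in the bits immediately after the delegated prefix.
    value = int(pd.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((value, new_len))

def plan(delegated, assignments):
    """Map interface -> subnet for {interface: (sla_id, sla_len)}; reject overlaps."""
    result = {}
    for ifname, (sla_id, sla_len) in assignments.items():
        net = derive_subnet(delegated, sla_id, sla_len)
        for other, existing in result.items():
            if net.overlaps(existing):
                raise ValueError(f"{ifname} {net} overlaps {other} {existing}")
        result[ifname] = net
    return result

if __name__ == "__main__":
    # Values from the quoted dhcp6c.conf; the /56 is the documentation prefix used there.
    for ifname, net in plan("2001:db8:beef::/56",
                            {"vtnet1": (11, 8), "vtnet2": (12, 8)}).items():
        print(ifname, net)
```

If the delegation were a /60 instead, the same sla-len 8 would yield a /68 rather than a /64.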
