On 2017-04-03, Harald Dunkel <ha...@afaics.de> wrote:
>
> Hi folks,
>
> AFAICT adding 2 lines to hostname.pppoe0 (as shown in the man
> page) doesn't give you a full featured IPv6 subnet yet. Is there
> some support for IPV6CP (RFC 5072) in OpenBSD?

pppoe(4) does exactly use IPV6CP. But IPV6CP doesn't do what you think! All it does is negotiate an interface identifier which is used to set a link-local address.

"The negotiated interface identifier is used by the local end of the PPP link to autoconfigure an IPv6 link-local unicast address for the PPP interface."

With some ISPs you can run autoconf on the pppoe interface to get a global routable address for that interface. If so, that would give you enough to do NATted IPv6 with a single address your side. But it's not all that unusual for the ISP to use "unnumbered" ppp interfaces (in the case of ipv6 that is "with a link-local address only") and only put a routable address on an internal interface. And even if they do, most people using IPv6 would expect to have routable addresses on their other machines.

To get addresses for *other* interfaces, e.g. your LAN, the method used by most ISPs is DHCPv6-PD "prefix delegation". This can be handled by wide-dhcpv6 or dhcpcd (or dibbler, not in ports, and I think isc-dhcp should be able to do it as well but I haven't tested that myself).

Something important to be aware of: none of these have privilege separation (and I'm not aware of another DHCPv6 client that does). A process running as root parses packets coming from the ISP and handles address changes.

With that in mind I would not recommend wide-dhcpv6 at all; it has been untouched for 9 years and I'm not aware of any auditing done on it. (Reading build-time output from "scan-build make" suggests a few possible mistakes). Also it misses some features that dhcpcd has, notably it doesn't add a blocking route for the rest of the subnet, so if you receive traffic to an address which is part of your wider prefix, often a /56 or /48, but isn't configured on an interface, it'll flip-flop out over the default route and back again until the hop-limit expires.

I'm happier with dhcpcd than wide-dhcpv6 but it still does a lot more than the basics that are all that a typical ISP-facing router needs (i.e. bigger surface), and misses the nice segregation between priv & unpriv that OpenBSD's dhclient has. In short, I think this is an area that could really do with improving.
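
The flip-flop described in the message above, as an added example that is not part of the original post: a simplified two-router model (ISP router and customer router) doing longest-prefix match, with and without a blocking route for the delegated prefix. The prefixes, table layout and the function names `lookup` and `trace` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (RFC 3849 documentation prefix), not from the post.
DELEGATED = ipaddress.ip_network("2001:db8:1200::/56")  # prefix received via DHCPv6-PD
LAN = ipaddress.ip_network("2001:db8:1200:1::/64")      # the one /64 configured on a LAN
DEFAULT = ipaddress.ip_network("::/0")

# The ISP routes the whole delegated prefix to the customer router (CPE).
ISP_TABLE = {DELEGATED: "to-cpe"}
# CPE as left by a client that installs no blocking route.
CPE_NO_BLOCK = {DEFAULT: "to-isp", LAN: "deliver"}
# CPE with a blocking (reject) route covering the rest of the delegated prefix.
CPE_WITH_BLOCK = {**CPE_NO_BLOCK, DELEGATED: "reject"}


def lookup(table, dst):
    """Longest-prefix match: action of the most specific route covering dst."""
    best = max((net for net in table if dst in net), key=lambda net: net.prefixlen)
    return table[best]


def trace(dst, cpe_table, hop_limit=64):
    """Follow a packet for dst (inside DELEGATED) that has reached the ISP router.

    Returns (outcome, number of times the packet was forwarded).
    """
    dst = ipaddress.ip_address(dst)
    at, hops = "isp", 0
    while hop_limit > 0:
        action = lookup(ISP_TABLE if at == "isp" else cpe_table, dst)
        if action in ("deliver", "reject"):
            return action, hops
        at = "cpe" if action == "to-cpe" else "isp"
        hop_limit -= 1  # each forwarding step consumes one hop
        hops += 1
    return "hop-limit expired", hops


if __name__ == "__main__":
    for name, table in (("no blocking route", CPE_NO_BLOCK),
                        ("blocking route", CPE_WITH_BLOCK)):
        for dst in ("2001:db8:1200:1::10", "2001:db8:1200:ff::1"):
            print(f"{name:18} {dst:22} {trace(dst, table)}")
```

Without the blocking route, every packet sent to an unassigned address in the /56 crosses the access link until its hop limit runs out, so an outside sender can multiply its traffic on that link; with it, the packet is rejected at the first hop.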