Core: No null route is created for delegated prefix

Created on 10 Mar 2019 · 4 Comments · Source: opnsense/core

When a DHCPv6 WAN interface gets delegated a prefix, a null route should automatically be created for this prefix. This is best practice to prevent routing loops and is implemented in most routers.

Example:
ISP delegates prefix 2001:db8:1:a00::/56. OPNsense uses prefix ID 1 (2001:db8:1:a01::/64) for its tracking LAN interface. A host in this LAN sends packets to an address in any other (unused) subnet of the delegated prefix (e.g. 2001:db8:1:a02::/64). OPNsense routes these packets to the ISP who routes them back to OPNsense which routes them to the ISP... and so on. This can easily be reproduced using traceroute.

If you have a static prefix you can manually add a null route, but this is not possible with dynamic prefixes.

Just for reference, the RFCs which actually mandate this:

RFC 7084 (Basic Requirements for IPv6 Customer Edge Routers):

Any packet received by the CE router with a destination address in the prefix(es) delegated to the CE router but not in the set of prefixes assigned by the CE router to the LAN must be dropped. In other words, the next hop for the prefix(es) delegated to the CE router should be the null destination. This is necessary to prevent forwarding loops when some addresses covered by the aggregate are not reachable [RFC4632].

RFC 4632 (Classless Inter-domain Routing (CIDR)):

A router that generates an aggregate route for multiple, more-specific routes must discard packets that match the aggregate route, but not any of the more-specific routes. In other words, the "next hop" for the aggregate route should be the null destination. This is necessary to prevent forwarding loops when some addresses covered by the aggregate are not reachable.

cleanup

All 4 comments

I can try, but I am unsure that we're able to hook into the right spot easily. All guidance welcome.

@maurice-w so what does this delegated prefix null route look like in a real-world example? Because if we have to generate routes for all unused subnets that is going to be quite a bit of routes to be generated and set and to be kept in sync, especially tricky if we have PD to downstream as well...

@fichtner, we only have to add _one_ null route when we get delegated a prefix (and remove that route when the lease for the prefix delegation expires). Example:

  • OPNsense gets delegated 2001:db8:1:a00::/56 from upstream (ISP).
  • It should add the null route 2001:db8:1:a00::/56 via ::1 to its routing table, so any packet with a destination address in this prefix gets discarded.
  • It uses prefix ID 1 for a tracking LAN interface. It adds 2001:db8:1:a01::/64 via link#n to its routing table. This route is more specific than the null route, so routing to the LAN works.
  • It delegates 2001:db8:1:ab0::/60 to a downstream router. It adds 2001:db8:1:ab0::/60 via <downstream router WAN address> to its routing table. This route is more specific than the null route, so routing this prefix to the downstream router works.

Cheers
Maurice
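
The forwarding behaviour described in the comment above, simulated as an added example (this is not code from the issue or from OPNsense): a longest-prefix-match lookup over the routes listed above, run once without and once with the /56 blackhole route, tracing a packet hop by hop. The surrounding topology is an assumption made for the simulation: an ISP router that routes the whole delegated /56 back to OPNsense and a downstream router that holds 2001:db8:1:ab0::/60 and its own LAN 2001:db8:1:ab1::/64. The hop limit used to detect the loop is also an arbitrary choice.

```python
"""Longest-prefix-match simulation of the delegated-prefix routing loop.

Added example, not OPNsense code. Router names, the ISP/downstream
topology and the hop limit are constructed for this illustration.
"""
import ipaddress


class Router:
    def __init__(self, name):
        self.name = name
        # (network, next_hop): next_hop is another Router, "local"
        # (delivered to a directly attached network) or "blackhole".
        self.routes = []

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Return the most specific matching route, or None."""
        dst = ipaddress.ip_address(dst)
        matches = [(net, hop) for net, hop in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)


def forward(start, dst, max_hops=8):
    """Walk a packet hop by hop.

    Returns (outcome, path) where outcome is "delivered", "dropped",
    "unreachable" or "loop" (the hop limit was exhausted).
    """
    path = []
    router = start
    for _ in range(max_hops):
        path.append(router.name)
        match = router.lookup(dst)
        if match is None:
            return "unreachable", path
        _net, hop = match
        if hop == "blackhole":
            return "dropped", path
        if hop == "local":
            return "delivered", path
        router = hop
    return "loop", path


def build_topology(with_null_route):
    """Routes from the comment above; the ISP and downstream router are assumed."""
    isp = Router("isp")
    ce = Router("opnsense")
    downstream = Router("downstream")

    # ISP: everything else goes on to the Internet, the delegated /56 goes to the CE.
    isp.add_route("::/0", "local")
    isp.add_route("2001:db8:1:a00::/56", ce)

    # OPNsense: default via ISP, tracking LAN (prefix ID 1), PD to downstream.
    ce.add_route("::/0", isp)
    ce.add_route("2001:db8:1:a01::/64", "local")
    ce.add_route("2001:db8:1:ab0::/60", downstream)

    # Downstream router: default via OPNsense, one LAN out of its /60.
    downstream.add_route("::/0", ce)
    downstream.add_route("2001:db8:1:ab1::/64", "local")

    if with_null_route:
        # One null route per delegated prefix, on every router that was delegated one.
        ce.add_route("2001:db8:1:a00::/56", "blackhole")
        downstream.add_route("2001:db8:1:ab0::/60", "blackhole")
    return isp, ce, downstream


if __name__ == "__main__":
    for with_null in (False, True):
        isp, ce, downstream = build_topology(with_null)
        print(f"null route installed: {with_null}")
        for dst in ("2001:db8:1:a02::1",   # unused /64 inside the /56
                    "2001:db8:1:a01::1",   # tracking LAN
                    "2001:db8:1:ab1::1",   # downstream LAN
                    "2001:db8:1:ab2::1",   # unused /64 inside the downstream /60
                    "2001:db8:2::1"):      # outside the delegated prefix
            print(f"  LAN host -> {dst}: {forward(ce, dst)}")
        print(f"  Internet -> 2001:db8:1:a02::1: {forward(isp, '2001:db8:1:a02::1')}")
```

Without the blackhole route the packet to the unused 2001:db8:1:a02::/64 bounces between opnsense and isp until the hop limit runs out, which is the traceroute pattern from the issue; with it, the packet is discarded on the first router that owns the aggregate, while the more specific /64 and /60 routes still win the lookup. On FreeBSD, which OPNsense is built on, the equivalent real route is `route add -inet6 2001:db8:1:a00::/56 ::1 -blackhole`.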

An interim solution would be to allow Firewall/Alias to be used as the Network Address in the System: Routes: Configuration.

In pfSense I would create an Alias manually for my /56 I would receive from my ISP called NET_IPV6_PREFIX.

I would then create a route using NET_IPV6_PREFIX as the network address to Null6-::1, so if my prefix was changed, then I could manually change it in one place in the Alias and my route would get updated.
