Feature request: ND Proxy (RFC 4389)

Okay, let’s think through this in detail from all vantage points: a provider-side perspective, a vendor-side perspective, a end-user-side perspective, and then try to tie them all together in to figure out what’s actually possible as well as what might actually matter in terms of user expectations, user experience, etc.

Maybe other providers/netadmins would disagree, but I see no reason for us to ever go out of our way to actively invalidate an address or prefix after a certain amount of time has passed (or whatever criteria). It’s not like we are going, “oooh, you’ve had those addresses for 48 hours now (or a week, or a month, or…whatever); that’s long enough & now it’s time for you to give those up and accept a new prefix.” That just doesn’t happen. As long as your PPP session remains up, your addresses aren’t going to change. Even if that happens to be, say, 2 years. At least in IPv4-land, I frequently see much the same thing with many other providers who standardize on dynamic assignment, where many customers frequently get the same address handed back to them every time they make a DHCP request, even if they let their lease lapse for a little bit. Contrary to popular myth, dynamic addressing isn’t some grand conspiracy invented by ISPs as a way to make our users’ lives more miserable, or to try to extract more money out of them.

If something causes your PPP connection to us to drop, then of course we cannot guarantee that once it has been re-established that you will be able to have the same prefix routed to you. Again, we aren’t against it if it does happen, and we aren’t going out of our way to prevent it, but in an environment where prefixes are assigned dynamically, at least some of the circumstances that determine what address(es) you get assigned upon re-connection are quite outside of our control. Also again, we aren’t doing dynamic assignment for any reason other than that’s the best that our current network architecture can scale to at the present time, while still balancing other considerations such as service reliability and redundancy (for example, we happen to think that if something catastrophic happens on our network, where your two hypothetical choices are going to be wait hours to get reconnected with the same address or wait seconds to get reconnected with a different address, that it’s better if you can get service re-established fast, even if with a different set of IP addresses, than to endure a potentially multi-hour-long outage…fancy that!)

Some of the factors that determine whether we can continue to route the same address(es) to you include things like…well, how does (closed-source, sealed-black-box) RouterOS itself behave? In our experience, if a customer disconnects from a RouterOS access concentrator, then reconnects to the same one a short while later, RouterOS tries its very best to give them back the same addresses they had before, assuming they’re still available. (It seems to try to avoid re-assigning that same address/prefix to another user for as long as it possibly can hold out; if there are new connections coming in and addresses within the pool that haven’t been assigned to anyone yet, it tends to pick those other addresses first, before it reaches back and recycles a previously-assigned address that now just happens to technically be free at that particular moment.) That’s great. However, if it didn’t behave that way…we would have little power to do anything about it ourselves, outside of perhaps getting extremely creative and really MacGyver’ing something up. Again: we are often stuck with the choices that our vendors make for us on our behalf.

Now, let’s consider the circumstance where a customer disconnects from one of our access concentrators (for whatever reason), and happens to re-connect to a completely different one. Maybe you just happened to get assigned a different access concentrator by luck of the draw. Or maybe the concentrator you were connected to moments before isn’t online anymore, because…it took a dirt-nap? the building’s on fire? a fiber trunk link got cut somewhere by a backhoe? Take your pick. It really doesn’t matter the reason. Regardless, in that case, it is literally impossible for us to re-assign the same address(es) to you the customer that you had before…the prefix in question isn’t even being routed to the access concentrator that you’re talking to now. The different access concentrators each have their own completely separate pools of (contiguous) address space that they can assign prefixes to clients from, and now you’re talking to a different one with a completely different set of addresses. Sorry, nothing we can do about that.

That last example shows that the whole “valid prefix grace period” thing is a total pipe dream to begin with. The only scenario in which ANY network operator could conceivably honor that would be if what we are talking about was a CONTROLLED re-numbering event, where they wanted to swap out an entire set of prefixes on a segment of their network for some reason, and had the whole thing planned in advance, likely occurring during a scheduled maintenance window, and could have both old and new address space overlap and be “live” and available from the same gateway, at the same time, for a period of time. That’s just not what we are talking about here. For UNplanned network events, if the prefix is available on the access concentrator when the customer re-connects, they’ll get it back. If it’s not because someone else now has it (their connection’s been down for hours for some reason…power outage / they unplugged their router / whatever), tough luck. If they connect to a completely different access concentrator that doesn’t even HAVE that prefix to hand to them that they want back, tough luck. So, no, there is no real scenario within which it even makes sense for us to try to honor such a “grace period”. The entire concept just doesn’t even make sense in any context where we are talking about completely uncontrolled or unplanned outage events.

So you may be thinking, well, doesn’t that lead to a crappy end-user experience? Here’s the thing: this is entirely no different than the experience they would have had with IPv4 up to this point in history anyway. If there is an unplanned network disconnect/reconnect in an environment where IPv4 addresses are assigned dynamically, nobody guarantees you get the same address back, and nobody expects there to be a “grace period” where you can still use the old address for a bit. And, honestly, even if there was, how many people would that practically benefit in most cases? If the connection outage is long enough, all of their existing TCP sessions that they had established with the old source IP timed out long ago ANYway. Connection tracking tables on gateways & firewalls normally get purged when an IPv4 WAN address changes. This whole dynamic delegated prefix thing is just a slightly different spin on that. From my perspective, RFC 6204/9096 takes care of this problem by informing all hosts on the customer’s LAN that the prefix they were using is no longer available, and should be invalidated IMMEDIATELY. No grace period. Then once the new prefix has been acquired, all of the hosts pick it up via RAs and SLAAC themselves a new address from it. If a connection/flow to something on the internet got interrupted, the software responsible for that flow will have to re-make that connection to the remote host…which is exactly the same thing it would have needed to do if the dynamic public IPv4 address sitting on a NATting gateway had changed. Same-same.

The kinds of end-to-end / ducks-in-a-row testing I’m talking about are about making sure that rolling out IPv6 doesn’t suddenly result in a WORSE experience than what they already had pre-IPv6. Yes, it would be nice if we could also make their experience even better…and anytime we are given the opportunity to do that in a way that makes sense, we take it. But the experience needs at the very least to not DEGRADE below what they are used to having with IPv4 connectivity. So basic things like…computers shouldn’t suddenly lose IPv6 connectivity simply because multicast on (W)LANs is unreliable & IPv6 depends on RAs getting through in order to work at a fundamental level, or leaving the IPv4 firewall rules on their dual-stack-capable CPE (many of which are RouterOS-based) on the “default accept” config, or having IPv6 forwarding perform noticeably worse than IPv4 because RouterOS didn’t have IPv6 Fast Path support until like 5 seconds ago, etc. There are all sorts of NEW problems that IPv6 can potentially ADD to the equation, and we need to unearth what those are, anticipate them, and address them ahead of time, before they inconvenience users.


I don’t think this is a thing, though? Given the way that the whole NDP/RAs/SLAAC system is made to work, I’m not aware of any way that a netadmin can try to “break” it so that it doesn’t work on their network, and make DHCPv6 the only option available to hosts. As far as I’m aware, it is by-definition impossible to make a DHCPv6-only network. That was my point. Your choices are: SLAAC only, or SLAAC+DHCPv6. Android has decided to remove the second choice from their users, and thus also from the network administrators who have to maintain the networks these clients need to connect to.


I’m not familiar with what you are referring to; if you have some resources to point me to, I’d be interested to take a look and see what they are talking about.

i agree with your arguments about renumbering and why it’s not practical to preserve addresses/prefixes in some scenarios, especially for smaller ISPs and ones that have grown their networks organically. One thing I would like to point out however, is that not preserving the allocation and allocating it to another client are different things, and the latter can be done with much less effort than the former.

Maybe it was not well articulated, but my point was that with the apparent insistence of the architects of ipv6 on carrying the prefix allocated by the provider into your network, the end-user in the cases I outlined is actually worse off than with ipv4. With an ipv6 prefix change, my connections fully internal to my network will be broken. If my connection is through a site-to-site tunnel - as long as the VPN connection is reestablished - it can survive an (external) ipv4 address change, with an ipv6 prefix carried into the network it can’t survive a prefix allocation change. If I use DNS internally, I don’t have to change records with an ipv4 address change.

In this sense, ipv6 (as it should be done) does put additional onus on the provider. I can’t read the standards and recommendations any other way than that there is a hidden assumption that the allocated prefix will change at most in the event of a major natural disaster.

With regard to the slaac/dhcp Android thing. Again, this is very subjective, but the way I read one of the longest threads on the subject on the Android dev mailing list, many of the most aggrieved people were the ones using “next generation firewall” appliances (such as FortiGate, Palo Alto, etc.) that do things like filter connections unless the address was provided by them via DHCP. (And yes, these are also the firewalls that don’t allow an outgoing connection to an IP unless it was obtained through their DNS, man in the middle TLS connections, etc.) These people also made claims such as (paraphrasing - but believe it or not, not that much) “no responsible admin worth their salt would allow devices to use this [SLAAC]”

So technically SLAAC occurs (because it’s client-side, there’s nothing that can prevent it) however packets are discarded, so in practice devices that only support this will not work.

And I believe that Android devs were against this, not against using dhcpv6-pd on their provider side connections. Maybe the two got unfairly lumped together?

EDIT: With regard to the CPE L2TP thing: I’ll be sure to pass along anything interesting if I come across it.

My hunch is that even those in the IPv6 idealist camps would say this isn’t the case, since if you are using it “as intended”, you will have multiple addresses per interface, and that intra-LAN, your hosts should all be using link-local, or ULA, or something else to talk to each other. The GUA addresses are intended for internet communication. In fact, I’ve seen it argued that the proper way to do internet connection failover with IPv6 (when you don’t have your own independent address space) is to announce the prefixes you have received from BOTH of your internet providers to all of your LAN hosts. Your LAN hosts will then SLAAC addresses for themselves from both prefixes. One of the two default routes that they install into their own tables will have a higher priority / lower cost than the other. When your primary connection goes down, your hosts will then send internet traffic out the secondary gateway, while also switch to sourcing traffic from their secondary address.

Hey, I’m just the messenger.


Even if I may disagree with the actions taken by said admins, …it’s their network. How arrogant is it of the Android network stack engineers to dictate how everybody’s networks should work, and what their policies should be? If your interpretation is correct, then Android devs are throwing the baby out with the bathwater, merely because of what some netadmins MIGHT do. Shameful.

The problem is of course source address selection. It has changed once in 2012, and there are again standards track changes (that would elevate ULAs above IPv4, or at least above RFC1918). It changes roughly once every 10 years, and that’s not an eternity in networking protocols. The only good side is the forethought put into things like suggesting that the hosts should allow the user to change address selection preferences. Good luck with that.

Well, again, they say that ipv6 basically expects slaac to work for endpoints, so if it’s not working on your network that’s not their problem. I generally dislike the fact that an app cannot be installed for it without rooting though.

I think the more general problem is that no one is actually interested in what the ipv6 gurus have to say anymore. Many think they had their chance, and sadly this increasingly includes me.

When a host has more than one address, to my knowledge, most hosts that have a direct presence/address-assignment within the same prefix as the destination they are trying to reach will properly source from the address they possess within that same subnet/prefix. So, trying to talk to link-local will result in your host sourcing from its link-local. If all of your LAN hosts in the same broadcast domain / VLAN have ULA from the same prefix, they’ll all source from their ULA address when talking to somebody else on the LAN at its ULA address. Et cetera.

The ambiguity with sourcing when a host has multiple addresses tends to arise when something between your host and the destination has to gateway your traffic. For most residential/SMB network, this is not going to be an issue. I could see how this could get sticky, though, for larger LANs with multiple segments or VLANs.

The other thing that occurs to me about this whole topic is that, even if the whole “graceful prefix transition” bit of IPv6 could actually be depended upon for most changes, it still isn’t really that helpful. What if you are in the middle of a transfer of an extremely large file that is going to take multiple hours to complete? It is no comfort that you have, say, a 2-hour grace period before you have to vacate the old prefix if you still have 8 hours remaining on this transmission. And that doesn’t change regardless of whether that transfer is between you and another host on the internet, or between two hosts on your LAN. So, another argument in favor of not relying on GUAs (at least PA ones) for intra-LAN comms…


That’s a tangentially-related-but-different subject. (Though not one that is any less important, to be sure.) We were talking about source address selection, but you suddenly shifted gears to destination address selection, which also includes the additional spin of protocol selection if you are in a dual-stacked environment. The whole matter of which destination address to use can only come into play if the host making the connection even knows that there are multiple possibilities in the first place, which in turn implies some sort of directory lookup / abstraction system (DNS) that is being used which can inform the host about those different options. So we are suddenly talking about a lot of different things!

The context up to this point also (at least as I took it) included the implication that whatever hypothetical intra-LAN session we are talking about is explicitly an IPv6 exchange. If it is explicitly IPv6, then how certain IPv6 prefix classes are prioritized relative to other IPv4 prefix classes when a host is trying to choose what destination to talk to doesn’t factor in…that decision already got made a long time ago (either someone typed in a raw address, which locks the protocol in, or the protocol choice got made when the answer to the DNS query was returned). On the sourcing side, it’s kind of a non-sequitur to talk about…you could theoretically have one host with multiple IPv6 addresses source its traffic from any of them when talking to another IPv6 host, but a dual-stacked host is obviously not going to source from any of its IPv4 addresses when trying to talk IPv6 to another host.


Sounds like you’re saying they want to have it both ways: it’s “their problem” (or at least they consider it “their business”) that your network only work the One True Way™, but not “their problem” that their product becomes useless on anybody’s networks who won’t comply with their demands. Got it.

I don’t think the Android guys are coming at this from a position of strength here, myself. IT departments typically have a lot of say in what devices can or cannot be used on the networks they support. On top of that, when it comes to mobile platforms, Apple (as much as it pains me) IS in a position of strength and are much harder for IT to say “no” to, due especially to their popularity in the C-suite. So if iPhone has DHCPv6 support, Android doesn’t, IT isn’t going to budge on their position that it’s DHCPv6 or take a hike, and everybody at the company wants corporate to issue iPhones ANYWAY…

…then it sounds like Android deployments at corporations and universities are going to be few and far between. And if Android doesn’t work well on their network, that’s “not their problem” & door’s to the left. Cuts both ways.


I…have no idea what you’re talking about here? Now you’ve completely lost me.

+1. ND Proxy is simply vital, since there is only a /64 network

relate update 7.20beta2

*) ipv6 - added support for IPv6 ND proxying of individual addresses;

http://forum.mikrotik.com/t/v7-20beta-testing-is-released/183944/1

That’s a start. Nice.

But this really needs to be a switch that’s flippable on a per-interface basis, and which encompasses the prefixes directly attached to that interface under /ipv6/address. Just like how proxy-arp works for IPv4.

If I have a MT attached to an internet connection that I only get a single /64 on, and so I use that same /64 on both WAN and LAN, an ndp-proxy needs to be able to proxy responses for either side, automatically. If I have to manually maintain a list of individual addresses on the LAN that the MT needs to proxy on the WAN-side, this is not going to prove to be very useful (unless paired with some scripting that can frequently comb through /ipv6/neighbor and auto-populate the ndp-proxy address list with any new entries it finds).

You can enable container mode in router and try use proxylite/ndppd - Docker Image | Docker Hub

Hi, I’m interested in the container but it’s only in arm64 arch, would you mind support more archs like x86, arm or just share the Dockerfile? Thanks very much!

This is what I'm doing currently, using a script to populate/depopulate but I'm wondering if this is still necessary or has it been implemented in a way where scripting is no longer needed?