torrent
just joined
Topic Author
Posts: 11
Joined: Wed Mar 23, 2016 8:39 am

IPv6 SLAAC, Router Solicitation

Wed Oct 03, 2018 11:25 am

Hello.
Tell me, please, who knows: does radvd in RouterOS not service Router Solicitation requests from hosts on the LAN and not send responses to unicast addresses? Does it only send Router Advertisement announcements to multicast listeners?
I tried to set up the network in such a way as to block the announcements from the mikrotik (inside mikrotik) to the multicast listeners, but in this case SLAAC does not work at all.
Thank you.
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: IPv6 SLAAC, Router Solicitation

Wed Oct 03, 2018 2:09 pm

It's unicast NDP message from router to client.
 
torrent
just joined
Topic Author
Posts: 11
Joined: Wed Mar 23, 2016 8:39 am

Re: IPv6 SLAAC, Router Solicitation

Wed Oct 03, 2018 3:26 pm

It's unicast NDP message from router to client.
Sure?
I tried to simulate the situation again: a Linux host and a mikrotik with RouterOS 6.42.6.
On the Linux host, I blocked the reception of Router Advertisements using a firewall.
The Linux host periodically sends Router Solicitations.
Mikrotik ignores the requests and sends Router Advertisements to multicast listeners.
http://rgho.st/74glFLZRB - .cap file from the sniffer: the first two packets are Router Advertisements from mikrotik; the 3rd packet is a Router Solicitation from the Linux host; the rest are again Router Advertisements from mikrotik.
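
The check done by eye on the capture above, as an added example that is not part of the original thread: it parses raw Ethernet frames, picks out ICMPv6 Router Solicitations (type 133) and Router Advertisements (type 134), and reports whether the advertisement following each solicitation was addressed to the soliciting host or to a multicast group. The frames, MAC addresses and link-local addresses are constructed sample data, and the parser assumes untagged Ethernet with no IPv6 extension headers.

```python
import ipaddress
import struct

ND_TYPES = {133: "RS", 134: "RA"}  # ICMPv6 Router Solicitation / Advertisement

def classify(frame: bytes):
    """Return (kind, src, dst) for an RS/RA Ethernet frame, else None."""
    if len(frame) < 14 + 40 + 8 or frame[12:14] != b"\x86\xdd":
        return None                       # too short or not IPv6
    ip = frame[14:54]
    if ip[6] != 58 or ip[7] != 255:       # not ICMPv6, or hop limit invalid for ND
        return None
    kind = ND_TYPES.get(frame[54])
    if kind is None:
        return None
    return kind, ipaddress.IPv6Address(ip[8:24]), ipaddress.IPv6Address(ip[24:40])

def ra_replies(frames):
    """For each RS, report how the next RA on the wire was addressed."""
    results, pending = [], None
    for frame in frames:
        info = classify(frame)
        if info is None:
            continue
        kind, src, dst = info
        if kind == "RS":
            pending = src
        elif pending is not None:
            mode = "unicast" if dst == pending else (
                "multicast" if dst.is_multicast else "other")
            results.append((str(pending), str(dst), mode))
            pending = None
    return results

def build(src_mac, dst_mac, src_ip, dst_ip, icmp_type):
    """Constructed test frame; checksum left at zero, no ND options."""
    body = bytes([icmp_type, 0, 0, 0]) + bytes(12 if icmp_type == 134 else 4)
    ip = struct.pack("!IHBB", 0x60000000, len(body), 58, 255)
    ip += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x86\xdd" + ip + body

# Constructed addresses: (MAC, link-local IPv6) for a router and a host
ROUTER, HOST = ("020000000001", "fe80::1"), ("020000000002", "fe80::2")
ra_mcast = build(ROUTER[0], "333300000001", ROUTER[1], "ff02::1", 134)
ra_ucast = build(ROUTER[0], HOST[0], ROUTER[1], HOST[1], 134)
rs = build(HOST[0], "333300000002", HOST[1], "ff02::2", 133)

# Same packet order as the capture described in the post: RA, RA, RS, RA, ...
print(ra_replies([ra_mcast, ra_mcast, rs, ra_mcast, ra_mcast]))
# A router that unicasts its solicited advertisement instead
print(ra_replies([rs, ra_ucast]))
```

To run it against a real capture, feed `ra_replies` the raw frame bytes read from the file with any pcap reader.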
 
Anumrak
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: IPv6 SLAAC, Router Solicitation

Wed Oct 03, 2018 3:49 pm

Yes. The solicitation is sent by the client to the router from the client's src MAC to the link-local multicast address. After the router receives this frame, it will send an advertisement from its unicast src address to the unicast destination MAC address of the client. After the user populates its ND base, it will "talk" with the router with unicast frames only.
 
torrent
just joined
Topic Author
Posts: 11
Joined: Wed Mar 23, 2016 8:39 am

Re: IPv6 SLAAC, Router Solicitation

Thu Oct 04, 2018 6:47 am

Yes. The solicitation is sent by the client to the router from the client's src MAC to the link-local multicast address. After the router receives this frame, it will send an advertisement from its unicast src address to the unicast destination MAC address of the client. After the user populates its ND base, it will "talk" with the router with unicast frames only.
Maybe if the router is not a mikrotik. If it is a mikrotik router, then only multicast - you can look at the captured traffic in the previous post. Or maybe it is necessary to apply special settings on the mikrotik to enable unicast? I was looking for such settings and could not find any.
Thank you anyway
 
proximus
Member Candidate
Posts: 119
Joined: Tue Oct 04, 2011 1:46 pm

Re: IPv6 SLAAC, Router Solicitation

Thu Oct 04, 2018 3:02 pm

I tried to set up the network in such a way as to block the announcements from the mikrotik (inside mikrotik) to the multicast listeners, but in this case SLAAC does not work at all.
For the curious ... why would you want to do this in a SLAAC environment anyway?

The intended function of Router Solicitations is to allow a host to come online without having to wait for the next RA, e.g. when the interface initially comes up, some change is applied, etc. Not to be a heartbeat.

While I agree with your analysis of the exchange in the PCAP, to block normal multicast RA behavior is essentially breaking the intended design of the protocol. Yes, the response to an RS should be a unicast RA.
 
torrent
just joined
Topic Author
Posts: 11
Joined: Wed Mar 23, 2016 8:39 am

Re: IPv6 SLAAC, Router Solicitation

Thu Oct 04, 2018 3:20 pm

I tried to set up the network in such a way as to block the announcements from the mikrotik (inside mikrotik) to the multicast listeners, but in this case SLAAC does not work at all.
For the curious ... why would you want to do this in a SLAAC environment anyway?
In my case, the goal is to disable the use of SLAAC and IPv6 for several hosts on the LAN, identified by their MAC addresses.
If mikrotik could send RA answers to unicast, then I would solve the task like this:
1. I would block the sending of multicast RA packets from mikrotik (in /ipv6 nd I cannot disable multicast sending, but this can be done in /ipv6 firewall filter).
2. Block, using a firewall on mikrotik, the reception and processing of RS from the list of hosts on the LAN that are not allowed to use IPv6 and SLAAC.
 
proximus
Member Candidate
Posts: 119
Joined: Tue Oct 04, 2011 1:46 pm

Re: IPv6 SLAAC, Router Solicitation

Thu Oct 04, 2018 3:38 pm

If all you want to do is disable the use of SLAAC and IPv6 on specific hosts, would it not be much easier to just disable IPv6 SLAAC at the OS level on the desired hosts? Just seems like you are taking the much harder approach that will probably result in unintended consequences.

From what I've found, Windows and Ubuntu have config options to not accept RAs, thereby preventing SLAAC.
 
torrent
just joined
Topic Author
Posts: 11
Joined: Wed Mar 23, 2016 8:39 am

Re: IPv6 SLAAC, Router Solicitation

Fri Oct 05, 2018 8:18 am

If all you want to do is disable the use of SLAAC and IPv6 on specific hosts, would it not be much easier to just disable IPv6 SLAAC at the OS level on the desired hosts?
No, it will not be easier: at the moment they are two different operating systems: 1) an Android smartphone and 2) a MacBook with its own operating system. There are several difficulties: it is unclear how to prohibit Android from using IPv6, and the OS on the MacBook is also not very familiar to me (I have more competence in Linux); further, IPv6 operation is undesirable in our office only - let it work in other places (in our office, IPv6 is provided through a tunnel that has its other end in another country, as a result of which Google frequently sends security alerts due to the rapid movement of a user from one country to another).
Unfortunately, while using the standard radvd daemon, the mikrotik developers have removed access to some of the functionality of this service.
