AzureBlue
just joined
Topic Author
Posts: 4
Joined: Mon Oct 31, 2022 5:00 pm

Send Routes via RA (/ipv6/nd) RFC4191

Mon Nov 07, 2022 11:18 pm

I'm using RouterOS 7.6 on a CRS328-24P-4S+RM.

In /ipv6/nd, I don't see any way to push routes to hosts.
There is /ipv6/nd/prefix sub-menu, but this is for pushing prefixes (e.g. to make a host mount an SLAAC IP on the interface, and add a scope link route to that slash).

What I'm looking for is support for RFC4191, that is, to be able to put routes inside of RAs emitted by Mikrotik devices.

For example, for following topology:
Host 1 default route is CPE Router and Host 2 default route is Mikrotik
I've used 3 different symbols to show the different link scopes.
        ┌────────┐
        │Internet│
        └────────┘
            ;
            ;
            ;
            ;
      ┌────────────┐
      │ CPE Router │
      └─────┬──────┘
            │
            │         ┌──────────┐
            ├─────────┤ Mikrotik │......... Host 2
            │         └──────────┘
            │
Host 1 ─────┘
that would allow Host 2 to communicate with Host 1 without CPE Router emitting ICMP Redirects to Host 1 to tell him to reach Host 2 via Mikrotik.

To be more precise, that would allow Mikrotik to push a route to Host 1 like this:
2001:db8:2a2a:2::/64 via fe80::Mikrotik dev eth0
Host 1's own slash is another one: 2001:db8:2a2a:1::/64, and has been configured by RA coming from CPE router. The idea is: Mikrotik can push a route to Host1 without making itself become a default gateway for Host1 traffic (we just need to set RA Lifetime to zero, AND push a route at the same time, but without any prefix.)
Mikrotik is already sending RAs to configure Host2 with prefix 2001:db8:2a2a:2::/64.

radvd seems to support that. :)
https://linux.die.net/man/5/radvd.conf
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Tue Nov 08, 2022 3:43 am

It's not there. I'm sure they'll add it, eventually. But it may take a while. I like MikroTik, but they are not exactly IPv6 pioneers. Demand from users for this is probably not high. But if you ask support and mention that you need this for your network consisting of half a million MikroTik devices you're planning to buy, it might help. ;)
 
AzureBlue
just joined
Topic Author
Posts: 4
Joined: Mon Oct 31, 2022 5:00 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Sun Nov 13, 2022 10:56 am

What's the best way to send an official feature request to the Mikrotik devs?

Automatically pushing IPv6 routes to hosts doesn't seem important as long as people keep using IPv4 and forget about IPv6.
As soon as one wants to do IPv6 setups, pushing IPv6 routes is kind of a basic need that can arise very quickly. We need a way to push IPv6 routes without using IGPs. Because IGPs are not really meant for end hosts on access ports. :)

What is the best way to turn this into an official feature request? Is this topic in the correct forum? Should we edit the topic's title to add "Feature request"?

If you guys also think this would be a useful feature, do not hesitate to say it!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Sun Nov 13, 2022 11:53 am

Go to https://mikrotik.com/support, select Contact support, create account if you don't have one already, select Suggest a new feature.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Sun Nov 13, 2022 12:13 pm

Automatically pushing IPv6 routes to hosts doesn't seem important as long as people keep using IPv4 and forget about IPv6.
As soon as one wants to do IPv6 setups, pushing IPv6 routes is kind of a basic need that can arise very quickly. We need a way to push IPv6 routes without using IGPs.
I don't think the requirement is as common as you are suggesting.
I have only a single install under my management which has the same layout as you are depicting, and in that installation there never is a need for host1 to talk to host2. It is even firewalled to not allow that.

The internet is becoming more and more a cloud model where the MikroTik equipment is usually at the client side, and all clients only talk to servers on the internet, not to other systems at the same location. So I think over time the demand for such features at MikroTik clients will become less and less.
Also, in this case you know to enable ICMP redirects on host1 and the MikroTik, and it will work just fine.
 
acruhl
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Sun Nov 13, 2022 6:10 pm

Disagree somewhat. Businesses need to be able to control what happens under their ISP. If you're implying Mikrotik is not for business, then I would agree.
 
RobstarUSA
newbie
Posts: 44
Joined: Sun Apr 15, 2018 5:42 am

Re: Send Routes via RA (/ipv6/nd) RFC4191

Sun Nov 13, 2022 6:32 pm

Instead of pushing a route, why not send out an addtl RA with like low/high priority as fits your situation?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Sun Nov 13, 2022 6:37 pm

Because Mikrotik should be gateway only for that one specific subnet, not default gateway for everything.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Sun Nov 13, 2022 7:27 pm

Disagree somewhat. Businesses need to be able to control what happens under their ISP. If you're implying Mikrotik is not for business, then I would agree.
The situation I depicted above is for a business. It has one system, which traditionally functioned as a proxy but not so much anymore, connected directly to the ISP router, and then behind that there is a MikroTik router for the VPN between the subsidiaries. There is no need for hosts on the local networks behind the MikroTik to communicate with the outside of the host.

In other locations the MikroTik is directly on the outside (not behind an ISP router which is there only because it is a modem as well). So that situation does not occur at all.
 
AzureBlue
just joined
Topic Author
Posts: 4
Joined: Mon Oct 31, 2022 5:00 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Tue Nov 15, 2022 9:33 am

Automatically pushing IPv6 routes to hosts doesn't seem important as long as people keep using IPv4 and forget about IPv6.
As soon as one wants to do IPv6 setups, pushing IPv6 routes is kind of a basic need that can arise very quickly. We need a way to push IPv6 routes without using IGPs.
I don't think the requirement is as common as you are suggesting.
I have only a single install under my management which has the same layout as you are depicting, and in that installation there never is a need for host1 to talk to host2. It is even firewalled to not allow that.

The internet is becoming more and more a cloud model where the MikroTik equipment is usually at the client side, and all clients only talk to servers on the internet, not to other systems at the same location. So I think over time the demand for such features at MikroTik clients will become less and less.
Also, in this case you know to enable ICMP redirects on host1 and the MikroTik, and it will work just fine.
I agree that not everyone will need to push static routes, but it may still be useful for many people.
The drawing above is just a dummy example.
The need for pushing routes arises as soon as you have in your network a router which is not the default router, and is the only one able to access another network.
Behind business networks (and sometimes even homes), we have servers.
I called them Host1 Host2, but one of them is a server of course. By host, I just meant it's a "machine with a CPU plugged to the network".

About ICMP redirects: ICMP redirects can do the job here. But they kind of tell you: "Hey, why are you giving me that packet? You could have directly given it to the correct router that is in the same link scope as yourself, so you are using me for a job you can do yourself".
ICMP redirects depict an inefficient network configuration.
If possible, it's better to configure the network so that each host gives each packet to the correct router directly.
And because it doesn't scale to go in each host and manually configure a static route, we need a way to push this config.

For IPv4, the key is DHCPv4 Option 121 (Classless Route).
For IPv6, DHCPv6 doesn't support sending routes.
It seems the only way is by the "Route" option in RAs.

Instead of pushing a route, why not send out an addtl RA with like low/high priority as fits your situation?
RAs are very powerful. They can usually do 6 things:
- Make hosts put that router as their default gateway
- Advertise a prefix so that hosts can configure an IP themselves (SLAAC)
- Give a DNS server
- Tell hosts to do DHCPv6 for address configuration
- Tell hosts to configure themselves, and additionally request DHCPv6 only for other settings
- Send routes

The key here is the first point: I don't want Mikrotik to become the default gateway for that host. So for this, we need to set the RA Lifetime to 0 (this just tells the host not to change its default gateway).
And we don't send Prefix information either, because both public prefixes are distinct, we don't want a host to configure a wrong prefix in its network.
We only want to push a Route inside of the RA.
It's exactly what I'm requesting. :)

Here, we don't even need to play with preference settings. Because even if on one link scope we have 2 RAs simultaneously, none of them is overriding the other one. They are cumulative, all settings from both RAs will be kept and merged together by the host.
- Take default route from RA1
- Take prefix from RA1 and do SLAAC
- Take DNS from RA1
- But add an additional route coming from RA2

If I'm not mistaken, RouterOS is using radvd under the hood. Radvd supports sending routes in RAs, so it should not be too difficult to add that feature. :)
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Tue Nov 15, 2022 11:38 am

About ICMP redirects: ICMP redirects can do the job here. But they kind of tell you: "Hey, why are you giving me that packet? You could have directly given it to the correct router that is in the same link scope as yourself, so you are using me for a job you can do yourself".
ICMP redirects depict an inefficient network configuration.
Well, as long as the configuration of the hosts is not to ignore ICMP redirects (which is sometimes done to prevent adversaries on the network from snooping the traffic), it works quite well in practice. The ICMP redirect installs a temporary route that remains active for at least a couple of minutes, or even as long as there is actual traffic. The ICMP redirect "overhead" is not more than e.g. ARP and IPv6 ND.
I would not (and do not) worry about it, we have this situation in IPv4 on our company network, where there is a MikroTik router and a L3 routing switch (another manufacturer) and I see things like this:

ping 172.22.32.163
PING 172.22.32.163 (172.22.32.163) 56(84) bytes of data.
64 bytes from 172.22.32.163: icmp_seq=1 ttl=62 time=6.10 ms
From 172.22.16.1: icmp_seq=1 Redirect Host(New nexthop: 172.22.16.254)
64 bytes from 172.22.32.163: icmp_seq=2 ttl=62 time=5.94 ms

ip route list table cache
172.22.32.163 via 172.22.16.254 dev ens32
cache <redirected> expires 278sec

See? That remains active for 5 minutes. I do not worry about an extra packet exchange every 5 minutes. It would be tricky to tell all hosts which networks are reachable via 172.22.16.254 (the MikroTik), especially because that uses BGP dynamic routing.

With IPv6 the situation would be similarly complex, e.g. when you assign the network addresses from a pool which is received from the upstream (ISP) router using DHCPv6 PD (is the standard situation here). The route to be advertised would have to be dynamically determined.
 
DarkNate
Forum Veteran
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Tue Nov 15, 2022 11:46 am

I would use NDP/SLAAC as is and just run iBGP between the host and the router for pushing and learning routes. Routing should be handled by routing protocols.

Run FRR on the host and configure.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Send Routes via RA (/ipv6/nd) RFC4191

Tue Nov 15, 2022 5:49 pm

I agree that not everyone will need to push static routes, but it may still be useful for many people.

The problem with the suggested solution is that any router sending out RAs can "steal" routes towards any IPv6 network from the legitimate gateway device. For example it could advertise "a better route" towards 2001:4860:4802::/48 ... and hijack IPv6 connections towards Google's DNS servers (and possibly much more). Without knowledge of the network administrator.
 
RobstarUSA
newbie
Posts: 44
Joined: Sun Apr 15, 2018 5:42 am

Re: Send Routes via RA (/ipv6/nd) RFC4191

Tue Dec 20, 2022 4:36 pm

I agree that not everyone will need to push static routes, but it may still be useful for many people.

The problem with the suggested solution is that any router sending out RAs can "steal" routes towards any IPv6 network from the legitimate gateway device. For example it could advertise "a better route" towards 2001:4860:4802::/48 ... and hijack IPv6 connections towards Google's DNS servers (and possibly much more). Without knowledge of the network administrator.
I think things such as "raguard" are supposed to prevent that. Not sure if that is supported on MikroTik switches, however.
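
As an added illustration (not part of any post in this thread): a Python example of the monitoring side of the last two posts. It parses a Router Advertisement of the shape requested earlier in the thread (Router Lifetime 0 plus an RFC 4191 Route Information option) and checks its source and routes against an allowlist. The addresses fe80::1 (CPE router) and fe80::2 (MikroTik), the POLICY table and all function names are assumptions made for the example.

```python
import ipaddress
import struct

RA_TYPE, OPT_ROUTE_INFO = 134, 24        # RFC 4861 RA type, RFC 4191 option type
PRF = {0: "medium", 1: "high", 2: "reserved", 3: "low"}

def parse_ra(icmp: bytes):
    """Return (router_lifetime, [(prefix, preference, route_lifetime), ...])."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack_from("!H", icmp, 6)[0]
    routes, off = [], 16                 # options follow the 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8   # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == OPT_ROUTE_INFO:
            plen, flags, lifetime = struct.unpack_from("!BBI", icmp, off + 2)
            raw = icmp[off + 8:off + opt_len]              # 0, 8 or 16 prefix bytes
            if plen > len(raw) * 8:
                raise ValueError("prefix length exceeds option size")
            net = ipaddress.IPv6Network((raw.ljust(16, b"\0"), plen), strict=False)
            routes.append((net, PRF[(flags >> 3) & 3], lifetime))
        off += opt_len
    return router_lifetime, routes

def audit_ra(src: str, icmp: bytes, policy: dict) -> list:
    """policy: source link-local address -> (may_be_default_router, allowed prefixes)."""
    router_lifetime, routes = parse_ra(icmp)
    may_default, allowed = policy.get(src, (False, []))
    findings = []
    if src not in policy:
        findings.append(f"RA from unlisted router {src}")
    if router_lifetime and not may_default:
        findings.append(f"{src} offers itself as default router")
    for net, pref, _ in routes:
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"{src} announces unexpected route {net} ({pref})")
    return findings

def sample_ra(prefix: str, plen: int, prf: int = 0, router_lifetime: int = 0) -> bytes:
    """Constructed test input: RA body with one route option, checksum left at 0."""
    head = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, router_lifetime, 0, 0)
    opt = struct.pack("!BBBBI", OPT_ROUTE_INFO, 3, plen, prf << 3, 1800)
    return head + opt + ipaddress.IPv6Address(prefix).packed

# Assumed policy: fe80::1 stands for the CPE router, fe80::2 for the MikroTik.
POLICY = {"fe80::1": (True, []),
          "fe80::2": (False, [ipaddress.IPv6Network("2001:db8:2a2a:2::/64")])}
```

Fed with the ICMPv6 payload and source address of captured RAs, `audit_ra` returns an empty list for the MikroTik's expected announcement and one finding per deviation otherwise.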
