Advanced wicked configuration

I’m trying to get wicked-dhcp6 to send a request for IPv6 prefix delegation. My ISP has provided me with a sample PCAP that works for their normal modems/routers, so I know what the request should look like.

It seems that I have to specify some custom DHCPv6 options with <define> in the XML configuration file, but I can’t find any decent documentation on the XML structure and layout. E.g. I would expect this option to be specific for an interface. I can get the current configuration with “wicked show-config” but I can’t find any documentation on where to put modified interface configuration. “wicked show-config” says "…origin=“compat:suse” so it’s currently taking the configuration from /etc/sysconfig/network.

Q1: Is Yast only able to generate the traditional files in /etc/sysconfig/network and not the more powerful wicked XML configuration?

Q2: Can anyone give a link to the documentation or an example or some hints on how to configure a single interface with XML?

Q3: Where does “wicked iaid set eth4 1” store that setting? Is it persistent?

It is always better to start with what you are trying to achieve, not how. PD is useless on a standalone host. Why do you need it? What are you going to do with this information?

Q1: Is Yast only able to generate the traditional files in /etc/sysconfig/network and not the more powerful wicked XML configuration?

Yes. XML is not needed in this case - wicked should request PD if “prefix” is enabled in DHCLIENT6_MODE and DHCLIENT6_PREFIX_HINT is set (see “man ifcfg-dhcp”).

Q2: Can anyone give a link to the documentation or an example or some hints on how to configure a single interface with XML?

I am not aware of it. Examples in source code may provide some starting points

Q3: Where does “wicked iaid set eth4 1” store that setting?

/var/lib/wicked/iaid.xml

It’s on a router - not a standalone host. I use that router instead of an ISP-provided one (which couldn’t handle some of the things I need it to do). I need the prefix delegation so I can assign sub-prefixes to subnets on the inner networks.

(XML configuration)

Somehow I missed DHCLIENT6_PREFIX_HINT. That may be enough to get wicked-dhcp6 to request one.

(Documentation on the XML configuration)

Yes, there are some samples in the source tree, but I think I have to dig into the code to see what it actually expects.

Ah good, so it is persistent. The man page is unclear on that.

Well, if you manage to implement it with wicked, I am quite interested in results. You need some software that actually assigns and announces prefixes because wicked does not do it. Something like radvd and some integration with wicked to dynamically update its configuration based on DHCPv6 updates. There is no turnkey solution I am aware of.

You may consider NetworkManager or systemd-networkd, both of which implement client and server functionality internally, although both have their limitations.

Some routers support prefix delegation out of the box: https://www.o-schroeder.de/sysadmin/DSLite/fritzbox.php

Good to know that others might be interested

The router previously used Sixxs for IPv6 connectivity so I have the backend scripts to deal with that by modifying radvd configuration and restarting it.

I tried the DHCLIENT6_PREFIX_HINT option you mentioned earlier but wicked-dhcp6 still doesn’t include an “Identity Association for Prefix Delegation” in the DHCP6 Solicit packet, so I have some debugging to do. The ISP requirements are also a bit unusual in that they use SLAAC for autonomous address assignment and routing, but DHCP6 for prefix delegation (and only that), so I already have to override some things to get Wicked to even consider sending a DHCP6 request…

NetworkManager is out of the question because it’s “not supported on servers” (source: Opensuse docs). systemd-networkd is tempting but I don’t want to add another unknown right now.

Yes, but I already have a router running Linux, and an extra box only adds cost and complexity.

Show your ifcfg file.

but DHCP6 for prefix delegation (and only that)

I am not sure I understand. Prefix delegation is a DHCPv6 option, how else are you going to obtain it?

NetworkManager is out of the question because it’s “not supported on servers”

Supported by whom? Whoever happened to write this particular statement? If you think this person is going to support you with your wicked questions, why don’t you try to contact him? And how is “server” defined in the first place?

A new Tumbleweed installation won’t even have wicked anymore (by default). It is NetworkManager everywhere including containers.

BOOTPROTO='dhcp'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR=''
MTU=''
NAME='82574L Gigabit Network Connection'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'
POST_UP_SCRIPT='/root/eth4_post_up.sh'
PRE_DOWN_SCRIPT='/root/eth4_pre_down.sh'
DHCLIENT6_MODE="managed+prefix"
DHCLIENT6_PREFIX_HINT=::/48

ISP uses RA / SLAAC for autonomous address assignment. Wicked-dhcp6 interprets that as it should not send DHCP6 requests. I had to force it with DHCLIENT6_MODE=“managed+prefix” to make even “/usr/lib/wicked/bin/wickedd-dhcp6 --test --test-mode managed eth4” send out a request. But so far no response because the upstream router only responds to prefix delegation requests.

That is interesting. I read it at Basic networking | Reference | openSUSE Leap 15.5 “NetworkManager is not supported by SUSE for server workloads.”

I just now googled for “opensuse wicked deprecated” and saw that tumbleweed and next Leap will use NetworkManager. Maybe I should wait for the next Leap release and then see if I can get prefix delegation to work.

A single click switches to prefix delegation with FRITZ!Box7360:

May 30 12:43:44 erlangen systemd-networkd[742]: eth0: DHCPv6 address 2001:xxxx:xxx:xxxx:xxxx:xxxx:xxxx:xxxx/128 (valid for 1h 59min 59s, preferred for 59min 59s) conflicts the address xxxx:xxx:xxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 assigned by NDisc. Please try to use or update IPv6Token= setting to change the address generated by NDISC, or disable UseAutonomousPrefix=. 
May 30 12:43:44 erlangen systemd-networkd[742]: eth0: DHCP: received delegated prefix xxxx:xxx:xxx:xxxx::/62

Works for me.

Client:

leap15:/etc/sysconfig/network # cat ifcfg-eth1
BOOTPROTO='auto6+dhcp6'
STARTMODE='auto'
DHCLIENT6_MODE="prefix"
DHCLIENT6_PREFIX_HINT=::/48
leap15:/etc/sysconfig/network # cat /var/lib/wicked/lease-eth1-dhcp-ipv6.xml 
<lease>
  <family>ipv6</family>
  <type>dhcp</type>
  <uuid>ceaa9562-c6bc-0400-3524-000005000000</uuid>
  <state>granted</state>
  <acquired>1653975761</acquired>
  <update>0x00000000</update>
  <ipv6:dhcp>
    <client-id>00:01:00:01:24:6c:5a:c1:52:54:00:12:34:56</client-id>
    <server-id>00:01:00:01:2a:28:67:3d:de:ad:be:ef:01:01</server-id>
    <server-address>fe80::dcad:beff:feef:102</server-address>
    <server-preference>0</server-preference>
    <ia-pd>
      <interface-id>3203334402</interface-id>
      <acquired>1653975761</acquired>
      <renewal-time>0</renewal-time>
      <rebind-time>0</rebind-time>
      <ia-prefix>
        <prefix>fc00:501:ffff:111::/64</prefix>
        <preferred-lft>27000</preferred-lft>
        <valid-lft>43200</valid-lft>
      </ia-prefix>
    </ia-pd>
  </ipv6:dhcp>
</lease>
leap15:/etc/sysconfig/network # ip a show dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether de:ad:be:ef:01:02 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet6 fe80::dcad:beff:feef:102/64 scope link 
       valid_lft forever preferred_lft forever
leap15:/etc/sysconfig/network # 

Server:

Solicit message from fe80::dcad:beff:feef:102 port 546, transaction ID 0xE1040300
Picking pool prefix fc00:501:ffff:111::/64
Advertise PD: address fc00:501:ffff:111::/64 to client with duid 00:01:00:01:24:6c:5a:c1:52:54:00:12:34:56 iaid = -1091632894 valid for 43200 seconds
Sending Advertise to fe80::dcad:beff:feef:102 port 546
Request message from fe80::dcad:beff:feef:102 port 546, transaction ID 0x13C8B200
Reply PD: address fc00:501:ffff:111::/64 to client with duid 00:01:00:01:24:6c:5a:c1:52:54:00:12:34:56 iaid = -1091632894 valid for 43200 seconds
Sending Reply to fe80::dcad:beff:feef:102 port 546
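For the router use case discussed in this thread (carving sub-prefixes for inner networks and announcing them with radvd), here is an added example, not code from any poster or from wicked itself, that reads a lease file of the shape shown above and renders radvd.conf stanzas. The interface names, the 2001:db8 sample prefix and the idea of calling this from a post-up script are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed lease in the shape of the file shown above, using a
# documentation prefix (2001:db8::/32) instead of a real delegation.
SAMPLE_LEASE = """<lease>
  <family>ipv6</family>
  <type>dhcp</type>
  <state>granted</state>
  <ipv6:dhcp>
    <ia-pd>
      <ia-prefix>
        <prefix>2001:db8:1200::/56</prefix>
        <preferred-lft>27000</preferred-lft>
        <valid-lft>43200</valid-lft>
      </ia-prefix>
    </ia-pd>
  </ipv6:dhcp>
</lease>"""

def delegated_prefixes(lease_xml):
    """Return [(network, preferred_lft, valid_lft)] from a granted lease."""
    # "ipv6:" is used without an xmlns declaration, which a strict parser
    # rejects as an unbound prefix, so rename it before parsing.
    root = ET.fromstring(re.sub(r"(</?)ipv6:", r"\1ipv6-", lease_xml))
    if root.findtext("state") != "granted":
        return []
    return [(ipaddress.IPv6Network(p.findtext("prefix")),
             int(p.findtext("preferred-lft")), int(p.findtext("valid-lft")))
            for p in root.iter("ia-prefix")]

def radvd_stanzas(lease_xml, inner_ifaces):
    """Give each inner interface (hypothetical names) one /64 from the lease."""
    usable = [d for d in delegated_prefixes(lease_xml) if d[0].prefixlen <= 64]
    if not usable:
        return []
    net, preferred, valid = usable[0]
    # zip() stops at the shorter side: a /64 delegation serves one interface.
    return [f"interface {iface} {{\n  AdvSendAdvert on;\n"
            f"  prefix {sub} {{\n    AdvValidLifetime {valid};\n"
            f"    AdvPreferredLifetime {preferred};\n  }};\n}};"
            for iface, sub in zip(inner_ifaces, net.subnets(new_prefix=64))]
```

With the /64 delegated in the test setup above, only the first inner interface receives a prefix; a /56 or /48 from the ISP is needed to number several subnets.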

I’m not surprised. My ISP’s upstream router is very picky about the requests. The ISP knows it and is not too happy with it either but replacing it is not cost-effective for them. Instead they provide all the information they can for us who don’t use their CPEs.

(snip)
Thanks! that will be helpful in my debugging.

I guess this is tcpdump/dumpcap time. Make available full binary capture of “wicked ifup”.

One challenge with that is that when an interface is down tcpdump refuses to sniff it, so capturing the first few packets is difficult. I probably have to set up a software ethernet bridge to capture the packets.

Today I succeeded in getting it to send a PD request but so far it’s missing the IA-PD and IA-NA fields.

ip link set up dev eth1

so far it’s missing the IA-PD

Here is what wicked sends:

DHCPv6
    Message type: Solicit (1)
    Transaction ID: 0xac43ce
    Elapsed time
        Option: Elapsed time (8)
        Length: 2
        Elapsed time: 8300ms
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        DUID: 00010001246c5ac1525400123456
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: May 13, 2019 19:41:37.000000000 MSK
        Link-layer address: 52:54:00:12:34:56
    Rapid Commit
        Option: Rapid Commit (14)
        Length: 0
    Option Request
        Option: Option Request (6)
        Length: 22
        Requested Option code: Preference (7)
        Requested Option code: SOL_MAX_RT (82)
        Requested Option code: DNS recursive name server (23)
        Requested Option code: Domain Search List (24)
        Requested Option code: Simple Network Time Protocol Server (31)
        Requested Option code: Network Information Server (27)
        Requested Option code: Network Information Server Domain Name (29)
        Requested Option code: Time Zone (41)
        Requested Option code: Time Zone Database (42)
        Requested Option code: Boot File URL (59)
        Requested Option code: Boot File Parameters (60)
    Client Fully Qualified Domain Name
        Option: Client Fully Qualified Domain Name (39)
        Length: 8
        Flags: 0x01  [CLIENT wants SERVER to update both its AAAA and PTR RRs]
            .... .0.. = N bit: Server SHOULD perform PTR RR updates
            .... ...1 = S bit: Server SHOULD perform AAAA RR updates
        Partial domain name: leap15
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        IAID: beef0102
        T1: 0
        T2: 0
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Preferred lifetime: 0
            Valid lifetime: 0
            Prefix length: 48
            Prefix address: ::

IA-PD is most certainly there.

IA-NA fields.

Earlier you said that DHCPv6 is not used for address assignment, why do you expect this?

Interesting. The ISP says this:

  • Stateful Address Assignment | IA-NA = 1 (on)

  • Identity Association for Prefix Delegation | IA-PD = 1 (on)

  • Non-temporary address | IAID for NA = 1

Normally they use autonomous address assignment, but apparently for the upstream router to be happy I have to request stateful address assignment. The IA-PD is cited as a boolean and not a complete option - perhaps that is misleading.

Hmmm. When I set DHCLIENT6_MODE=“managed” then wicked-dhcp6 sends an IA-NA, with DHCLIENT6_MODE=“prefix” it sends IA-PD, but with DHCLIENT6_MODE=“managed+prefix” it only sends IA-NA. As I read the documentation the options can be combined with a +. Do you have any insight on this?
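To check mechanically which identity associations a captured Solicit carries, rather than reading the dissection by eye, here is an added example (not part of any post in this thread) that walks the DHCPv6 options of a UDP payload and reports IA_NA and IA_PD. The sample bytes are constructed from the fields in the dissection above; the option layout follows RFC 8415, and the function names are hypothetical.

```python
import ipaddress
import struct

OPT_IA_NA, OPT_IA_PD, OPT_IAPREFIX = 3, 25, 26  # RFC 8415 option codes

# Constructed payload rebuilt from the dissection in the thread: Solicit,
# elapsed time, client DUID, and an IA_PD carrying a ::/48 prefix hint.
SAMPLE_SOLICIT = bytes.fromhex(
    "01ac43ce"                                      # msg type 1, transaction ID
    "00080002033e"                                  # elapsed time (8300 ms)
    "0001000e00010001246c5ac1525400123456"          # client identifier (DUID)
    "00190029" "beef0102" "00000000" "00000000"     # IA_PD: IAID, T1, T2
    "001a0019" "00000000" "00000000" "30" + "00" * 16  # IA Prefix ::/48
)

def parse_options(buf):
    """Yield (code, value) for each DHCPv6 TLV option in buf."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"option {code} truncated")
        yield code, buf[off:off + length]
        off += length

def summarize_solicit(payload):
    """Report message type, transaction ID and the IA_NA / IA_PD options."""
    info = {"msg_type": payload[0], "xid": payload[1:4].hex(),
            "ia_na": [], "ia_pd": []}
    for code, val in parse_options(payload[4:]):
        if code not in (OPT_IA_NA, OPT_IA_PD):
            continue
        entry = {"iaid": val[:4].hex(), "hints": []}
        if code == OPT_IA_PD:
            for sub, sval in parse_options(val[12:]):  # skip IAID, T1, T2
                if sub == OPT_IAPREFIX and len(sval) >= 25:
                    addr = ipaddress.IPv6Address(sval[9:25])
                    entry["hints"].append(f"{addr}/{sval[8]}")
        info["ia_na" if code == OPT_IA_NA else "ia_pd"].append(entry)
    return info

def missing_ias(payload, required=("ia_na", "ia_pd")):
    """List which of the required identity associations are absent."""
    info = summarize_solicit(payload)
    return [name for name in required if not info[name]]
```

Run against the UDP payload of each Solicit captured with the three DHCLIENT6_MODE settings, `missing_ias` shows directly whether a given mode drops IA_NA or IA_PD.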

I cannot reproduce it. Show full facts instead of your interpretation of them. This includes your discussion with the ISP and the capture you got from them. I cannot comment on what you say someone else has said.

I spent half an hour preparing a detailed message with an actual packet capture but this forum ********** it up again and I am not going to waste another half an hour on this. Sorry.