8

I am working in a lab and have configured a series of /125 subnets between routers. Lets ignore the best practice for this discussion of using /64 for everything.

When I assign fd00:f9a8:ffff::257 to an interface, there is no issue with the configuration, however when I assign fd00:f9a8:ffff::254 the OS reports that DAD has failed and does not permanently assign the interface.

I've seen a number of sources indicate that the all zero address fd00:f9a8:feed:beef::/64 is just as valid as a host address as fd00:f9a8:feed:beef::1/64. Is this inaccurate and if so, what would cause DAD to fail with the first address in this /125 subnet?

Ron Maupin
  • 99,565
  • 26
  • 120
  • 195
ACiD GRiM
  • 83
  • 1
  • 4
  • Based on a /125 subnet, all your addresses are reserved anycast addresses that must not be assigned as host interface addresses. – Ron Maupin Nov 17 '19 at 03:48
  • Your examples are using IPv6 ULA addressing, but seem to be using it incorrectly. You are allowed to use addressing in the fd00::/8 prefix, but the requirement is that the next 40 bits (Global ID) must be randomly chosen. This is detailed in RFC 4193, Unique Local IPv6 Unicast Addresses: "Locally assigned Global IDs MUST be generated with a pseudo-random algorithm consistent with [RANDOM]." Remember that the "U" in ULA is for "Unique," which is why the Global ID must be random to have a high probability of uniqueness. – Ron Maupin Nov 17 '19 at 04:09

2 Answers2

9

The first IPv6 address in a network is assignable, but it is the router anycast address, one of several required anycast addresses. (Anycast addresses are unicast addresses that are assigned to multiple hosts.) This is defined by RFC 4291, IP Version 6 Addressing Architecture:

2.6.1. Required Anycast Address

The Subnet-Router anycast address is predefined. Its format is as follows:

|                         n bits                 |   128-n bits   |
+------------------------------------------------+----------------+
|                   subnet prefix                | 00000000000000 |
+------------------------------------------------+----------------+

The "subnet prefix" in an anycast address is the prefix that identifies a specific link. This anycast address is syntactically the same as a unicast address for an interface on the link with the interface identifier set to zero.

Packets sent to the Subnet-Router anycast address will be delivered to one router on the subnet. All routers are required to support the Subnet-Router anycast addresses for the subnets to which they have interfaces.

The Subnet-Router anycast address is intended to be used for applications where a node needs to communicate with any one of the set of routers.

Some devices, e.g. Cisco routers, require special handling of the router anycast address. Cisco requires the anycast keyword be placed on the address, but you also assign another address to the interface because the anycast address is shared among the routers.

There are also some reserved subnet anycast addresses:

They MUST NOT be used for unicast addresses assigned to any interface.

See RFC 2526, Reserved IPv6 Subnet Anycast Addresses:

2. Format of Reserved Subnet Anycast Addresses

Within each subnet, the highest 128 interface identifier values are reserved for assignment as subnet anycast addresses.

The construction of a reserved subnet anycast address depends on the type of IPv6 addresses used within the subnet, as indicated by the format prefix in the addresses. In particular, for IPv6 address types required to have 64-bit interface identifiers in EUI-64 format, the universal/local bit MUST be set to 0 (local) in all reserved subnet anycast addresses, to indicate that the interface identifier in the address is not globally unique. IPv6 addresses of this type are currently specified to be those having format prefixes 001 through 111, except for Multicast Addresses (1111 1111) [3].

Specifically, for IPv6 address types required to have to have 64-bit interface identifiers in EUI-64 format, these reserved subnet anycast addresses are constructed as follows:

|              64 bits            |      57 bits     |   7 bits   |
+---------------------------------+------------------+------------+
|           subnet prefix         | 1111110111...111 | anycast ID |
+---------------------------------+------------------+------------+
                                  |   interface identifier field  |

For other IPv6 address types (that is, with format prefixes other than those listed above), the interface identifier is not in EUI-64 format and may be other than 64 bits in length; these reserved subnet anycast addresses for such address types are constructed as follows:

|              n bits             |    121-n bits    |   7 bits   |
+---------------------------------+------------------+------------+
|           subnet prefix         | 1111111...111111 | anycast ID |
+---------------------------------+------------------+------------+
                                  |   interface identifier field  |

The subnet prefix here consists of all fields of the IPv6 address except the interface identifier field. The interface identifier field in these reserved subnet anycast addresses is formed from a 7-bit anycast identifier ("anycast ID"), with the remaining (highest order) bits filled with all one's; however, for interface identifiers in EUI-64 format, the universal/local bit in the interface identifier MUST be set to 0. The anycast identifier identifies a particular reserved anycast address within the subnet prefix, from the set of reserved subnet anycast addresses.

The motivation for reserving the highest addresses from each subnet rather than the lowest addresses, is to avoid conflicting with some existing official and unofficial uses of the low-numbered addresses in a subnet. For example, these low-numbered addresses are often used for the ends of a point-to-point link, for tunnel endpoints, for manually configured unicast addresses when a hardware token is not available for the network interface, and even for manually configured static addresses for the routers on a link. Reserving only 128 values for anycast identifiers (rather than perhaps 256) means that the minimum possible size of interface identifiers in an IPv6 address is 8 bits (including room in the subnet for unicast addresses as well as reserved subnet anycast addresses), allowing the division between subnet prefix and interface identifier in this case to be byte-aligned.

As with all IPv6 anycast addresses [3], these reserved subnet anycast addresses are allocated from the IPv6 unicast address space. All reserved subnet anycast addresses as defined in this document are reserved on all links, with all subnet prefixes. They MUST NOT be used for unicast addresses assigned to any interface.

3. List of Reserved Subnet Anycast Addresses

Currently, the following anycast identifiers for these reserved subnet anycast addresses are defined:

 Decimal   Hexadecimal     Description
 -------   -----------     -----------
  127         7F           Reserved
  126         7E           Mobile IPv6 Home-Agents anycast [4]
  0-125       00-7D        Reserved

Additional anycast identifiers are expected to be defined in the future.

There are a couple of exceptions to the above router and reserved subnet anycast addresses. One is the use of /128 addresses on interface such as loopback interfaces. The other exception is the use of /127 networks for point-to-point links that is allowed in RFC 6164, Using 127-Bit IPv6 Prefixes on Inter-Router Links:

On inter-router point-to-point links, it is useful, for security and other reasons, to use 127-bit IPv6 prefixes. Such a practice parallels the use of 31-bit prefixes in IPv4. This document specifies the motivation for, and usages of, 127-bit IPv6 prefix lengths on inter-router point-to-point links.

Community
  • 1
Ron Maupin
  • 99,565
  • 26
  • 120
  • 195
  • Thank you for the amazing answer sourced from the RFCs. I did not know that a range of addresses had a purpose within a IPv6 subnet. If I understand correctly, the smallest network must have 128+3 addresses (128 anycast, 2 hosts, 1 anycast address at the subnet) except for /127 adn /128? This seems to make any network between /126 and /120 invalid since they cannot have 128+3 addresses. – ACiD GRiM Nov 17 '19 at 03:51
  • I will accept it, but can you please clarify a question I added above? – ACiD GRiM Nov 17 '19 at 03:55
  • If I understand what you want to clarify, there are 129 reserved anycast addresses in an IPv6 subnet, but the way IPv6 is designed (you wrote, "best practice," but there are some IPv6 features that require /64 networks or they break), This answer has some references about that. Remember that the IPv6 addressing space is far larger that anyone can really imagine (there is a section in this answer about that), and IPv6 is actually designed to waste addresses. – Ron Maupin Nov 17 '19 at 04:03
  • I was ready to quote an RFC recommending against /127, but RFC 6164, which you quoted, supersedes that. Thanks for bringing it to my attention. – Darrell Root Nov 17 '19 at 04:12
  • The one you are thinking about has been moved to Historic Status by RFC 6574, RFC 3627 to Historic Status. The use of /126 networks on point-to-point links actually allows a ping-pong attack that /30 IPv4 gets around because of the network and broadcast addresses. – Ron Maupin Nov 17 '19 at 04:15
0

IPv6 has no concept of broadcast or network addresses -- multicast is used for those services. Every address is just as valid as the rest.

DAD failure would usually mean something else is claiming that address. Check your system's logs for a reason why it's failing.

Ricky
  • 32,147
  • 2
  • 43
  • 85
  • Every router is required to support the IPv6 all-zeroes (router anycast) address, so it should fail DAD when assigning it to an interface. Also, the last 128 addresses in a network are not allowed to be assigned as interface addresses. – Ron Maupin Nov 17 '19 at 21:38
  • On every device at my disposal, anycast has to be explicitly configured. – Ricky Nov 18 '19 at 00:56