IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD

dhnz
2014/09/07 01:38:04 (permalink)

IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD

These are mutually exclusive but both exceptionally important features, required for ISPs to dynamically allocate IPv6 addresses. Required in most situations to deploy the FortiGate as an IPv6 CPE with PPP.

Supported by pfSense, Mikrotik, Cisco in IOS, as well as Juniper in ScreenOS and JunOS. Also supported by a large number of CPE vendor hardware (Apple, D-link, Linksys, Netgear, Draytek, Fritz, Huawei as examples I've seen in production and lost projects to personally).

(Optional Step 1). Once the PPP session is established, the CPE uses IPv6CP to allocate an IP address to the interface. This gives the CPE a routable IPv6 address in much the same way as IPCP does for IPv4. I noticed 5.2 added support for DHCPv6 Client here, so Fortinet clearly understands the importance of this functionality.

Most of the deployments I've seen in New Zealand aren't actually doing this, relying on link-local addressing - but we're just weird and it is used globally.

Step 2 - DHCPv6 requests a subnet via DHCPv6-PD which the ISP or upstream router delegates (Typically a /48, /56, /60 or /64) which may be allocated to clients. These subnets are divided and the CPE allocates /64 networks to internal interfaces sequentially. One address from the final 64 bits is allocated to the interface with the remaining allocated to clients via either SLAAC or DHCPv6 Server.

In CSCO's implementation you can choose which networks are allocated where (First 48-64 bits remain as a wildcard, next 0-16 bits remain consistent).

(Optional Step 3) - Downstream DHCPv6 enabled routers, including downstream FortiGates or VDOMs, may request a subnet from the CPE, allowing downstream routers to also access the IPv6 internet. Usually requires a /48 from your ISP, the first /56 being reserved for local networks and additional /56 networks being allocated sequentially as requested.

Several features are required to make this solution complete:
- IPv6CP in addition to DHCPv6 Client on PPP interfaces
- DHCPv6 Client Prefix Delegation Request
- Should be able to handle any ISP delegation, reducing functionality for smaller subnets. Comcast in the USA gives you either a /60 or /64 as an example.
- New interface IPv6 Address Mode "Delegated" when this is enabled on the WAN.
- $Prefix::1/64 setting for wildcard subnets on interfaces
- Should allow multiple instances, each bound to a specific WAN interface to optionally allow for multiple upstream ISPs
- $Prefix::/64 option on DHCPv6 server
- $Prefix support on IPv6 Firewall Address Objects
- $Prefix on FortiAnalyzer, FortiCloud and FortiView to merge internal hosts.
#1
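The subnet plan described in Steps 2 and 3 of the post above, as an added Python example that is not part of the original post and not FortiOS code. The function name, the interface names and the 2001:db8:: documentation prefixes are assumptions; treating any delegation shorter than /56 like the /48 case is a generalization of the post.

```python
import ipaddress
from itertools import islice

def plan_delegation(delegated, lan_ifaces, downstream_requests=0):
    """Carve a DHCPv6-PD prefix into per-interface /64s and downstream /56s."""
    pd = ipaddress.ip_network(delegated)
    if pd.version != 6 or pd.prefixlen > 64:
        raise ValueError("need an IPv6 delegation of /64 or shorter")
    if pd.prefixlen < 56:
        # Large delegation (e.g. /48): first /56 for local networks, later
        # /56s for downstream routers, handed out sequentially as requested.
        blocks = pd.subnets(new_prefix=56)
        local = next(blocks)
        downstream = [str(b) for b in islice(blocks, downstream_requests)]
    else:
        # /56, /60 or /64: everything stays local, nothing left to re-delegate.
        local, downstream = pd, []
    lan64s = local.subnets(new_prefix=64)
    plan, unserved = {}, []
    for name in lan_ifaces:
        net = next(lan64s, None)
        if net is None:
            unserved.append(name)   # reduced functionality on small prefixes
            continue
        plan[name] = {
            "interface": f"{net.network_address + 1}/64",  # $Prefix::1/64
            "clients": str(net),                           # $Prefix::/64
        }
    return plan, unserved, downstream

if __name__ == "__main__":
    # Constructed delegations from the 2001:db8::/32 documentation range.
    for pd in ("2001:db8:aa::/48", "2001:db8:0:10::/60", "2001:db8:1:2::/64"):
        print(pd, plan_delegation(pd, ["lan", "dmz"], downstream_requests=1))
```

With a /64 delegation only the first interface is numbered and the rest are reported as unserved, which is the "reducing functionality for smaller subnets" case from the feature list.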


    emnoc
    RE: IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD 2014/09/08 02:18:45 (permalink)
    David

    Have you spoken to your SSE team? If fortinet gets enough users asking for this feature, then they might put it on the milestone board and maybe 5.2.X will have this as a new feature in the near future.

    IPv6 DHCP/S and PD has been a weak and sore spot in fortinet offering. Why I really don't know and especially when they have probably the biggest SOHO lineup.

    PCNSE 
    NSE 
    StrongSwan  
    #2
    dhnz
    RE: IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD 2014/09/09 12:12:11 (permalink)
    I understand that with the 5.2 release Fortinet have finally "Feature Frozen" their major releases, so I don't anticipate any new features until the 5.4 release.

    My SE team, and their manager, are all well aware of the request - it's just hard to get any real motivation for a feature when neither Checkpoint, PAN or Watchguard offer it either.
    #3
    ede_pfau
    RE: IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD 2014/09/09 15:06:30 (permalink)
    No chance to have a new feature in 5.2 for all that Fortinet has communicated about 'feature freeze, bug fix only' in the 5.2 line of FortiOS. But it might be incorporated in 5.1 or 5.3 if enough user demand is signalled to Fortinet.

    So people, open support cases and make a feature request. State that big deals are lost in case this feature is not offered and see how flexible FTN can be.

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #4
    noname
    Re: RE: IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD 2016/01/21 10:58:03 (permalink)
    I persuaded a company to replace a fully working Linux router with an FGT-92D (with 3-year UTM) in good faith this 'feature request' will be resolved in FOS 5.4. But it seems IPv6 compatibility isn't a top priority for Fortinet.
     
    So... Almost a year and a half after OP in this topic - is Fortinet planning FOS support for IPv6CP + DHCPv6-PD?
    #5
    Sam11123
    Re: RE: IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD 2016/01/23 21:26:12 (permalink)
    I have a similar request! I need dhcpv6 IA_PD option for Comcast to work properly. I paid a ton of money for my fortigate unit (considering I'm a hardcore home user) and just wanted capable equipment that's fast and reliable with three years of utm services and support. I assumed by now these routers would be able to run dual stack fairly simply by selecting the options required by the ISP, Comcast in my case, just as in ipv4. I hear a lot of talk about how similar ipv6 is to ipv4.... If they are so similar why doesn't it just work like ipv4? Network gurus at Fortinet can't preconfigure the interfaces for ipv6 as in ipv4? Or do some research and have straightforward guides on exactly how to configure the wan interface and lan interface via the gui or cli, something concrete that works? I realize there are differences in networks and how interfaces are set up and going to be used, but if that is the problem or complexity of establishing a ipv6 connection set on dhcp on wan and dhcp on lan and not have proper connectivity, like ipv4, what's the use? For ipv4, as soon as I hooked up the unit when I received it, the wan interface set on dhcp was assigned an ip address, the necessary policies were already configured and boom, all the devices in my home, and there are quite a few, were assigned addresses and connecting to the internet! Believe me, I don't say this without having already tried numerous configurations and done tons of reading of all kinds of Fortinet docs and web blogs, forums, ipv6 sites etc. I think for ipv6 to work properly I need the following to be supported by my router.
     
    "Brucew wrote:
    if your local Comcast system and your cable modem support IPv6 --
     
    - A computer connected directly to the modem should get a /128
    - A router that supports IPv6, DHCPv6 and Prefix Delegation (PD) should get a /64 block of addresses.
    True plus:
    The router's WAN interface will get a /128, the router will get a /64 for the LAN side. If you have a router that supports IA_PD your router can request anything from /64- /60.. So if you have more than 1 LAN interface you can have more /64s.
     
    I personally currently have set my ipv6 mode on Wan1 set to dhcp. I get a /128 address. With no IA_PD option ipv6 will not work properly. I have all the recommended policies enabled to allow ipv6 traffic flow the best I know how. And believe me I've played around with this enough to give up on it. My current ipv6 lan config is below:
    config ipv6
        set ip6-allowaccess ping https ssh snmp http fgfm capwap
        set ip6-retrans-time 4000
        set ip6-address fd0b:7186::/64
        set ip6-send-adv enable
            config ip6-prefix-list
                edit fd0b:7186::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
    end
    As a last resort with that configuration being my last attempt to completely abandon ipv6. I decided to turn NAT on for my ipv6 traffic policies and got clients to have some ipv6 connectivity. Why? I've read NAT is not needed for ipv6! But that must pertain to properly configured ipv6 set ups. So I can access some sites, not all, browsers prefer, and go to ipv4 instead of 6 unless you specify an ipv6 address. ipv6 test sites, Netalyzr etc., report problems with icmp filtering which I've tried to disable to fix those errors, then there are DNS errors which I have no idea, not connecting at all to some sites and always using ipv4 over ipv6 when both are available. I'm sure all the problems that remain are tied to the unsupported ipv6 IA_PD on the fortigate unit. Sounds like the next update for forti os doesn't address any of these issues if I read the release notes correctly. There is one thing we can count on for now though, and that is that IPV4 still works, is easy to set up and automatic on almost all devices and is supported by just about every device.
     
     
    #6
    flathill
    Re: RE: IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD 2020/01/13 18:40:48 (permalink)
    In Fortigate 60E v5.6.8, I am trying to connect with IPv6 PPPoE and get an address assignment with DHCPv6-PD.
    Since there is no answer in this thread, I asked a question.
     
    To perform DHCPv6-PD, it is necessary to support the following functions. Is it supported by FortiOS?
    - DHCPv6 (RFC3315), DHCPv6-PD (RFC3633)
    - Point the default gateway to the address obtained by IPv6CP
     
    Option code used when obtaining IPv6 prefix
      25 Information about the Identity Association for Prefix Delegation IA_PD
      26 Identity Association for Prefix Delegation prefix IPv6 prefix
     
    Best regards,
    #7
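The two option codes listed in the post above (25 IA_PD, 26 IA_PD Prefix, RFC 3633), parsed from the options area of a DHCPv6 reply with bounds checks on every length field. This is an added Python example, not part of the original post and not FortiOS code; the function names and the sample bytes built in `build_sample` are constructed for illustration.

```python
import ipaddress
import struct

OPTION_IA_PD = 25      # Identity Association for Prefix Delegation
OPTION_IAPREFIX = 26   # IA_PD Prefix option, carried inside IA_PD

def iter_options(buf):
    """Yield (code, payload) for each DHCPv6 option, rejecting overruns."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if length > len(buf) - pos:
            raise ValueError(f"option {code} overruns the buffer")
        yield code, buf[pos:pos + length]
        pos += length

def delegated_prefixes(options):
    """Return [(iaid, prefix, preferred, valid)] found in IA_PD options."""
    found = []
    for code, body in iter_options(options):
        if code != OPTION_IA_PD:
            continue
        if len(body) < 12:
            raise ValueError("IA_PD shorter than IAID + T1 + T2")
        iaid = struct.unpack_from("!I", body)[0]
        for sub, val in iter_options(body[12:]):
            if sub != OPTION_IAPREFIX:
                continue
            if len(val) < 25 or val[8] > 128:
                raise ValueError("malformed IAPREFIX")
            preferred, valid, plen = struct.unpack_from("!IIB", val)
            if preferred > valid:
                continue   # RFC 3633: discard such prefixes
            net = ipaddress.IPv6Network((val[9:25], plen), strict=False)
            found.append((iaid, str(net), preferred, valid))
    return found

def build_sample():
    """Constructed options: a Client ID, then an IA_PD delegating one /56."""
    prefix = ipaddress.IPv6Address("2001:db8:aa00::").packed
    iaprefix = struct.pack("!IIB", 3600, 7200, 56) + prefix
    ia_pd = (struct.pack("!III", 1, 1800, 2880)
             + struct.pack("!HH", OPTION_IAPREFIX, len(iaprefix)) + iaprefix)
    duid = bytes.fromhex("000300010242ac110002")
    return (struct.pack("!HH", 1, len(duid)) + duid
            + struct.pack("!HH", OPTION_IA_PD, len(ia_pd)) + ia_pd)
```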
    Andy Bailey
    Re: RE: IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD 2020/01/13 23:54:08 (permalink)
    flathill,
     
    I had a look at this topic some time back with support. I think the functionality you need was added to the 5.6 release. Here's the response I had from support at the time:-
     
    Dear Andy,

    I may have some good news. It seems that with the support of multiple PPPoE connections on a single interface that has been added to 5.6 we can now configure DHCPv6 client mode on a PPPoE interface.

    It could be configured like this:

    config system pppoe-interface
        edit pppoe1
            set ipv6 enable
            set device port4
            ...
    end

    config system interface
        edit pppoe1
            config ipv6
                set ip6-mode dhcp
                set dhcp6-prefix-delegation enable
            end
        next
    end


    With that configuration you will be able to request DHCPv6 IA_NA request over the pppoe1 interface.

    Also with that configuration, pppoe1 will be considered as a physical interface, so you will firewall policies etc as the other interfaces.
     
     
    #################################
     
    I'm still using this config in the 6.2.X releases and it certainly seems to work ok. The PPPOE interface becomes a logical interface from whichever port you are using (in my case in the above CLI snippet it was port4 on an FGT-80D).
     
    I hope that helps.
     
    Kind Regards,
     
     
    Andy.
     
     
    #8
    flathill
    Re: RE: IPv6 CPE Enhancements - IPv6CP + DHCPv6-PD 2020/01/15 16:38:22 (permalink)
    Andy
    Thank you for the advice.
    When the interface was set based on the advice and the default route of IPv6 was set to pppoe1 interface, IPv6CP and DHCPv6-PD operated, and connection to IPv6 Internet became possible.
     
    Best Regards,
    #9