The basic bricks are there, but a complete, smooth working solution for home users is absolutely not yet ready. I hope that my IPv6 articles are a small step in that direction.

RFC 3756 details the security considerations of an implementation of NDP. Of the three models described therein, we would want to consider ourselves as a “Corporate Internet”, as we trust ourself and the private-side devices attached to us. And, anyway, in the home environment we will only typically have a single router: our gateway device itself. So I think that this model is correct.

The IETF’s Secure Neighbor Discovery will likely form the basis of NDP in the longer term. But in the shorter term it would seem that we could perform NDP as per RFC 4861 and fill a bit of a hole that exists today.

The hole is that IPv6 implementations to date seems to assume that a device is either a full-fledged router or it is an end-point. While “our” gateway device can and does act as a full-fledged router (I can kick out via RADVD router advertisements to my heart’s content) my ISP sees me as an end-point. It sends me router advertisements, but isn’t interested in seeing any back (which, from a security model point of view, is not wholly unreasonable!) When it wants to “route” anything within the /64 range to me it first requires a satisfactory neighbor solicitation/advertisement exchange to take place.

Hence the need to proxy the IPv6 neighbour discovery.

Watch this space. I might just rustle something up…! In the near future I might be after a beta tester or two.

When writing up my mini IPv6 howtos one of the things that has genuinely surprised me is the relative immaturity of IPv6 implementation for a small home device, when taken a a whole. Most of the elements themselves are robust and have actually been around for years now. But hanging them all together is clearly something that not too many people have yet done!

I do not yet know of a Linux service which will allow me to respond to Neighbor Solicitations for a range of addresses. Sure, with RAD I can myself act as a router and advertise networks, as I do to my internal network. But the specific function of sending a neighbor advertisement based upon a range of addresses? I currently simply do not know. I guess what you (and I) are really looking for is a command along the lines of:

ip -6 neigh add proxy 1111:2222:3333:4444/64

so that any neighbor solicitation received for an address within the subnet gets responded to?

I’ll keep looking – I find it hard to believe it’s not possible. But I do not know how today.

Good post, very userful. I’ve been struggling with ipv6 routing for some time, and the problem was that my router wasn’t answering the ICMPv6 Neighbour Solicitation messages.

I made it work on a per host basis, with “ip -t neigh add …”, e.g.:
ip -6 neigh add proxy 2001:xxxx:2:yyyy:a000::2 dev eth0

But how can it be done to proxy for a subnet?

Scenario:

Router with a /64 native ipv6 network assigned.
Behind the router, 2 different networks, each a /68

How could I make the router answer neighbor solicitations for each /68 subnet, so that the packets can reach the router and can be forwarded to the specific subnet?

Thanks!

In the first instance all my client will be dual-stack IPv4 & IPv6. They already have the IPv4 DNS known and active so we will let them continue to use that. Of course if IPv4 does one day disappear, and we run as single-stack IPv6, this would need to be addressed.

I’ll say again what I wrote previously: the adoption of children is not in any way a religious issue. It should have nothing to do with it. I do not doubt that many of the people working for Catholic adoption agencies are decent, well-meaning people who have the best interests of children at heart. In which case I applaud them for their work. But leave your religious beliefs and moral hang-ups outside. And if you say you can’t do that, then stay away altogether.