Page MenuHomeVyOS Platform
Create Task
Maniphest T3040

NHRP IPv6 Support
On hold, WishlistPublicFEATURE REQUEST
Actions

Description

Support for NHRP mapping IPv6 addresses would allow DMVP to work with IPv6. Current you can create an IPv6 DMVPN but NHRP doesn't support IPv6

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects
Search...

StatusSubtypeAssignedTask
 In progressFEATURE REQUESTv.hutiT2326 Migrate NHRP(DMVPN) to FRR
 On holdFEATURE REQUESTv.hutiT3040 NHRP IPv6 Support

Event Timeline

francis created this task.Nov 3 2020, 4:33 AM
pasik added a subscriber: pasik.Nov 3 2020, 8:26 AM
c-po added a subscriber: c-po.Nov 8 2020, 7:40 PM

Hi @francis,

as we rely on OpenNHRP this looks like a dead end as of now. Maybe IPv6 support will get introduced and supported when we can migrate to FRR based NHRP - there is another task about that (T2326).

c-po changed the task status from Open to On hold.Nov 8 2020, 7:40 PM
c-po triaged this task as Wishlist priority.
francis mentioned this in T2326: Migrate NHRP(DMVPN) to FRR.EditedJun 4 2021, 4:44 PM

@c-po with this merge on FRR https://github.com/FRRouting/frr/pull/8153#event-4589485067 is migration possible? Possibly related to https://phabricator.vyos.net/T2326

c-po added a comment.Jun 4 2021, 6:33 PM

Hi @francis the latest FRR version lacks support for Cisco authentication https://github.com/FRRouting/frr/blob/master/nhrpd/nhrp_peer.c#L1212

kevinrausch added a subscriber: kevinrausch.Aug 11 2021, 9:12 PM
erkin set Issue type to Feature (new functionality).Aug 29 2021, 12:22 PM
erkin removed a subscriber: Active contributors.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:24 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:04 AM
dogboy21 added a subscriber: dogboy21.Mar 21 2023, 8:18 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:40 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:29 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:37 PM
Viacheslav edited projects, added VyOS 1.5 Circinus; removed VyOS 1.3 Equuleus (1.3.6).Dec 21 2023, 1:19 PM
martafolf added a subscriber: martafolf.Jan 23 2024, 6:49 PM
a.apostoliuk added a parent task: T2326: Migrate NHRP(DMVPN) to FRR.Mar 13 2024, 1:53 PM
a.apostoliuk added a subscriber: a.apostoliuk.Mar 13 2024, 3:13 PM

I have tested FRR NHRP with IPv6 as an overlay and I found some issues.

1. FRR as a spoke
My Lab
Cisco HUB--- FRR Spoke

Cisco HUB

interface Tunnel100
 ipv6 address 2001:DB8::1/64
 ipv6 tcp adjust-mss 1360
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 1
 ipv6 nhrp holdtime 60
 ipv6 nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 42

FRR Spoke
VyOS CLI

set interfaces tunnel tun100 address '2001:DB8::20/128'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 ipv6 address no-default-link-local
set interfaces tunnel tun100 ipv6 adjust-mss '1360'
set interfaces tunnel tun100 mtu '1400'
set interfaces tunnel tun100 parameters ip key '42'
set interfaces tunnel tun100 source-interface 'eth0'
set protocols static route6 2001:db8::/64 next-hop 2001:db8::1 distance '200'

FRR CLI

interface tun100
 ipv6 address 2001:db8::20/128
 ipv6 nhrp holdtime 60
 ipv6 nhrp network-id 1
 ipv6 nhrp nhs dynamic nbma 192.168.100.100
 ipv6 nhrp registration no-unique
 ipv6 nhrp shortcut
 no link-detect
 tunnel source eth0

At first everything looks ok.
FRR register and add new ipv6 routes

N>* 2001:db8::1/128 [10/0] is directly connected, tun100, weight 1, 00:06:40

But there is a problem with neighbor's table
After some time the record of 2001:db8::1 changes status from REACHABLE to STALE then to DELAY, PROBE, and finally to FAILED.

ip -6 neigh
2001:db8::1 dev tun100 lladdr 192.168.100.100 REACHABLE proto nhrp
 ip -6 neigh
2001:db8::1 dev tun100 FAILED proto nhrp

I checked Spoke to Spoke conversation. It works. but with the same issue.
It looks like a bug in FRR, the neighbor's status never changes to PROBE in IPv4. It takes Reachable - STALE - DELAY - and then again REACHABLE. And it looks like FRR NHRP controls it.
I tried to change nhrp holdtime and it did not help.

2. My second Lab was FRR as a HUB and two spokes (FRR and Cisco)

Cisco Spoke ---- FRR HUB----------FRR Spoke
All routers in one network.

Cisco Spoke config

interface Tunnel100
 no ip address
 no ip redirects
 ip mtu 1400
 ipv6 address 2001:DB8::15/64
 ipv6 nhrp map 2001:DB8::1/128 192.168.100.100
 ipv6 nhrp map multicast 192.168.100.100
 ipv6 nhrp network-id 1
 ipv6 nhrp nhs 2001:DB8::1
 ipv6 nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 42

FRR Spoke config is the same as in the example โ„–1

FRR HUB config
VyOS CLI config

set interfaces tunnel tun100 address '2001:DB8::1/128'
set interfaces tunnel tun100 disable-link-detect
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 ipv6 adjust-mss '1360'
set interfaces tunnel tun100 mtu '1400'
set interfaces tunnel tun100 parameters ip key '42'
set interfaces tunnel tun100 source-interface 'eth0'

FRR CLI

interface tun100
 ipv6 address 2001:db8::1/128
 ipv6 nhrp holdtime 60
 ipv6 nhrp network-id 1
 ipv6 nhrp redirect
 ipv6 nhrp registration no-unique
 no link-detect
 tunnel source eth0
vyos# show ipv6 nhrp
Iface    Type     Protocol                 NBMA                     Claimed NBMA             Flags  Identity
tun100   dynamic  fe80::ea7:caff:fec4:0    192.168.100.115          192.168.100.115           T
tun100   dynamic  2001:db8::20             192.168.100.120          192.168.100.120           T
tun100   local    2001:db8::1              192.168.100.100          192.168.100.100                 -

I found 2 issues. The first issue is the same as in the example โ„–1
The second issue
FRR HUB registers CISCO only by its link-local address.

vyos# show ipv6 nhrp
Iface    Type     Protocol                 NBMA                     Claimed NBMA             Flags  Identity
tun100   dynamic  fe80::ea7:caff:fec4:0    192.168.100.115          192.168.100.115           T

Link local address must exist on cisco side
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-16-12/sec-conn-dmvpn-xe-16-12-book/ip6-dmvpn-xe.pdf

I also found a bug in FRR NHRP with dual stack as an overlay. I will describe it later.

fernando added a subscriber: fernando.Mar 14 2024, 12:56 PM
v.huti added a subscriber: v.huti.Thu, Mar 21, 2:51 PM

I have checked in with @sharpd, he mentioned that it might not be supported to use v4 nexthop for v6 route.
From local testing:

vova | ip r
default via 192.168.0.1 dev wlp4s0 proto dhcp metric 600 
192.168.0.0/24 dev wlp4s0 proto kernel scope link src 192.168.0.102 metric 600 

vova | sudo ip route add 1::2/64 via 192.168.0.102 dev wlp4s0
Error: inet6 address is expected rather than "192.168.0.102".

vova | ip nexthop
id 13 dev wlp4s0 scope link proto zebra 
id 16 via 192.168.0.1 dev wlp4s0 scope link proto zebra 

vova | sudo ip route add 1::2/64 nhid 16
Error: IPv6 routes can not use an IPv4 nexthop.

I will look at how Kernel handles this and if there is a way around it before fixing the NHRP.

v.huti claimed this task.Thu, Mar 21, 2:51 PM