For the last few years, I have been confused about Palo Alto NGFWs’ various options for configuring an IPv6 address on a layer 3 interface. Let’s have a look at some details:
I’m using a PA-220 with PAN-OS 10.2.4-h2.
My Defaults
Normally, I’m enabling IPv6 on the interface (of course), leaving the Interface ID as “EUI-64”, adding a single GUI IPv6 address along with “Send RA” with its default values, while leaving the Duplicate Address Detection (DAD) unchecked (since it’s a firewall and you definitely want its address to be online) but enabling the NDP monitoring. I “Enable Router Advertisement” in general for this interface and include DNS information within the RAs. This looks like follows:
A show interface <interface name> shows the interface IPv6 addresses (link-local based on EUI-64 as well as the just configured global unicast) along with the advertised prefix:
weberjoh@pa> show interface ethernet1/8.21 -------------------------------------------------------------------------------- Name: ethernet1/8.21, ID: 257, 802.1q tag: 21 Operation mode: layer3 Virtual router default Interface MTU 1500 Interface IP address: 192.168.21.1/24 Interface IPv6 address: fe80::286:9cff:fee7:5517/64 2a00:6020:5004:2621::1/64 DAD: disabled NDP Monitoring: enabled IPv6 Client Mode: disabled Router Advertisement: enabled Advertised IPv6 prefix: 2a00:6020:5004:2621::1/64 DNS Support: enabled DNS Server(s): 2a00:6020:5004:2600:1e69:7aff:fe0f:cc5e DNS Suffix(es): weberlab.de [...]
Use interface ID as host portion
So far, so good. But I was confused about this “Use interface ID as host portion” option, which I enabled on another (sub)interface on the Palo for testing purposes:
For whatever reason, this option is named “Prefix” in the overview, which actually confused me even more:
In the end, this simply ignored the manually configured host portion of the IPv6 address and used the “Interface ID” option from the (sub)interface (which defaults to EUI-64) as the host portion. Hence the name. ;) The advertised prefix (line 16) still uses the manually configured IPv6 address rather than the one with the interface ID option:
weberjoh@pa> show interface ethernet1/8.22 -------------------------------------------------------------------------------- Name: ethernet1/8.22, ID: 259, 802.1q tag: 22 Operation mode: layer3 Virtual router default Interface MTU 1500 Interface IP address: 192.168.22.1/24 Interface IPv6 address: fe80::286:9cff:fee7:5517/64 2a00:6020:5004:2622:286:9cff:fee7:5517/64 DAD: disabled NDP Monitoring: enabled IPv6 Client Mode: disabled Router Advertisement: enabled Advertised IPv6 prefix: 2a00:6020:5004:2622::1/64 DNS Support: enabled DNS Server(s): 2a00:6020:5004:2600:1e69:7aff:fe0f:cc5e DNS Suffix(es): weberlab.de
I have no clue why someone explicitly wants the host portion to be the EUI-64 one. Do you have any ideas, other than cosmetic? Maybe to have the same host portion for the link-local and the global unicast addresses? While the router advertisements are sent from the link-local address anyway. 🤷
With #IPv6, Palo Alto NGFWs have the option to "use interface ID as host portion" which replaces the statically configured one with the EUI-64 one. Any idea what the use case is for this? The RAs are sent from the LL anyway. @ehorley @Enno_Insinuator @PacketJay pic.twitter.com/kZ4L7UdWhC
— Johannes Weber 🎸 (@webernetz) June 1, 2023
Anycast?!?
To be honest, I don’t have any idea what this “Anycast” checkmark is all about at the IPv6 address configuration here. The doc states “Select to include routing through the nearest node.” Eh? Will this add this router address into some routing protocols as an additional host route? Any ideas someone?
Prefix Information
One more thing I noticed: The prefix information options within the ICMPv6 Router Advertisements are sent with the manually configured IPv6 address in both scenarios. That is: It is sent with the actual *address* of the router’s interface rather than the mere /64 prefix. While this is perfectly valid as of RFC 4861 (“An IP address or a prefix of an IP address.”), I personally prefer having the /64 prefix without a filled-in host portion in the RAs. Here are screenshots with the RAs from both interfaces I tested with. Wireshark decodes it as “Prefix”, which is not 100 % correct at this time (though unambiguous to my mind; no change required):
Photo by Thiago Palia on Unsplash.