Open IPv6 Issues / questions

Question

- will the fix for issue NUTM-7187 be included with 9.5? 
 - is there a fix in the works for IPv6 Connections where the WAN Port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for esxample KPN netherlands) 
 - what about the ability to change/edit the UID for IPv6 Delegation Requests? 
 - what about long standing feature requests such as 6tunnel integration, lets encrypt - is that on the roadmap? Users, myself included had high hopes for 9.5 but this seems to be more than a maintance release. 
 
 thank you in advance.

bobbylam · Accepted Answer

Hi Ben, please see my answers inline below: 
 Ben said: 
 - will the fix for issue NUTM-7187 be included with 9.5? 
 [BL]: The fix for NUTM-7187 is not included in this current UTM 9.5 beta version. We are actively working on the fix right now though, so as soon as we have a confirmed fix it will be included in a subsequent release. 
 - is there a fix in the works for IPv6 Connections where the WAN Port is supposed to use an address out of the delegated prefix? Currently users of such ISPs do not get any IPv6 address. (for esxample KPN netherlands) 
 [BL]: This should be supported today, unless the ISP is doing both stateless & stateful. Is that the case for you? If so, we are fixing that as part of NUTM-7187 as well. 
 - what about the ability to change/edit the UID for IPv6 Delegation Requests? 
 [BL]: Unfortunately this isn't part of this 9.5 release. 
 - what about long standing feature requests such as 6tunnel integration, lets encrypt - is that on the roadmap? Users, myself included had high hopes for 9.5 but this seems to be more than a maintance release. 
 [BL]: Lets Encrypt is on our current roadmap, but it's mainly planned as a WAF feature. As for 6tunnel integration, it's currently not planned for any specific release. 
 
 thank you in advance.

bobbylam · Answer

Thank you Ben, that is extremely helpful info! The developer working on the issue was suspecting & investigating this same area as well, so looks like we're on the right track. 
 
 Rene: Please check out the patch Ben sent you, and let us know if it resolves the PPPoE issue for you.

PrakashSwamy · Answer

Hi Rene, 
 I looked into the capture file you provided and found that the box provided by your ISP directly sends out DHCPv6 solicit messages with IA_PD option, immediately after PPP IPV6CP is successful. The box provided by your ISP is probably configured to always use DHCPv6 IA_PD when connecting to the server. 
 On the other hand, the Sophos UTM has a need to first do IPv6 Neighbor Discovery to understand if the server (ISP end) supports SLAAC or stateless/stateful DHCPv6. Based on the RA and prefix flags it receives from the server during IPv6 ND, it would then setup the dhclient6 appropriately to use SLAAC or DHCPv6 or both. 
 In the absence of ICMPv6 RAs, the current code doesn&rsquo;t initiate stateful autoconfiguration by default. We will look into addressing this issue asap as a bug fix in a future release. 
 -Prakash

Ben · Answer

Hello Prakash, 
 thanks again for the swift reply, this fix indeed seems to fix all the issues! It did a rebind on reconnect instead of getting a new prefix. 
 I will now let this run for 2-3 days and than report back :) 
 THANK YOU! :-) and big thanks to any other developer involved in this fix!