Android supports SLAAC and has good support transitional tech like xlat464 and DHCP option 108.
I have used these on my network and office to move to IPv6-only for Android.
What about lack of DHCPv6 prevents you from using IPv6 on Android?
Android supports SLAAC and has good support transitional tech like xlat464 and DHCP option 108.
I have used these on my network and office to move to IPv6-only for Android.
What about lack of DHCPv6 prevents you from using IPv6 on Android?
I can't run SLAAC and DHCPv6 at the same time without giving devices multiple addresses, and Android doesn't support DHCPv6, so I'd have to carve out a separate, SLAAC-based, android-only network. And then figure out firewall rules, multicast reflection, etc.
Why is giving multiple addresses a problem?
No control over which source address is used. I'm assigning a lot of clients DHCP reservations so I can use static addresses for monitoring and firewall rules. With multiple addresses on the same network, clients may use their SLAAC address which won't match the firewall rule.
That still doesn’t really make sense. Why not run SLAAC on one subnet and have a single firewall rule for the whole thing? You’re not running any major servers on an Android phone, so it won’t be anything complex.
SLAAC can only run on a subnet that's larger than /64, which they might not have access to.
Strictly speaking it can and does run on subnets that are exactly /64. Does anyone actually hand out smaller delegations today?
My point is that they might only be getting 1 /64 from their ISP; or getting a /62 or something small, and needing more subnets anyway. In these situations, you may not have an extra /64 to dedicate to SLAAC for certain devices.
Right. I was merely correcting your statement that SLAAC needs more than 64 bits to work with. But my question remains; do any ISPs hand out smaller delegations than a /64?
There are APIs in Linux to control source address selection but might be fiddly https://www.davidc.net/networking/ipv6-source-address-select...
Ah, this makes sense.
I thought this was a problem too. Then I realized that addresses are not in short supply, so I stopped caring that some devices get multiple addresses. The ones I care about are handed out over DHCPv6, and the firewall works accordingly. The rest gets basic connectivity and nothing else.
Works great for me.
Don't you have problems with clients using the wrong source address and not matching firewall rules?
Different person here, but no. I never write firewall rules based on individual source addresses. They’re too easy to fake. And with IPv6’s privacy extensions, you never know what source address a given machine will have anyway.
Interesting. How do you deal with destination addresses on your local network? DHCPv6 like the other poster and myself?
I haven’t had a need for DHCPv6. I’d use DNS (or better, mDNS) to assign a hostname to the destination’s fixed IPv6 address or ULA, both of which are static. I don’t ever manually assign an IPv6 address to a host, though. I just let SLAAC do the thing it was designed for.
No. Admittedly, my firewall rules are all about granting something extra beyond the basics. I only do this for clients I care about anyway, so I can always tell them to use the right address.