Good evening,
I have investigated the issue and found that there are NO problems with Verizon's Juniper gateway router (GWR) IPv6 Prefix Delegation (PD) implementation.
I have, however, found problems in your Sopho Firewall's DHCPv6 SARR (Solicit, Advertise, Request, and Reply) process.
Line 631 suggests IA_PD with a Valid lifetime of 7500, which exceeds Juniper's 7200 assignment as indicated on Line 639.
In fact, Sophos Firewall consistently inflated the Valid lifetime in IA_PD
Above Juniper's Advertise, Reply.
Above Sophos' Request, Renew message.
In case of disagreements, server's offer must be treated as authoritative. In addition, Sophos' claim of a longer Valid lifetime is a problem at Renewal due to Juniper treating such a renewal as inappropriate.
Per RFC 8415, 18.3.4, https://datatracker.ietf.org/doc/html/rfc8415
If the server finds that any of the delegated prefixes in the IA are not appropriate for the link to which the client is attached, the server returns the delegated prefix to the client with lifetimes of 0.
That's what happened on Line 632. Juniper revoked the Prefix.
A Status Code of NoPrefixAvail is appropriate given the following.
If the server is configured to create new bindings as a result of
processing Renew messages but the server will not assign any
leases to an IA, the server returns the IA option containing a
Status Code option (see Section 21.13) with the NoAddrsAvail or
NoPrefixAvail status code and a status message for a user.
@wfios wrote:At about 1 hour, my firewall attempts to renew the PD lease and gets an error that there is no existing lease.
This one hour renewal is agreed upon on T1 time. If you renew sooner, a conservative server can (per-RFC) discard that renewal request and do nothing.
I am also not recommending using a third party primary router as the SLA does not mandate support if you do that. There are static routing functions on all Verizon routers that you can point to internal routers.
Good evening,
I have investigated the issue and found that there are NO problems with Verizon's Juniper gateway router (GWR) IPv6 Prefix Delegation (PD) implementation.
I have, however, found problems in your Sopho Firewall's DHCPv6 SARR (Solicit, Advertise, Request, and Reply) process.
Line 631 suggests IA_PD with a Valid lifetime of 7500, which exceeds Juniper's 7200 assignment as indicated on Line 639.
In fact, Sophos Firewall consistently inflated the Valid lifetime in IA_PD
Above Juniper's Advertise, Reply.
Above Sophos' Request, Renew message.
In case of disagreements, server's offer must be treated as authoritative. In addition, Sophos' claim of a longer Valid lifetime is a problem at Renewal due to Juniper treating such a renewal as inappropriate.
Per RFC 8415, 18.3.4, https://datatracker.ietf.org/doc/html/rfc8415
If the server finds that any of the delegated prefixes in the IA are not appropriate for the link to which the client is attached, the server returns the delegated prefix to the client with lifetimes of 0.
That's what happened on Line 632. Juniper revoked the Prefix.
A Status Code of NoPrefixAvail is appropriate given the following.
If the server is configured to create new bindings as a result of
processing Renew messages but the server will not assign any
leases to an IA, the server returns the IA option containing a
Status Code option (see Section 21.13) with the NoAddrsAvail or
NoPrefixAvail status code and a status message for a user.
@wfios wrote:At about 1 hour, my firewall attempts to renew the PD lease and gets an error that there is no existing lease.
This one hour renewal is agreed upon on T1 time. If you renew sooner, a conservative server can (per-RFC) discard that renewal request and do nothing.
I am also not recommending using a third party primary router as the SLA does not mandate support if you do that. There are static routing functions on all Verizon routers that you can point to internal routers.
