IPv6 PD issues renewing where it gives an error

Using a third-party firewall that supports IPv6 PD, and getting an odd error. I've captured packets and it appears that Verizon is using Juniper routers and they've set the IPv6 lease to two hours. At about 1 hour, my firewall attempts to renew the PD lease and gets an error that there is no existing lease.

So the firewall turns around and attempts to get a new lease and sometimes it gets lucky and Verizon ignores the requests and then turns around and says that the lease is valid for another two hours. This can happen for 12+ hours. But inevitably, it will reject the renewal but then accept the new lease request, changing the delegated prefix.

Could this be a mis-setting on a particular Juniper or does Verizon do weird stuff with IPv6 PD and decide to treat leases as strangely expired at one hour?

Accepted answers

Cang_Household

Good evening,

I have investigated the issue and found that there are NO problems with Verizon's Juniper gateway router (GWR) IPv6 Prefix Delegation (PD) implementation.

I have, however, found problems in your Sopho Firewall's DHCPv6 SARR (Solicit, Advertise, Request, and Reply) process.

Line 631 suggests IA_PD with a Valid lifetime of 7500, which exceeds Juniper's 7200 assignment as indicated on Line 639.

In fact, Sophos Firewall consistently inflated the Valid lifetime in IA_PD

Above Juniper's Advertise, Reply.

Screenshot 2025-05-12 at 11.27.44 PM.png

Above Sophos' Request, Renew message.

In case of disagreements, server's offer must be treated as authoritative. In addition, Sophos' claim of a longer Valid lifetime is a problem at Renewal due to Juniper treating such a renewal as inappropriate.

Per RFC 8415, 18.3.4, https://datatracker.ietf.org/doc/html/rfc8415

If the server finds that any of the delegated prefixes in the IA are
   not appropriate for the link to which the client is attached, the
   server returns the delegated prefix to the client with lifetimes
   of 0.

That's what happened on Line 632. Juniper revoked the Prefix.

Screenshot 2025-05-12 at 11.33.46 PM.png

A Status Code of NoPrefixAvail is appropriate given the following.

If the server is configured to create new bindings as a result of
      processing Renew messages but the server will not assign any
      leases to an IA, the server returns the IA option containing a
      Status Code option (see Section 21.13) with the NoAddrsAvail or
      NoPrefixAvail status code and a status message for a user.

@wfios
wrote:
At about 1 hour, my firewall attempts to renew the PD lease and gets an error that there is no existing lease.

This one hour renewal is agreed upon on T1 time. If you renew sooner, a conservative server can (per-RFC) discard that renewal request and do nothing.

I am also not recommending using a third party primary router as the SLA does not mandate support if you do that. There are static routing functions on all Verizon routers that you can point to internal routers.

All comments

wfios

Any help? It's still happening a month later and after extensive debugging with the firewall manufacturer -- I have an annual support contract with them -- they can't understand why Verizon's prefix delegation is working strangely, from the unusually short lifetime to the error when a renewal is attempted.

Any actual Verizon technical folks here? The first-level folks stop listening as soon as you say "third-party" so there will never be an investigation if my local Verizon Juniper has a misconfiguration, or what. Thanks for any help you can render, I'd like to use IPv6 and have had extremely bad experience with Verizon's user firewalls.

Cang_Household

I would need to see a packet dump about this issue. Juniper is centrally managed and configurations are pushed out en masse to the whole CO.

wfios

I have PCAPs if you want.

Cang_Household

Good evening,

I have investigated the issue and found that there are NO problems with Verizon's Juniper gateway router (GWR) IPv6 Prefix Delegation (PD) implementation.

I have, however, found problems in your Sopho Firewall's DHCPv6 SARR (Solicit, Advertise, Request, and Reply) process.

Line 631 suggests IA_PD with a Valid lifetime of 7500, which exceeds Juniper's 7200 assignment as indicated on Line 639.

In fact, Sophos Firewall consistently inflated the Valid lifetime in IA_PD

Above Juniper's Advertise, Reply.

Screenshot 2025-05-12 at 11.27.44 PM.png

Above Sophos' Request, Renew message.

Per RFC 8415, 18.3.4, https://datatracker.ietf.org/doc/html/rfc8415

If the server finds that any of the delegated prefixes in the IA are
   not appropriate for the link to which the client is attached, the
   server returns the delegated prefix to the client with lifetimes
   of 0.

That's what happened on Line 632. Juniper revoked the Prefix.

Screenshot 2025-05-12 at 11.33.46 PM.png

A Status Code of NoPrefixAvail is appropriate given the following.

If the server is configured to create new bindings as a result of
      processing Renew messages but the server will not assign any
      leases to an IA, the server returns the IA option containing a
      Status Code option (see Section 21.13) with the NoAddrsAvail or
      NoPrefixAvail status code and a status message for a user.

@wfios
wrote:
At about 1 hour, my firewall attempts to renew the PD lease and gets an error that there is no existing lease.

This one hour renewal is agreed upon on T1 time. If you renew sooner, a conservative server can (per-RFC) discard that renewal request and do nothing.

wfios

Thank you so much, that's AMAZING!

I've reported two bugs to Sophos: 1) Requesting a T2 larger than what was delegated, and 2) not passing an RA with lifetime 0 on to clients if a renewal is refused renewal, to deprecate the PD for the clients. My guess is the root issue is #1: what looks like a refusal to renew -- requiring re-negotiation -- is actually a rejection of an improper renewal request. The PD is still valid for its lifetime, as if a renewal hadn't occurred.

Unfortunately, I can't use a Verizon router in good conscience. I was with Verizon for years and paid monthly rental for their router. They never updated the router, and when I finally became more informed and decided to leave Verizon, they told me to throw the router away and not return it because it was obsolete. I'd been paying every month for an obsolete router, which was an enormous security issue and also a business/moral issue. On top of this, they had a back door that extracted the router's admin password so they could have it available in My Verizon, which is also a security issue.

So thanks so much for your expert help! But I can't use Verizon routers, and if it were possible to hook the fiber directly to an SFP+ port I would ditch the ONT as well, but that's not really possible.