@NiKiZe
Last active November 24, 2024 23:21
Journey of iPXE boot using IPv6

In IPv6 the boot path is always given as a URL in DHCPv6 option 59, so we need to run a DHCPv6 service for this.

option dhcp6.bootfile-url code 59 = string;
option dhcp6.client-arch-type code 61 = array of unsigned integer 16;

# match arch to send correct booturl https://ipxe.org/cfg/platform#notes
if exists dhcp6.client-arch-type and
   option dhcp6.client-arch-type = 00:07 {
   option dhcp6.bootfile-url "tftp://[2001:db8::69]/snponly.efi";
}

subnet6 2001:db8::/64 {
   range6 2001:db8::ff00/120;
}

Debug DHCP server:

dhcpd -6 -d -f brInt -cf /etc/dhcp/dhcpd6.conf

Run the server and try booting, but also check what's on the wire with:

tcpdump -vni brInt port 547

tcpdump isn't very good at expanding this data and only shows that options exist, but not their contents: (opt_59). Let's grab the actual contents as well to verify what is sent:

tcpdump -vni brInt -A port 547
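
Since tcpdump only prints (opt_59) for these options, here is an added example (not part of the original gist) that decodes DHCPv6 options 59 and 61 from a raw UDP payload. The function names and the sample packets are constructed for illustration; relay messages are not handled.

```python
import struct

OPT_BOOTFILE_URL = 59      # RFC 5970
OPT_CLIENT_ARCH_TYPE = 61  # RFC 5970
RELAY_TYPES = {12, 13}     # RELAY-FORW / RELAY-REPL use a different header


def parse_dhcpv6(payload: bytes) -> dict:
    """Parse the UDP payload of a DHCPv6 client/server message."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = payload[0]
    if msg_type in RELAY_TYPES:
        raise ValueError("relay messages are not handled here")
    xid = int.from_bytes(payload[1:4], "big")
    options, pos = [], 4
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError(f"option {code} overruns the packet")
        options.append((code, payload[pos:pos + length]))
        pos += length
    return {"msg_type": msg_type, "xid": xid, "options": options}


def boot_info(payload: bytes) -> dict:
    """Extract the bootfile URL and client architecture list, if present."""
    info = {"bootfile_url": None, "arch_types": []}
    for code, data in parse_dhcpv6(payload)["options"]:
        if code == OPT_BOOTFILE_URL:
            info["bootfile_url"] = data.decode("ascii", "replace")
        elif code == OPT_CLIENT_ARCH_TYPE:
            if len(data) % 2:
                raise ValueError("client-arch-type length must be even")
            info["arch_types"] = [v for (v,) in struct.iter_unpack("!H", data)]
    return info


# Constructed samples: a Reply (type 7) with option 59, a Solicit (type 1) with option 61.
URL = b"tftp://[2001:db8::69]/snponly.efi"
REPLY = bytes([7]) + b"\x12\x34\x56" + struct.pack("!HH", 59, len(URL)) + URL
SOLICIT = bytes([1]) + b"\x12\x34\x56" + struct.pack("!HHH", 61, 2, 7)

if __name__ == "__main__":
    for pkt in (SOLICIT, REPLY):
        print(boot_info(pkt))
```

Comparing the decoded URL and architecture list against dhcpd6.conf confirms that the arch match fired and that the client received the URL you intended.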

No boot here, let's also grab TFTP transfers:

tcpdump -vni brInt -A port 547 or port 69

There are requests, but no transfers...

Let's check that we have a TFTP server running (this actually took a good while to figure out):

ss -lnu
State                      Recv-Q                     Send-Q                                                      Local Address:Port                                           Peer Address:Port
UNCONN                     0                          0                                                                 0.0.0.0:69                                                  0.0.0.0:*

We do, at port 69, but only on IPv4. That explains it.

After some research, it turns out that atftp doesn't have any IPv6 support, so let's switch to a different server.

 /etc/init.d/atftp stop; emerge -c atftp; emerge -vk tftp-hpa

Modify /etc/conf.d/in.tftpd to set INTFTPD_PATH and add --secure. Also update the service start and start the service:

rc-update del atftp
rc-update add in.tftpd
/etc/init.d/in.tftpd start

OK, that's better:

ss -lnu
State                      Recv-Q                     Send-Q                                                      Local Address:Port                                           Peer Address:Port
UNCONN                     0                          0                                                                 0.0.0.0:69                                                  0.0.0.0:*
UNCONN                     0                          0                                                                       *:69                                                        *:*

I have not 100% been able to verify if radvd also requires AdvOtherConfigFlag on; it might be, especially on newer firmware.

Some takeaways from this:

  • tcpdump doesn't know much about DHCPv6
  • Use -A to check packet contents when tcpdump fails decoding
  • Verify that services are actually listening on IPv6

There are a few things we can do to clean this up, and also improvements to the conditional logic, which will be a revisit.
