The radvd auto-ignore CLI syntax has been added to VyOS, but a further enhancement could also be added to prevent duplicate prefix advertisements altogether.
As an extra safeguard, I propose the following:
When configuring set service router-advert for an interface: if the wildcard prefix ::/64 is used AND the administrator overrides a prefix, that overridden prefix should be immediately inserted into the

    autoignoreprefixes {
    };

block in /run/radvd/radvd.conf, regardless of whether or not the administrator also creates an auto-ignore node in the CLI. This would prevent the prefix from accidentally being advertised twice in the RA if the administrator forgets to create the auto-ignore rule.
Otherwise, the administrator would need to remember to configure auto-ignore at the CLI for every prefix whose configuration they override.
For example, suppose I have the following addresses assigned to eth1:
2001:db8::1/64
fd00::1/64
fd01::1/64
If I run the following:
    # Configure the wildcard prefix
    set service router-advert interface eth1 prefix ::/64

    # Override config for the fd00::/64 prefix
    set service router-advert interface eth1 prefix fd00::/64 preferred-lifetime '5555'
    set service router-advert interface eth1 prefix fd00::/64 valid-lifetime '9999'
After running these commands, VyOS should immediately add the fd00::/64 prefix to autoignoreprefixes in radvd.conf. The resulting radvd.conf should be:
    ### Autogenerated by service_router-advert.py ###
    interface eth1 {
        IgnoreIfMissing on;
        AdvDefaultPreference medium;
        MaxRtrAdvInterval 600;
        AdvReachableTime 0;
        AdvIntervalOpt on;
        AdvSendAdvert on;
        AdvOtherConfigFlag off;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        autoignoreprefixes {
            fd00::/64;
        };
        prefix ::/64 {
            AdvAutonomous on;
            AdvValidLifetime 2592000;
            AdvOnLink on;
            AdvPreferredLifetime 14400;
            DeprecatePrefix off;
            DecrementLifetimes off;
        };
        prefix fd00::/64 {
            AdvAutonomous on;
            AdvValidLifetime 9999;
            AdvOnLink on;
            AdvPreferredLifetime 5555;
            DeprecatePrefix off;
            DecrementLifetimes off;
        };
    };

This should happen immediately when the overridden advertisement is added on eth1, since that interface also carries the wildcard prefix. It should happen automatically, without my having to remember to run:

    set service router-advert interface eth1 auto-ignore fd00::/64
Otherwise, if I forgot to do this, the result would be duplicate fd00::/64 prefixes being advertised in the RA.
In my opinion, an RA with duplicate prefixes should never be possible, especially on an enterprise router. I couldn't find a relevant section in any RFC that outlines whether duplicate prefix advertisements are permissible or not. But I can't even imagine a use case or scenario where that would be desirable, as it causes unpredictable behavior in clients.
If these radvd.conf entries were inserted automatically, the admin wouldn't need to worry about it.
In fact, the only time the admin would ever need to manually use the auto-ignore CLI syntax is when they specifically want the wildcard to IGNORE a prefix altogether instead of overriding it. To me, this makes 100% perfect sense based on the wording of the radvd syntax for "auto ignore prefixes".
After overriding a prefix advertisement, VyOS should add the entry to the autoignoreprefixes block in radvd.conf, but NOT add auto-ignore XXX::/64 to the CLI config tree. Otherwise, the admin could remove the auto-ignore CLI config (accidentally or otherwise) and cause duplicate prefixes to be advertised.
Instead, the overridden prefix will ALWAYS exist in the radvd.conf autoignoreprefixes block, regardless of whether an auto-ignore CLI node has been manually added. And it will remain there unless and until the administrator deletes the override (or deletes the wildcard prefix).
When generating the autoignoreprefixes block in radvd.conf, VyOS currently just emits the auto-ignore config nodes the administrator created in the CLI.
Instead, the block should be generated programmatically from the set union of the auto-ignore CLI nodes AND the overridden prefixes (every explicitly configured prefix other than ::/64, whenever the wildcard is present), so that each prefix is guaranteed to be listed only once in the autoignoreprefixes block.
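To make the proposal concrete, here is an added example (not code from VyOS's service_router-advert.py) that models the set-union rule and shows why it removes the duplicate. The function names, the config dict shape and the simplified model of radvd's ::/64 wildcard (advertise the /64 of every interface address that is not in autoignoreprefixes) are assumptions for illustration; the lifetime defaults and the eth1 addresses are the ones from this post.

```python
# Added example, not VyOS code: derive radvd's autoignoreprefixes block as the
# union of CLI auto-ignore nodes and overridden prefixes, and show that this
# removes the duplicate-prefix condition.  Names are hypothetical.
from ipaddress import IPv6Interface, IPv6Network

WILDCARD = IPv6Network("::/64")
DEFAULT_VALID = 2592000      # AdvValidLifetime default seen in radvd.conf above
DEFAULT_PREFERRED = 14400    # AdvPreferredLifetime default seen in radvd.conf above

# Constructed sample input: the three addresses assigned to eth1 in the post.
ETH1_ADDRS = ["2001:db8::1/64", "fd00::1/64", "fd01::1/64"]


def compute_autoignore(prefixes, auto_ignore=()):
    """Prefixes to emit in autoignoreprefixes.

    Set union of the CLI auto-ignore nodes and, when the ::/64 wildcard is
    configured, every explicitly configured (i.e. overridden) prefix.  Using a
    set guarantees each prefix appears exactly once.  Without the wildcard
    there is nothing to auto-ignore, so only the CLI nodes are returned.
    """
    nets = {IPv6Network(p) for p in prefixes}
    ignore = {IPv6Network(p) for p in auto_ignore}
    if WILDCARD in nets:
        ignore |= nets - {WILDCARD}
    return [str(n) for n in sorted(ignore)]


def effective_ra_prefixes(iface_addrs, prefixes, auto_ignore=()):
    """Simplified model (assumption) of what radvd advertises for an interface:
    every explicit prefix block, plus, for ::/64, the /64 of each interface
    address that is not auto-ignored.  Duplicates are kept so they can be
    detected by the caller."""
    ignore = {IPv6Network(p) for p in auto_ignore}
    advertised = []
    for p in prefixes:
        net = IPv6Network(p)
        if net == WILDCARD:
            for addr in iface_addrs:
                derived = IPv6Interface(addr).network
                if derived.prefixlen == 64 and derived not in ignore:
                    advertised.append(str(derived))
        else:
            advertised.append(str(net))
    return advertised


def duplicate_prefixes(advertised):
    """Return the prefixes that would appear more than once in the RA."""
    seen, dups = set(), set()
    for p in advertised:
        if p in seen:
            dups.add(p)
        seen.add(p)
    return sorted(dups)


def render_interface(ifname, prefixes, auto_ignore=()):
    """Render the prefix-related part of one radvd interface block."""
    lines = [f"interface {ifname} {{"]
    ignored = compute_autoignore(prefixes, auto_ignore)
    if ignored:
        lines.append("    autoignoreprefixes {")
        lines += [f"        {p};" for p in ignored]
        lines.append("    };")
    for p, opts in prefixes.items():
        lines += [
            f"    prefix {p} {{",
            f"        AdvValidLifetime {opts.get('valid_lifetime', DEFAULT_VALID)};",
            f"        AdvPreferredLifetime {opts.get('preferred_lifetime', DEFAULT_PREFERRED)};",
            "    };",
        ]
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    # Wildcard plus an override of fd00::/64, no auto-ignore node in the CLI.
    cfg = {"::/64": {}, "fd00::/64": {"valid_lifetime": 9999, "preferred_lifetime": 5555}}
    print("duplicates without auto-ignore:",
          duplicate_prefixes(effective_ra_prefixes(ETH1_ADDRS, cfg)))
    derived = compute_autoignore(cfg)
    print("duplicates with derived auto-ignore:",
          duplicate_prefixes(effective_ra_prefixes(ETH1_ADDRS, cfg, derived)))
    print(render_interface("eth1", cfg))
```

Run as-is, the first line reports fd00::/64 as duplicated (the explicit prefix block plus the wildcard-derived one), the second reports no duplicates once the override is folded into autoignoreprefixes, and the rendered block carries fd00::/64 exactly once even if the administrator also adds it as a CLI auto-ignore node.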
It's important to note that this is NOT a bug in VyOS - this behavior is reproducible in pretty much any router OS that uses older versions of radvd as the back-end for generating RA packets. I was actually able to produce duplicate-prefix RAs in an EdgeRouter. As much as I love EdgeOS, with the seemingly slow pace of development in EdgeMAX, I'm not confident that Ubiquiti will ever get around to fixing this problem - but I digress.
This enhancement will make it effectively impossible to configure router advertisements with duplicate prefixes, whether accidentally or intentionally.
I'm open to other suggestions though. Please feel free to share your thoughts or critique.
