Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address
Hello, for information, the new release of isc-dhcp provides an option to change the prefix length: The prefix length passed to the dhclient script can now be modified at compile time by editing the includes/site.h file and #defineing DHCLIENT_DEFAULT_PREFIX_LEN. By default it is set to 64 in order to minimize any disruptions to running systems. A description of some of the issues and some other workarounds can be found at: https://kb.isc.org/article/AA-01141/31/How-to-workaround-IPv6-prefix-length-issues-with-ISC-DHCP-clients.html However, since it has to be set at compiling time, it does not solve the problem for Debian users. Regards, Florent. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address
On Tue, Jan 14, 2014 at 02:11:55PM +0100, Florent Fourcot wrote: I did not see anything new in your patches, the patch of Arne Nordmark already includes your changes (and some others, covering more cases). Second, the /128 of ${new_ip6_address}/128 can probably be removed. An address without prefix is set to /128 by default. Thanks, you're right, the other patch is more complete, I didn't notice there already was a patch. Do you know more than us mere mortals about ISC's plans to fix this bug? Thanks Ralf -- Ralf Schlatterbeck email: r...@zoo.priv.at -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address
Note that dhclient does not itself configures the interface but instead calls the shellscript /sbin/dhclient-script to do the work. So a quick workaround is to patch that script to use a fixed netmask of /128 (patch attached). The real fix is to hand a fixed /128 netmask to the dhclient-script from the daemon. This patches C-code in dhclient (patch attached). Note that the dhcpv6 protocol doesn't have an option for a netmask. So it is always /128 and routing is left to icmpv6 router advertisements. That also means that the option accept_ra of the dhcp method for the INET6 address family in /etc/network/interfaces (see interfaces(5) man page) probably should be on by default or completely removed. In addition maybe a fixed netmask should be configurable (see excerpts from RFC5942 below). Just some more facts regarding this issue: RFC 5942 is very clear about a DHCP client inventing a prefix: RFC5942, p.7 under Host Rules: 1. The assignment of an IPv6 address -- whether through IPv6 stateless address autoconfiguration [RFC4862], DHCPv6 [RFC3315], or manual configuration -- MUST NOT implicitly cause a prefix derived from that address to be treated as on-link and added to the Prefix List. ... and on p.8 under the heading Observed Incorrect Implementation Behavior: ... An address could be acquired through the DHCPv6 identity association for non- temporary addresses (IA_NA) option from [RFC3315] (which does not include a prefix length), or through manual configuration (if no prefix length is specified). The host incorrectly assumes an invented prefix is on-link. This invented prefix typically is a /64 that was written by the developer of the operating system network module API to any IPv6 application as a default prefix length when a length isn't specified... I sincerely hope this gets fixed in the next release of dhcpd. Note that I've also filed an upstream report with issue number #35178 (before I knew about this debian report) and I'm surprised the currently scheduled 4.3.0a1 release doesn't yet have the fix. Ralf -- Ralf Schlatterbeck email: r...@zoo.priv.at --- /sbin/dhclient-script.orig 2013-05-27 23:00:32.0 +0200 +++ /sbin/dhclient-script 2014-01-10 17:08:13.0 +0100 @@ -344,9 +344,9 @@ ;; BOUND6|RENEW6|REBIND6) -if [ ${new_ip6_address} ] [ ${new_ip6_prefixlen} ]; then +if [ ${new_ip6_address} ]; then # set leased IP -ip -6 addr add ${new_ip6_address}/${new_ip6_prefixlen} \ +ip -6 addr add ${new_ip6_address}/128 \ dev ${interface} scope global fi --- client/dhc6.c.orig 2014-01-14 13:18:41.0 +0100 +++ client/dhc6.c 2014-01-14 13:19:06.0 +0100 @@ -3841,11 +3841,8 @@ piaddr(addr-address), (unsigned) addr-plen); } else { - /* Current practice is that all subnets are /64's, but - * some suspect this may not be permanent. - */ client_envadd(client, prefix, ip6_prefixlen, - %d, 64); + %d, 128); client_envadd(client, prefix, ip6_address, %s, piaddr(addr-address)); }
Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address
Hello, Note that dhclient does not itself configures the interface but instead calls the shellscript /sbin/dhclient-script to do the work. So a quick workaround is to patch that script to use a fixed netmask of /128 (patch attached). I did not see anything new in your patches, the patch of Arne Nordmark already includes your changes (and some others, covering more cases). Second, the /128 of ${new_ip6_address}/128 can probably be removed. An address without prefix is set to /128 by default. Regards, Florent. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address
Package: isc-dhcp-client Version: 4.2.2.dfsg.1-5 Severity: normal Tags: upstream ipv6 patch dhclient unconditionally assumes an on-link prefix matching the address and with a length of 64 when setting an IPv6 address. Like routing information, on-link prefix information is not part of the DHCPv6 protocol, so this is just a guess from the part of dhclient. RFC 5942 asserts that on-link prefixes and addresses are independent concepts, and on-link prefix information must only come from Router Advertisements or manual configuration. Section 5 specifically points out that a /64 prefix must not be assumed. In my case where a /112 prefix is used, the routing table becomes nordmark@strix:~$ ip -6 route 2001:6b0:1:1e90::40:0/112 dev wlan0 proto kernel metric 256 expires 2592301sec 2001:6b0:1:1e90::/64 dev wlan0 proto kernel metric 256 default via fe80::92e6:baff:fe68:ce8f dev wlan0 proto kernel metric 1024 expires 1777sec and hosts sharing the /64 prefix but not the /112 are falsely determined as being on-link, and have become unreachable. This is (probably, the bug tracking is closed so I can not verify) reported upstream as ISC-Bugs #29468. The corresponding bug where Network Manager wrongly trusts the prefix length information from dhclient is #661885. The incuded patch removes the use of the bogus ip6_prefixlen variables from dhclient-script and uses /128 when setting an address. Should other programs use these variables, they are hard coded as 128 instead of 64. Arne -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages isc-dhcp-client depends on: ii debianutils 4.3.2 ii iproute 20120521-3 ii isc-dhcp-common 4.2.2.dfsg.1-5 ii libc62.13-33 isc-dhcp-client recommends no packages. Versions of packages isc-dhcp-client suggests: ii avahi-autoipd 0.6.31-1 ii resolvconf 1.67 -- no debconf information --- a/client/dhc6.c +++ b/client/dhc6.c @@ -3899,11 +3899,10 @@ piaddr(addr-address), (unsigned) addr-plen); } else { - /* Current practice is that all subnets are /64's, but - * some suspect this may not be permanent. + /* Prefixlen set to 128 since this is only an address. */ client_envadd(client, prefix, ip6_prefixlen, - %d, 64); + %d, 128); client_envadd(client, prefix, ip6_address, %s, piaddr(addr-address)); } --- a/debian/dhclient-script.linux +++ b/debian/dhclient-script.linux @@ -344,9 +344,9 @@ ;; BOUND6|RENEW6|REBIND6) -if [ ${new_ip6_address} ] [ ${new_ip6_prefixlen} ]; then +if [ ${new_ip6_address} ]; then # set leased IP -ip -6 addr add ${new_ip6_address}/${new_ip6_prefixlen} \ +ip -6 addr add ${new_ip6_address}/128 \ dev ${interface} scope global fi @@ -360,23 +360,19 @@ ;; DEPREF6) -if [ -z ${cur_ip6_prefixlen} ]; then -exit_with_hooks 2 -fi - # set preferred lifetime of leased IP to 0 -ip -6 addr change ${cur_ip6_address}/${cur_ip6_prefixlen} \ +ip -6 addr change ${cur_ip6_address}/128 \ dev ${interface} scope global preferred_lft 0 ;; EXPIRE6|RELEASE6|STOP6) -if [ -z ${old_ip6_address} ] || [ -z ${old_ip6_prefixlen} ]; then +if [ -z ${old_ip6_address} ]; then exit_with_hooks 2 fi # delete leased IP -ip -6 addr del ${old_ip6_address}/${old_ip6_prefixlen} \ +ip -6 addr del ${old_ip6_address}/128 \ dev ${interface} ;;