Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

2014-07-09 Thread Florent Fourcot 
Hello,

for information, the new release of isc-dhcp provides an option to
change the prefix length:

 The prefix length passed to the dhclient script can now be modified
 at compile time by editing the includes/site.h file and #defineing
 DHCLIENT_DEFAULT_PREFIX_LEN.  By default it is set to 64 in order
 to minimize any disruptions to running systems.  A description of
 some of the issues and some other workarounds can be found at:
 https://kb.isc.org/article/AA-01141/31/How-to-workaround-IPv6-prefix-length-issues-with-ISC-DHCP-clients.html


However, since it has to be set at compiling time, it does not solve the
problem for Debian users.

Regards,

Florent.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

2014-01-15 Thread Ralf Schlatterbeck 
On Tue, Jan 14, 2014 at 02:11:55PM +0100, Florent Fourcot wrote:
 
 I did not see anything new in your patches, the patch of Arne Nordmark
 already includes your changes (and some others, covering more cases).
 
 Second, the /128 of ${new_ip6_address}/128 can probably be removed. An
 address without prefix is set to /128 by default.

Thanks, you're right, the other patch is more complete, I didn't notice
there already was a patch.

Do you know more than us mere mortals about ISC's plans to fix this bug?

Thanks
Ralf
-- 
Ralf Schlatterbeck email: r...@zoo.priv.at


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

2014-01-14 Thread Ralf Schlatterbeck 
Note that dhclient does not itself configures the interface but instead
calls the shellscript /sbin/dhclient-script to do the work. So a quick
workaround is to patch that script to use a fixed netmask of /128
(patch attached).

The real fix is to hand a fixed /128 netmask to the dhclient-script from
the daemon. This patches C-code in dhclient (patch attached).

Note that the dhcpv6 protocol doesn't have an option for a netmask. So
it is always /128 and routing is left to icmpv6 router advertisements.

That also means that the option accept_ra of the dhcp method for the
INET6 address family in /etc/network/interfaces (see interfaces(5) man
page) probably should be on by default or completely removed. In
addition maybe a fixed netmask should be configurable (see excerpts from
RFC5942 below).

Just some more facts regarding this issue:
RFC 5942 is very clear about a DHCP client inventing a prefix:

RFC5942, p.7 under Host Rules:

   1.  The assignment of an IPv6 address -- whether through IPv6
   stateless address autoconfiguration [RFC4862], DHCPv6 [RFC3315],
   or manual configuration -- MUST NOT implicitly cause a prefix
   derived from that address to be treated as on-link and added to
   the Prefix List.  ...


and on p.8 under the heading Observed Incorrect Implementation Behavior:

   ...  An address
   could be acquired through the DHCPv6 identity association for non-
   temporary addresses (IA_NA) option from [RFC3315] (which does not
   include a prefix length), or through manual configuration (if no
   prefix length is specified).  The host incorrectly assumes an
   invented prefix is on-link.  This invented prefix typically is a /64
   that was written by the developer of the operating system network
   module API to any IPv6 application as a default prefix length when
   a length isn't specified...


I sincerely hope this gets fixed in the next release of dhcpd. Note that
I've also filed an upstream report with issue number #35178 (before I
knew about this debian report) and I'm surprised the currently scheduled
4.3.0a1 release doesn't yet have the fix.

Ralf
-- 
Ralf Schlatterbeck email: r...@zoo.priv.at
--- /sbin/dhclient-script.orig	2013-05-27 23:00:32.0 +0200
+++ /sbin/dhclient-script	2014-01-10 17:08:13.0 +0100
@@ -344,9 +344,9 @@
 ;;
 
 BOUND6|RENEW6|REBIND6)
-if [ ${new_ip6_address} ]  [ ${new_ip6_prefixlen} ]; then
+if [ ${new_ip6_address} ]; then
 # set leased IP
-ip -6 addr add ${new_ip6_address}/${new_ip6_prefixlen} \
+ip -6 addr add ${new_ip6_address}/128 \
 dev ${interface} scope global
 fi
 
--- client/dhc6.c.orig	2014-01-14 13:18:41.0 +0100
+++ client/dhc6.c	2014-01-14 13:19:06.0 +0100
@@ -3841,11 +3841,8 @@
   piaddr(addr-address),
   (unsigned) addr-plen);
 		} else {
-			/* Current practice is that all subnets are /64's, but
-			 * some suspect this may not be permanent.
-			 */
 			client_envadd(client, prefix, ip6_prefixlen,
-  %d, 64);
+  %d, 128);
 			client_envadd(client, prefix, ip6_address,
   %s, piaddr(addr-address));
 		}

Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

2014-01-14 Thread Florent Fourcot 
Hello,


 Note that dhclient does not itself configures the interface but instead
 calls the shellscript /sbin/dhclient-script to do the work. So a quick
 workaround is to patch that script to use a fixed netmask of /128
 (patch attached).
 

I did not see anything new in your patches, the patch of Arne Nordmark
already includes your changes (and some others, covering more cases).

Second, the /128 of ${new_ip6_address}/128 can probably be removed. An
address without prefix is set to /128 by default.

Regards,

Florent.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

2012-08-06 Thread Arne Nordmark 

Package: isc-dhcp-client
Version: 4.2.2.dfsg.1-5
Severity: normal
Tags: upstream ipv6 patch

dhclient unconditionally assumes an on-link prefix matching the address 
and with a length of 64 when setting an IPv6 address. Like routing 
information, on-link prefix information is not part of the DHCPv6 
protocol, so this is just a guess from the part of dhclient.


RFC 5942 asserts that on-link prefixes and addresses are independent 
concepts, and on-link prefix information must only come from Router 
Advertisements or manual configuration. Section 5 specifically points 
out that a /64 prefix must not be assumed.


In my case where a /112 prefix is used, the routing table becomes

nordmark@strix:~$ ip -6 route
2001:6b0:1:1e90::40:0/112 dev wlan0  proto kernel  metric 256  expires 
2592301sec

2001:6b0:1:1e90::/64 dev wlan0  proto kernel  metric 256
default via fe80::92e6:baff:fe68:ce8f dev wlan0  proto kernel  metric 
1024 expires 1777sec


and hosts sharing the /64 prefix but not the /112 are falsely determined 
as being on-link, and have become unreachable.


This is (probably, the bug tracking is closed so I can not verify) 
reported upstream as ISC-Bugs #29468.


The corresponding bug where Network Manager wrongly trusts the prefix 
length information from dhclient is #661885.


The incuded patch removes the use of the bogus ip6_prefixlen variables 
from dhclient-script and uses /128 when setting an address. Should other 
programs use these variables, they are hard coded as 128 instead of 64.


Arne


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages isc-dhcp-client depends on:
ii  debianutils  4.3.2
ii  iproute  20120521-3
ii  isc-dhcp-common  4.2.2.dfsg.1-5
ii  libc62.13-33

isc-dhcp-client recommends no packages.

Versions of packages isc-dhcp-client suggests:
ii  avahi-autoipd  0.6.31-1
ii  resolvconf 1.67

-- no debconf information
--- a/client/dhc6.c
+++ b/client/dhc6.c
@@ -3899,11 +3899,10 @@
   piaddr(addr-address),
   (unsigned) addr-plen);
 		} else {
-			/* Current practice is that all subnets are /64's, but
-			 * some suspect this may not be permanent.
+			/* Prefixlen set to 128 since this is only an address.
 			 */
 			client_envadd(client, prefix, ip6_prefixlen,
-  %d, 64);
+  %d, 128);
 			client_envadd(client, prefix, ip6_address,
   %s, piaddr(addr-address));
 		}
--- a/debian/dhclient-script.linux
+++ b/debian/dhclient-script.linux
@@ -344,9 +344,9 @@
 ;;
 
 BOUND6|RENEW6|REBIND6)
-if [ ${new_ip6_address} ]  [ ${new_ip6_prefixlen} ]; then
+if [ ${new_ip6_address} ]; then
 # set leased IP
-ip -6 addr add ${new_ip6_address}/${new_ip6_prefixlen} \
+ip -6 addr add ${new_ip6_address}/128 \
 dev ${interface} scope global
 fi
 
@@ -360,23 +360,19 @@
 ;;
 
 DEPREF6)
-if [ -z ${cur_ip6_prefixlen} ]; then
-exit_with_hooks 2
-fi
-
 # set preferred lifetime of leased IP to 0
-ip -6 addr change ${cur_ip6_address}/${cur_ip6_prefixlen} \
+ip -6 addr change ${cur_ip6_address}/128 \
 dev ${interface} scope global preferred_lft 0
 
 ;;
 
 EXPIRE6|RELEASE6|STOP6)
-if [ -z ${old_ip6_address} ] || [ -z ${old_ip6_prefixlen} ]; then
+if [ -z ${old_ip6_address} ]; then
 exit_with_hooks 2
 fi
 
 # delete leased IP
-ip -6 addr del ${old_ip6_address}/${old_ip6_prefixlen} \
+ip -6 addr del ${old_ip6_address}/128 \
 dev ${interface}
 
 ;;