Re: DHCPDv6 in non-vnet jail
On Wed, Mar 30, 2022 at 02:45:17PM +0200, Ronald Klop wrote:
> Hi,
>
> First. I'm not an IPv6 expert. Got it running at home. Although with SLAAC,
> not DHCP yet.
> Another disclaimer is that I use VNET-jails nowadays.
> But I like to try and think along with you.
>
> What surprises me is that your non-vnet jail does not have a LINKLOCAL
> fe80::: address. These addresses are used for configuration in the local
> network (AFAIK).
> And your routing table does not contain a line like this:
> ff02::/16 ::1 UGRS
> lo0
>
> So how is the ff02:: multicast routed in your network?
>
> But the tcpdump shows that the multicast solicit message is received on the
> non-vnet dhcp-server so that seems to work:
> 18:02:51.229813 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client >
> ff02::1:2.dhcpv6-server: dhcp6 solicit
> I don't know if the dhcp-server program also sees this request coming in on
> its interface. Maybe extra logging can help there.
>
> According to https://en.wikipedia.org/wiki/DHCPv6#Example the dhcp-server
> would reply with a link-local fe80:: address.
> "Server replies with an advertise from [fe80::0011:22ff:fe33:5566]:547 to
> [fe80::aabb:ccff:fedd:eeff]:546."
> But your dhcp-server does not have an fe80::.
>
> So I'm wondering how that would work.
>
> More questions than answers. But I hope it helps.
>
> Regards,
> Ronald.
Hello,
It helps narrow down the search! I created a small lab and this is
jail.conf:
path = "/usr/jails/${name}";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
dhcp {
host.hostname= dhcp.hal9000.meka.rs;
host.domainname = hal9000.meka.rs;
ip4.addr = 'bridge0|172.16.0.250';
ip6.addr = 'bridge0|fd10:6c79:8ae5:8b91::3';
ip6.addr+= 'bridge0|fe80::dead:beef';
enforce_statfs = 1;
sysvshm = new;
sysvsem = new;
devfs_ruleset= 7;
allow.chflags;
allow.mount.devfs;
allow.mount.procfs;
allow.mount;
allow.mount.devfs;
allow.mount.procfs;
allow.mount.nullfs;
allow.mount.tmpfs;
allow.socket_af;
allow.raw_sockets;
persist;
}
client {
$id = 10;
host.hostname= client.hal9000.meka.rs;
host.domainname = hal9000.meka.rs;
enforce_statfs = 1;
sysvshm = new;
sysvsem = new;
devfs_ruleset= 8;
allow.chflags;
allow.mount.devfs;
allow.mount.procfs;
allow.mount;
allow.mount.devfs;
allow.mount.procfs;
allow.mount.nullfs;
allow.mount.tmpfs;
allow.socket_af;
allow.raw_sockets;
persist;
vnet;
vnet.interface = "epair${id}b";
exec.prestart= "ifconfig epair${id} create up";
exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
exec.prestart += "ifconfig bridge0 addm epair${id}a up";
exec.prestop = "ifconfig epair${id}b -vnet ${name}";
exec.poststop= "ifconfig bridge00 deletem epair${id}a";
exec.poststop += "ifconfig epair${id}a destroy";
}
Note the "dead:beef" address. Even if I remove that line I get the same
output of ifconfig inside dhcp jail:
ifconfig
re0: flags=8843 metric 0 mtu 1500
options=8209b
ether bc:ae:c5:e1:31:d0
media: Ethernet autoselect (1000baseT )
status: active
nd6 options=23
lo0: flags=8049 metric 0 mtu 16384
options=680003
groups: lo
nd6 options=21
bridge0: flags=8843 metric 0 mtu 1500
description: re0
ether 58:9c:fc:10:ff:90
inet 172.16.0.250 netmask 0x broadcast 172.16.0.250
inet6 fd10:6c79:8ae5:8b91::3 prefixlen 128
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair10a flags=143
ifmaxaddr 0 port 5 priority 128 path cost 2000
groups: bridge
nd6 options=21
pflog0: flags=141 metric 0 mtu 33160
groups: pflog
epair10a: flags=8943 metric 0
mtu 1500
description: vnet-client
options=8
ether 02:82:6f:d8:f0:0a
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T )
status: active
nd6 options=29
And this is relevant portion of /etc/rc.conf:
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 172.16.0.254 netmask 255.255.255.0 description re0"
ifconfig_bridge0_ipv6="inet6 -ifdisabled auto_linklocal fd10:6c79:8ae5:8b91::1"
The following is ifconfig on host
re0: flags=8843 metric 0 mtu 1500
options=8209b
ether bc:ae:c5:e1:31:d0
inet6 fe80::beae:c5ff:fee1:31d0%re0 prefixlen 64 scopeid 0x1
inet6 2001:470:1f1a:ae:beae:c5ff:fee1:31d0 prefixlen 64 autoconf
inet 192.168.111.3 netmask 0xff00 broadcast 192.168.111.255
media: Ethernet autoselect (1000baseT )
status: active
nd6 options=23
lo0: flags=8049 metric 0 mtu 16384
Re: DHCPDv6 in non-vnet jail
Hi,
First. I'm not an IPv6 expert. Got it running at home. Although with SLAAC, not
DHCP yet.
Another disclaimer is that I use VNET-jails nowadays.
But I like to try and think along with you.
What surprises me is that your non-vnet jail does not have a LINKLOCAL fe80:::
address. These addresses are used for configuration in the local network
(AFAIK).
And your routing table does not contain a line like this:
ff02::/16 ::1 UGRSlo0
So how is the ff02:: multicast routed in your network?
But the tcpdump shows that the multicast solicit message is received on the
non-vnet dhcp-server so that seems to work:
18:02:51.229813 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client >
ff02::1:2.dhcpv6-server: dhcp6 solicit
I don't know if the dhcp-server program also sees this request coming in on its
interface. Maybe extra logging can help there.
According to https://en.wikipedia.org/wiki/DHCPv6#Example the dhcp-server would
reply with a link-local fe80:: address.
"Server replies with an advertise from [fe80::0011:22ff:fe33:5566]:547 to
[fe80::aabb:ccff:fedd:eeff]:546."
But your dhcp-server does not have an fe80::.
So I'm wondering how that would work.
More questions than answers. But I hope it helps.
Regards,
Ronald.
Van: "Goran Mekic"
Datum: dinsdag, 29 maart 2022 18:11
Aan: Ronald Klop
CC: freebsd-current@freebsd.org, "Bjoern A. Zeeb"
Onderwerp: Re: DHCPDv6 in non-vnet jail
On Tue, Mar 29, 2022 at 12:14:20PM +0200, Ronald Klop wrote:
> I think it will help if you share more of your configuration/logs.
Inside non-vnet jail, this is ifconfig output
cbsd0: flags=8843 metric 0 mtu 1500
description: lagg0
ether 58:9c:fc:10:9b:75
inet 172.16.0.253 netmask 0x broadcast 172.16.0.253
inet6 fd10:6c79:8ae5:8b91::2 prefixlen 128
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair1a flags=143
ifmaxaddr 0 port 7 priority 128 path cost 2000
member: epair5a flags=143
ifmaxaddr 0 port 11 priority 128 path cost 2000
member: epair4a flags=143
ifmaxaddr 0 port 10 priority 128 path cost 2000
member: epair3a flags=143
ifmaxaddr 0 port 9 priority 128 path cost 2000
member: epair2a flags=143
ifmaxaddr 0 port 8 priority 128 path cost 2000
groups: bridge
nd6 options=21
There are bunch of other interfaces, but only cbsd0 (bridge interface)
is set up with ip address.
netstat -rn
Routing tables
Internet:
DestinationGatewayFlags Netif Expire
172.16.0.253 link#4 UHcbsd0
Internet6:
Destination Gateway Flags Netif
Expire
fd10:6c79:8ae5:8b91::2link#4UHS lo0
grep -v '^#' /usr/local/etc/dhcpd6.conf
default-lease-time 2592000;
preferred-lifetime 604800;
option dhcp-renewal-time 3600;
option dhcp-rebinding-time 7200;
allow leasequery;
option dhcp6.name-servers 3ffe:501::100:200:ff:fe00:3f3e;
option dhcp6.domain-search "test.example.com","example.com";
option dhcp6.info-refresh-time 21600;
dhcpv6-lease-file-name "/var/db/dhcpd6/dhcpd6.leases";
subnet6 fd10:6c79:8ae5:8b91::/64 {
range6 fd10:6c79:8ae5:8b91::/64;
}
ls -l /dev
total 1
crw--- 1 root wheel 0x26 Mar 29 17:35 bpf
lrwxr-xr-x 1 root wheel 3 Mar 28 09:31 bpf0 -> bpf
crw-rw-rw- 1 root wheel 0x4a Mar 26 15:54 crypto
dr-xr-xr-x 2 root wheel512 Mar 29 03:38 fd
crw-rw-rw- 1 root wheel 0x2a Mar 29 18:00 null
crw-rw 1 root nsd0x1a5 Mar 24 23:45 pf
crw-rw 1 root nsd 0x4b Mar 26 15:54 pfil
dr-xr-xr-x 2 root wheel512 Mar 28 09:31 pts
crw-r--r-- 1 root wheel0x8 Mar 24 23:45 random
lrwxr-xr-x 1 root wheel 4 Mar 28 09:31 stderr -> fd/2
lrwxr-xr-x 1 root wheel 4 Mar 28 09:31 stdin -> fd/0
lrwxr-xr-x 1 root wheel 4 Mar 28 09:31 stdout -> fd/1
lrwxr-xr-x 1 root wheel 6 Mar 28 09:31 urandom -> random
crw-rw-rw- 1 root wheel 0x2b Mar 26 15:54 zero
On the host I have /etc/rtadvd.conf:
cbsd0:addr="fd10:6c79:8ae5:8b91::":raflags="m"
On the host ifconfig cbsd0
cbsd0: flags=8843 metric 0 mtu 1500
description: lagg0
ether 58:9c:fc:10:9b:75
inet 172.16.0.254 netmask 0xff00 broadcast 172.16.0.255
inet 172.16.1.254 netmask 0xff00 broadcast 172.16.1.255
inet 172.16.0.253 netmask 0x broadcast 172.16.0.253
inet6 fe80::5a9c:fcff:fe10:9b75%cbsd0 prefixlen 64 scopeid 0x4
inet6 fd10:6c79:8ae5:8b91::1 prefixlen 64
inet6 fd10:6c79:8ae5:8b91::2 prefixlen 128
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00
Re: DHCPDv6 in non-vnet jail
On Tue, Mar 29, 2022 at 05:21:13PM +0200, Marek Zarychta wrote: > Running DHCPv6 in a jail is possible and pretty straigtforward if > /dev/bpf is exposed, but I have never tried to run rtadvd(8) in the > jail. The net/isc-dhcp44-server works flawlessy in dedicated DHCPv6 > reduntant jails without VNET, but the RA is always done on the core > switches for all suppoted subnets in my case. Please consider that > DHCPv6 is never replacement, but addition to properly confiugred RA. I ran rtadvd inside jail just to see if RA messages are going back and forth as I suspected I'm blocking something. Otherwise, I'm running rtadvd on the host. If I understand it right, rtadvd's raflags="m" should tell rtsold to run external script. I'm just running it by hand so I use the least amount of software possible. Is that wrong? Should dhcp6c be run with rtsold -M? I tried with rtsold_flags="-a -M /usr/local/bin/dhcp6c" without luck. Regards, meka signature.asc Description: PGP signature
Re: DHCPDv6 in non-vnet jail
On Tue, Mar 29, 2022 at 12:14:20PM +0200, Ronald Klop wrote:
> I think it will help if you share more of your configuration/logs.
Inside non-vnet jail, this is ifconfig output
cbsd0: flags=8843 metric 0 mtu 1500
description: lagg0
ether 58:9c:fc:10:9b:75
inet 172.16.0.253 netmask 0x broadcast 172.16.0.253
inet6 fd10:6c79:8ae5:8b91::2 prefixlen 128
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair1a flags=143
ifmaxaddr 0 port 7 priority 128 path cost 2000
member: epair5a flags=143
ifmaxaddr 0 port 11 priority 128 path cost 2000
member: epair4a flags=143
ifmaxaddr 0 port 10 priority 128 path cost 2000
member: epair3a flags=143
ifmaxaddr 0 port 9 priority 128 path cost 2000
member: epair2a flags=143
ifmaxaddr 0 port 8 priority 128 path cost 2000
groups: bridge
nd6 options=21
There are bunch of other interfaces, but only cbsd0 (bridge interface)
is set up with ip address.
netstat -rn
Routing tables
Internet:
DestinationGatewayFlags Netif Expire
172.16.0.253 link#4 UHcbsd0
Internet6:
Destination Gateway Flags Netif
Expire
fd10:6c79:8ae5:8b91::2link#4UHS lo0
grep -v '^#' /usr/local/etc/dhcpd6.conf
default-lease-time 2592000;
preferred-lifetime 604800;
option dhcp-renewal-time 3600;
option dhcp-rebinding-time 7200;
allow leasequery;
option dhcp6.name-servers 3ffe:501::100:200:ff:fe00:3f3e;
option dhcp6.domain-search "test.example.com","example.com";
option dhcp6.info-refresh-time 21600;
dhcpv6-lease-file-name "/var/db/dhcpd6/dhcpd6.leases";
subnet6 fd10:6c79:8ae5:8b91::/64 {
range6 fd10:6c79:8ae5:8b91::/64;
}
ls -l /dev
total 1
crw--- 1 root wheel 0x26 Mar 29 17:35 bpf
lrwxr-xr-x 1 root wheel 3 Mar 28 09:31 bpf0 -> bpf
crw-rw-rw- 1 root wheel 0x4a Mar 26 15:54 crypto
dr-xr-xr-x 2 root wheel512 Mar 29 03:38 fd
crw-rw-rw- 1 root wheel 0x2a Mar 29 18:00 null
crw-rw 1 root nsd0x1a5 Mar 24 23:45 pf
crw-rw 1 root nsd 0x4b Mar 26 15:54 pfil
dr-xr-xr-x 2 root wheel512 Mar 28 09:31 pts
crw-r--r-- 1 root wheel0x8 Mar 24 23:45 random
lrwxr-xr-x 1 root wheel 4 Mar 28 09:31 stderr -> fd/2
lrwxr-xr-x 1 root wheel 4 Mar 28 09:31 stdin -> fd/0
lrwxr-xr-x 1 root wheel 4 Mar 28 09:31 stdout -> fd/1
lrwxr-xr-x 1 root wheel 6 Mar 28 09:31 urandom -> random
crw-rw-rw- 1 root wheel 0x2b Mar 26 15:54 zero
On the host I have /etc/rtadvd.conf:
cbsd0:addr="fd10:6c79:8ae5:8b91::":raflags="m"
On the host ifconfig cbsd0
cbsd0: flags=8843 metric 0 mtu 1500
description: lagg0
ether 58:9c:fc:10:9b:75
inet 172.16.0.254 netmask 0xff00 broadcast 172.16.0.255
inet 172.16.1.254 netmask 0xff00 broadcast 172.16.1.255
inet 172.16.0.253 netmask 0x broadcast 172.16.0.253
inet6 fe80::5a9c:fcff:fe10:9b75%cbsd0 prefixlen 64 scopeid 0x4
inet6 fd10:6c79:8ae5:8b91::1 prefixlen 64
inet6 fd10:6c79:8ae5:8b91::2 prefixlen 128
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair1a flags=143
ifmaxaddr 0 port 7 priority 128 path cost 2000
member: epair5a flags=143
ifmaxaddr 0 port 11 priority 128 path cost 2000
member: epair4a flags=143
ifmaxaddr 0 port 10 priority 128 path cost 2000
member: epair3a flags=143
ifmaxaddr 0 port 9 priority 128 path cost 2000
member: epair2a flags=143
ifmaxaddr 0 port 8 priority 128 path cost 2000
groups: bridge
nd6 options=21
> Besides you can take a look with tcpdump/wireshark on what happens on
> different interfaces of your machines to see the traffic flow between client
> and server.
Running tcpdump -i cbsd0 ip6 inside the non-vnet:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on cbsd0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:02:29.081325 IP6 fe80::5a9c:fcff:fe10:9b75.10482 > ff12::8384.21027: UDP,
length 322
18:02:51.229813 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client >
ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:52.338420 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client >
ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:54.444709 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client >
ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:58.449268 IP6 fe80::2a0:98ff:fe7d:cad.dhcpv6-client >
ff02::1:2.dhcpv6-server: dhcp6 solicit
18:02:59.083071
Re: DHCPDv6 in non-vnet jail
Dnia Tue, Mar 29, 2022 at 10:11:29AM +0200, Goran Mekić napisał(a): > On Sun, Mar 27, 2022 at 02:34:11PM +, Bjoern A. Zeeb wrote: > > I assume you have /dev/bpf available inside that jail by a devfs rule so > > effectively you have all network interfaces and traffic available? > As a form of test I've put rtadvd inside the same non-vnet jail and I > can see RA message arrive to the vnet jail. I though I "disconnected" > something concerning IPv6, but that's obviously not the case. > > Let's take a step back. Is there any howto/tutorial on how to put > isc-dhcpd6 in a non-vnet jail? I don't care if it's jail.conf or some > jail manager. Can I somehow see where packets end up, like dtrace? > Should I try some other server/client for DHCPv6? If I can make it work > in any scenario, that would be good starting point for me to figure out > what's wrong with my current setup. > > Regards, > meka Running DHCPv6 in a jail is possible and pretty straigtforward if /dev/bpf is exposed, but I have never tried to run rtadvd(8) in the jail. The net/isc-dhcp44-server works flawlessy in dedicated DHCPv6 reduntant jails without VNET, but the RA is always done on the core switches for all suppoted subnets in my case. Please consider that DHCPv6 is never replacement, but addition to properly confiugred RA. Best regards, -- Marek Zarychta
Re: DHCPDv6 in non-vnet jail
Van: "Goran Mekic" Datum: dinsdag, 29 maart 2022 10:11 Aan: "Bjoern A. Zeeb" CC: freebsd-current@freebsd.org Onderwerp: Re: DHCPDv6 in non-vnet jail On Sun, Mar 27, 2022 at 02:34:11PM +, Bjoern A. Zeeb wrote: > I assume you have /dev/bpf available inside that jail by a devfs rule so > effectively you have all network interfaces and traffic available? As a form of test I've put rtadvd inside the same non-vnet jail and I can see RA message arrive to the vnet jail. I though I "disconnected" something concerning IPv6, but that's obviously not the case. Let's take a step back. Is there any howto/tutorial on how to put isc-dhcpd6 in a non-vnet jail? I don't care if it's jail.conf or some jail manager. Can I somehow see where packets end up, like dtrace? Should I try some other server/client for DHCPv6? If I can make it work in any scenario, that would be good starting point for me to figure out what's wrong with my current setup. Regards, meka Hi, I think it will help if you share more of your configuration/logs. Besides you can take a look with tcpdump/wireshark on what happens on different interfaces of your machines to see the traffic flow between client and server. Regards, Ronald.
Re: DHCPDv6 in non-vnet jail
On Sun, Mar 27, 2022 at 02:34:11PM +, Bjoern A. Zeeb wrote: > I assume you have /dev/bpf available inside that jail by a devfs rule so > effectively you have all network interfaces and traffic available? As a form of test I've put rtadvd inside the same non-vnet jail and I can see RA message arrive to the vnet jail. I though I "disconnected" something concerning IPv6, but that's obviously not the case. Let's take a step back. Is there any howto/tutorial on how to put isc-dhcpd6 in a non-vnet jail? I don't care if it's jail.conf or some jail manager. Can I somehow see where packets end up, like dtrace? Should I try some other server/client for DHCPv6? If I can make it work in any scenario, that would be good starting point for me to figure out what's wrong with my current setup. Regards, meka signature.asc Description: PGP signature
Re: DHCPDv6 in non-vnet jail
On Sun, Mar 27, 2022 at 02:34:11PM +, Bjoern A. Zeeb wrote: > I assume you have /dev/bpf available inside that jail by a devfs rule so > effectively you have all network interfaces and traffic available? You assume right, as I needed it for IPv4 DHCPD. > You could send the error isc-dhcpd6 gives you? > > /bz Up until now I didn't see it (I probably missed it before) but I have this: unable to create icmp socket: Operation not permitted I changed jail settings to allow raw_sockets but I still see no log on the daemon side and same "Sending Solicit" on client side (dhcp6c -d -f). Daemon side is non-vnet jail, client side is vnet jail. Same two jails have successfull IPv4 DHCP working. I have rtadvd working on host and the same vnet jail picks it up via rtsold, so I'm just guessing the client side is working. Regards, meka signature.asc Description: PGP signature
Re: DHCPDv6 in non-vnet jail
On 26 Mar 2022, at 22:29, Goran Mekić wrote: Hello, I'm trying to run isc-dhcpd6 service inside a non-vnet jail without success. I already have isc-dhcpd in the same jail working, so I hoped v6 is similar enough for it not to require anything special, and I'm obviously wrong, as running the same config on the host itself works. I am using bridge interface in the non-vnet jail to set IPv4 and IPv6 address and as an interface for isc-dhcpd. I assume you have /dev/bpf available inside that jail by a devfs rule so effectively you have all network interfaces and traffic available? I know I can't just assume that if something works on IPv4 will work on IPv6 too, but could you help me understand what is missing? Is it even possible to have isc-dhcpd6 in a non-vnet jail? If not, why, if yes, what am I doing wrong? Forgive me for not sending the full config as it would make this mail huge. I'm thinking if there's something obviously wrong in my asumption that isc-dhcpd6 can work in non-vnet jail, config wouldn't be much of the help, but if that's not the case I'll be happy to send any jail and related configuration. You could send the error isc-dhcpd6 gives you? /bz
DHCPDv6 in non-vnet jail
Hello, I'm trying to run isc-dhcpd6 service inside a non-vnet jail without success. I already have isc-dhcpd in the same jail working, so I hoped v6 is similar enough for it not to require anything special, and I'm obviously wrong, as running the same config on the host itself works. I am using bridge interface in the non-vnet jail to set IPv4 and IPv6 address and as an interface for isc-dhcpd. I know I can't just assume that if something works on IPv4 will work on IPv6 too, but could you help me understand what is missing? Is it even possible to have isc-dhcpd6 in a non-vnet jail? If not, why, if yes, what am I doing wrong? Forgive me for not sending the full config as it would make this mail huge. I'm thinking if there's something obviously wrong in my asumption that isc-dhcpd6 can work in non-vnet jail, config wouldn't be much of the help, but if that's not the case I'll be happy to send any jail and related configuration. Regards, meka signature.asc Description: PGP signature
