Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Tue, Jan 07, 2014 at 12:49:15PM +0100, Hannes Frederic Sowa wrote:
> Yes it is and I fixed that yesterday. I guess, I should ask that the patch
> should be pushed to stable.

Sorry, forgot the link:
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=88ad31491e21f5dec347911d9804c673af414a09

Greetings,

  Hannes

Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Tue, Jan 07, 2014 at 12:42:43PM +0100, Tore Anderson wrote:
> * Hannes Frederic Sowa
> 
> > It also had some affect of anycast address generation.
> > 
> >> But you are right, essentially it should work but some assumptions were
> >> made in the kernel which should have been checked first.
> > 
> > I guess they're switching back to 64 while suppressing automatically addding
> > prefix routes:
> > 
> >   
> > 
> > This feature should also be available in iproute then.
> 
> Could you elaborate on the anycast address generation problem?

Kernel did also install an subnet-all-router anycast address if the
prefixlen was 128. If you have NM and also e.g. libvirt, which may
enable ipv6 forwarding, the same /128 got installed as an anycast address
(see /proc/net/anycast6). I did not see any breakage, but it could defer ndisc
responses.

> Reason I'm asking is that even though the patch you linked to allow NM
> to return to adding /64s in the case of SLAAC, there's still DHCPv6
> IA_NA which are always /128, yet possibly in combination with arbitrary
> prefix length onlink routes (if PIO exists in RA with A=0, L=1). I'm
> thinking that perhaps this anycast address generation problem could be
> present in that case too?

Yes it is and I fixed that yesterday. I guess, I should ask that the patch
should be pushed to stable.

Greetings,

  Hannes

Re: IPv6 broken on Fedora 20?

[Tore Anderson]

* Hannes Frederic Sowa

> It also had some affect of anycast address generation.
> 
>> But you are right, essentially it should work but some assumptions were
>> made in the kernel which should have been checked first.
> 
> I guess they're switching back to 64 while suppressing automatically addding
> prefix routes:
> 
>   
> 
> This feature should also be available in iproute then.

Could you elaborate on the anycast address generation problem?

Reason I'm asking is that even though the patch you linked to allow NM
to return to adding /64s in the case of SLAAC, there's still DHCPv6
IA_NA which are always /128, yet possibly in combination with arbitrary
prefix length onlink routes (if PIO exists in RA with A=0, L=1). I'm
thinking that perhaps this anycast address generation problem could be
present in that case too?

Tore

Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Thu, Dec 19, 2013 at 07:14:24PM +0100, Hannes Frederic Sowa wrote:
> > Once you're doing that, it's probably easier to handle L=1 by simply
> > adding the on-link route directly, rather than adding the address as a
> > /64 and relying on the kernel to add the route for you. The two should
> > result in the same functionality, though, so I'm don't really understand
> > what's actually broken here.
> 
> I guess it breaks generation of privacy addresses.

It also had some affect of anycast address generation.

> But you are right, essentially it should work but some assumptions were
> made in the kernel which should have been checked first.

I guess they're switching back to 64 while suppressing automatically addding
prefix routes:

  

This feature should also be available in iproute then.

Greetings,

  Hannes

Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Thu, Dec 19, 2013 at 06:46:52PM +0100, Gert Doering wrote:
> Hi,
> 
> On Fri, Dec 20, 2013 at 01:28:20AM +0900, Lorenzo Colitti wrote:
> > Sigh. Why do we keep reinventing the wheel? What was wrong with the
> > in-kernel RA implementation?
> 
> On Linux, enough.  Like, not noticing when you change networks, and
> instead of flushing prefix information that is no longer valid
> (because you're not connected to that network anymore), blindly
> accumulating new prefixes for every network visited...  supposedly
> "this is for userland to notice and clean up", or so.

Yes, indeed, it is designed like that and notification hooks are available
to listen for such changes. Lorenzo did some work on autocleaning in the
kernel IIRC. Important thing is that TCP connections don't get dropped
when flushing the addresses. Seems like it was not accepted, Lorenzo?

Re: IPv6 broken on Fedora 20?

[Jason Berry]

Similar NM wonkiness going on in Ubuntu.
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1176415

Regards,
Jason


On Thu, Dec 19, 2013 at 10:14 AM, Hannes Frederic Sowa <
han...@stressinduktion.org> wrote:

> On Thu, Dec 19, 2013 at 06:59:56PM +0100, Tore Anderson wrote:
> > * Hannes Frederic Sowa
> >
> > > The kernel should install the IPv6 address with /64 prefixlen without
> also
> > > installing a prefix route for that subnet. Currently the kernel does
> this
> > > automatically.
> >
> > I don't think you can do that from user-space. If you add a /64 (any >
> > /128 really), you automatically get a on-link route too. At least I
> > cannot spot how to do it in ip-address(8). So the only way to deal with
> > the L=0 case when doing RA-processing in user-space is to add the
> > address as a /128.
>
> Since the current kernel has extended ifa_flags to 32 bit it is now very
> straightforward and easy to add such functionality (this was done for
> NM correctly supporting privacy addresses). I already had this on my
> todo list for some time but did not get to it.
>
> I still have to review how address and prefix route deletion should happen
> if
> this feature gets introduced.
>
> > Once you're doing that, it's probably easier to handle L=1 by simply
> > adding the on-link route directly, rather than adding the address as a
> > /64 and relying on the kernel to add the route for you. The two should
> > result in the same functionality, though, so I'm don't really understand
> > what's actually broken here.
>
> I guess it breaks generation of privacy addresses.
>
> But you are right, essentially it should work but some assumptions were
> made in the kernel which should have been checked first.
>
> Greetings,
>
>   Hannes
>
>

Re: IPv6 broken on Fedora 20?

[Simon Perreault]

Le 2013-12-19 11:46, Phil Mayers a écrit :

What does "ip -6 route" show on an affected box?


Ok, this is getting really strange. Maybe the "userspace RA listener" 
has just kicked in, because IPv6 is working, but config is still funny. 
A reboot doesn't change this, so it's a stable situation.



[simon@porto ~]$ ip -6 addr show scope global
3: em1:  mtu 1500 qlen 1000
inet6 2620:0:230:c000:3e97:eff:fe0b:dd8a/128 scope global dynamic
   valid_lft 2587315sec preferred_lft 2587315sec



[simon@porto ~]$ ip -6 route
[...]
2620:0:230:8000::2 via fe80::217:31ff:fe4d:f047 dev em1  proto static  metric 1
2620:0:230:c000::65 via fe80::217:31ff:fe4d:f047 dev em1  proto static  metric 1
2620:0:230:c000:3e97:eff:fe0b:dd8a dev em1  proto kernel  metric 256  expires 
2587222sec
2620:0:230:c000::/64 dev em1  proto static  metric 1
fe80::/64 dev em1  proto kernel  metric 256
default via fe80::217:31ff:fe4d:f047 dev em1  proto static  metric 1024


So my working hypothesis is that I did something that started the 
userspace RA listener and now things are working as intended by the 
NetworkManager devs. A bit funny-looking to me, but it still works.


Thanks all,
Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source--> http://ecdysis.viagenie.ca
STUN/TURN server   --> http://numb.viagenie.ca

Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Thu, Dec 19, 2013 at 06:59:56PM +0100, Tore Anderson wrote:
> * Hannes Frederic Sowa
> 
> > The kernel should install the IPv6 address with /64 prefixlen without also
> > installing a prefix route for that subnet. Currently the kernel does this
> > automatically.
> 
> I don't think you can do that from user-space. If you add a /64 (any >
> /128 really), you automatically get a on-link route too. At least I
> cannot spot how to do it in ip-address(8). So the only way to deal with
> the L=0 case when doing RA-processing in user-space is to add the
> address as a /128.

Since the current kernel has extended ifa_flags to 32 bit it is now very
straightforward and easy to add such functionality (this was done for
NM correctly supporting privacy addresses). I already had this on my
todo list for some time but did not get to it.

I still have to review how address and prefix route deletion should happen if
this feature gets introduced.

> Once you're doing that, it's probably easier to handle L=1 by simply
> adding the on-link route directly, rather than adding the address as a
> /64 and relying on the kernel to add the route for you. The two should
> result in the same functionality, though, so I'm don't really understand
> what's actually broken here.

I guess it breaks generation of privacy addresses.

But you are right, essentially it should work but some assumptions were
made in the kernel which should have been checked first.

Greetings,

  Hannes

Re: IPv6 broken on Fedora 20?

[Tore Anderson]

* Hannes Frederic Sowa

> The kernel should install the IPv6 address with /64 prefixlen without also
> installing a prefix route for that subnet. Currently the kernel does this
> automatically.

I don't think you can do that from user-space. If you add a /64 (any >
/128 really), you automatically get a on-link route too. At least I
cannot spot how to do it in ip-address(8). So the only way to deal with
the L=0 case when doing RA-processing in user-space is to add the
address as a /128.

Once you're doing that, it's probably easier to handle L=1 by simply
adding the on-link route directly, rather than adding the address as a
/64 and relying on the kernel to add the route for you. The two should
result in the same functionality, though, so I'm don't really understand
what's actually broken here.

Tore

Re: IPv6 broken on Fedora 20?

[Gert Doering]

Hi,

On Fri, Dec 20, 2013 at 01:28:20AM +0900, Lorenzo Colitti wrote:
> Sigh. Why do we keep reinventing the wheel? What was wrong with the
> in-kernel RA implementation?

On Linux, enough.  Like, not noticing when you change networks, and
instead of flushing prefix information that is no longer valid
(because you're not connected to that network anymore), blindly
accumulating new prefixes for every network visited...  supposedly
"this is for userland to notice and clean up", or so.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AGVorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444   USt-IdNr.: DE813185279

Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Thu, Dec 19, 2013 at 06:22:32PM +0100, S.P.Zeidler wrote:
> Thus wrote Hannes Frederic Sowa (han...@stressinduktion.org):
> 
> > The kernel should install the IPv6 address with /64 prefixlen without also
> > installing a prefix route for that subnet. Currently the kernel does this
> > automatically.
> 
> Thereby negating the point of netmasks, wouldn't it?

In some sense, yes. Maybe we have address generation for non /64 prefixes
someday. ;)

Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Fri, Dec 20, 2013 at 01:47:44AM +0900, Lorenzo Colitti wrote:
> On Fri, Dec 20, 2013 at 1:34 AM, Hannes Frederic Sowa <
> han...@stressinduktion.org> wrote:
> 
> > > > NM has a user-space RA listener.
> > > >
> > >
> > > Sigh. Why do we keep reinventing the wheel? What was wrong with the
> > > in-kernel RA implementation?
> >
> > I wondered myself and got this response:
> > http://www.spinics.net/lists/netdev/msg255581.html
> 
> 
> Hmm. It looks like the answer is:
> 
> 1. "We want to be able to send RS whenever we feel like it." They could
> have used disable_ipv6 for that, or they could have made a write to
> accept_ra cause an RS to be sent out. Failing that, an RS is not hard to
> generate - it's a multicast packet with no information in it.
> 
> 2. "The kernel doesn't give us enough information to parse RDNSS and DNSSL
> options correctly". Fair enough, though this still could have been fixed in
> the kernel.

I think this is already fixed.

> 3. The kernel doesn't give userspace any say in the process. If the sysctls
> are on, it does what the RA tells it to, and if they're off, then userspace
> doesn't see any of the advertisements. This is a better reason than the
> ones above. I was looking into fixing this using multiple routing tables.

What is your idea?

Semantics of multiple routing tables are already very complex. Think e.g.
about doing L=0 announcements and getting back redirects from a router. Which
routing table should we apply this update on? Hold state in the stack on
pings? Or just update all routing tables with new on-link information?

Same for UDP pmtu discovery.

Re: IPv6 broken on Fedora 20?

[S.P.Zeidler]

Thus wrote Hannes Frederic Sowa (han...@stressinduktion.org):

> The kernel should install the IPv6 address with /64 prefixlen without also
> installing a prefix route for that subnet. Currently the kernel does this
> automatically.

Thereby negating the point of netmasks, wouldn't it?

regards,
spz
-- 
s...@serpens.de (S.P.Zeidler)

Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Thu, Dec 19, 2013 at 05:59:45PM +0100, Tore Anderson wrote:
> * Simon Perreault wrote:
> 
> > Is there any other Fedora user on this list that could confirm this?
> 
> I can confirm that SLAAC-learned addresses are added as /128s on the
> interface, but I don't see how this is a problem, not to mention
> "broken"? The route to the on-link /64 does get correctly added here, at
> least.
> 
> FWIW: NetworkManager has started processing RAs in userspace, and
> without having confirmed it, I would guess that it simply deals with the
> A=1 and L=1 flags in two separate and independent passes, and that it's
> therefore easier to always do the A=1 part as /128. If it had always
> used /64 instead, you'd automatically get an on-link route, which in
> turn would break the A=1, L=0 case.

The kernel should install the IPv6 address with /64 prefixlen without also
installing a prefix route for that subnet. Currently the kernel does this
automatically.

Re: IPv6 broken on Fedora 20?

[Tore Anderson]

* Simon Perreault wrote:

> Is there any other Fedora user on this list that could confirm this?

I can confirm that SLAAC-learned addresses are added as /128s on the
interface, but I don't see how this is a problem, not to mention
"broken"? The route to the on-link /64 does get correctly added here, at
least.

FWIW: NetworkManager has started processing RAs in userspace, and
without having confirmed it, I would guess that it simply deals with the
A=1 and L=1 flags in two separate and independent passes, and that it's
therefore easier to always do the A=1 part as /128. If it had always
used /64 instead, you'd automatically get an on-link route, which in
turn would break the A=1, L=0 case.

Tore

Re: IPv6 broken on Fedora 20?

[Mikael Abrahamsson]

On Fri, 20 Dec 2013, Lorenzo Colitti wrote:

Sigh. Why do we keep reinventing the wheel? What was wrong with the 
in-kernel RA implementation?


If you want to support other ND/RA functionality than the kernel supports, 
this is a good idea. Personally I think having ND processing built into 
the kernel is a mistake.


--
Mikael Abrahamssonemail: swm...@swm.pp.se

Re: IPv6 broken on Fedora 20?

[Phil Mayers]

On 19/12/13 16:09, Simon Perreault wrote:

Is there any other Fedora user on this list that could confirm this?


Not on F20 yet.

What does "ip -6 route" show on an affected box?

I see why the NM guys might have gone down the "disable kernel autoconf, 
do it in userspace" but I wonder if they've shed their blindspots about 
legit but uncommon use-cases e.g. two routers on a prefix?

Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Thu, Dec 19, 2013 at 11:30:42AM -0500, Simon Perreault wrote:
> Le 2013-12-19 11:22, Hannes Frederic Sowa a écrit :
> >NM has a user-space RA listener.
> 
> Any pointers to documentation? I'm trying to investigate...

I guess that is a bug and there is no documentation on it yet. ;)
One could check git commits between latest fedora 19 and current f20
release point.

Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Fri, Dec 20, 2013 at 01:28:20AM +0900, Lorenzo Colitti wrote:
> On Fri, Dec 20, 2013 at 1:22 AM, Hannes Frederic Sowa <
> han...@stressinduktion.org> wrote:
> 
> > NM has a user-space RA listener.
> >
> 
> Sigh. Why do we keep reinventing the wheel? What was wrong with the
> in-kernel RA implementation?

I wondered myself and got this response:
http://www.spinics.net/lists/netdev/msg255581.html

How to unsubscribe from ipv6-ops (Was: IPv6 broken on Fedora 20?)

[Jeroen Massar]

On 2013-12-19 17:30 , McKnight, Joe wrote:
> Hi,  
> 
> I ended up on this listserve by mistake. Will someone please remove me? 

If you don't know how to unsubscribe from mailinglists you indeed do not
belong here.

>From the email-headers:

List-Id: IPv6 operators forum 
List-Unsubscribe: ,

List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,



That is standardized in RFC2369 btw.

Greets,
 Jeroen

Re: IPv6 broken on Fedora 20?

[Simon Perreault]

Le 2013-12-19 11:22, Hannes Frederic Sowa a écrit :

NM has a user-space RA listener.


Any pointers to documentation? I'm trying to investigate...

Thanks,
Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source--> http://ecdysis.viagenie.ca
STUN/TURN server   --> http://numb.viagenie.ca

RE: IPv6 broken on Fedora 20?

[McKnight, Joe]

Hi,  

I ended up on this listserve by mistake. Will someone please remove me? 

Thanks. 


-Original Message-
From: ipv6-ops-bounces+jmcknight=warren-news@lists.cluenet.de 
[mailto:ipv6-ops-bounces+jmcknight=warren-news@lists.cluenet.de] On Behalf 
Of Simon Perreault
Sent: Thursday, December 19, 2013 11:29 AM
To: Jeroen Massar; IPv6 Ops list
Subject: Re: IPv6 broken on Fedora 20?

Le 2013-12-19 11:16, Jeroen Massar a écrit :
> On 2013-12-19 17:09 , Simon Perreault wrote:
>> Is there any other Fedora user on this list that could confirm this?
>>
>> I filed a bug here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1045118
>
> net.ipv6.conf.em1.accept_ra = 0
>
> How do you expect that to work?

NetworkManager is supposed to adjust the kernel parameters to something that 
works. I, the dumb user, am just supposed to click on buttons.

If I disable NetworkManager and just do it manually, everything works. 
It's not the kernel that's broken, obviously.

Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source--> http://ecdysis.viagenie.ca
STUN/TURN server   --> http://numb.viagenie.ca

Re: IPv6 broken on Fedora 20?

[Simon Perreault]

Le 2013-12-19 11:16, Jeroen Massar a écrit :

On 2013-12-19 17:09 , Simon Perreault wrote:

Is there any other Fedora user on this list that could confirm this?

I filed a bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=1045118


net.ipv6.conf.em1.accept_ra = 0

How do you expect that to work?


NetworkManager is supposed to adjust the kernel parameters to something 
that works. I, the dumb user, am just supposed to click on buttons.


If I disable NetworkManager and just do it manually, everything works. 
It's not the kernel that's broken, obviously.


Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source--> http://ecdysis.viagenie.ca
STUN/TURN server   --> http://numb.viagenie.ca

Re: IPv6 broken on Fedora 20?

[Hannes Frederic Sowa]

On Thu, Dec 19, 2013 at 05:16:51PM +0100, Jeroen Massar wrote:
> On 2013-12-19 17:09 , Simon Perreault wrote:
> > Is there any other Fedora user on this list that could confirm this?
> > 
> > I filed a bug here:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1045118
> 
> net.ipv6.conf.em1.accept_ra = 0
> 
> How do you expect that to work?

NM has a user-space RA listener.

Re: IPv6 broken on Fedora 20?

[Jeroen Massar]

On 2013-12-19 17:09 , Simon Perreault wrote:
> Is there any other Fedora user on this list that could confirm this?
> 
> I filed a bug here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1045118

net.ipv6.conf.em1.accept_ra = 0

How do you expect that to work?

Change to either 1 or 2 (in case you want forwarding enabled but accept
RA nevertheless).

Greets,
 Jeroen

IPv6 broken on Fedora 20?

[Simon Perreault]

Is there any other Fedora user on this list that could confirm this?

I filed a bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=1045118

Thanks,
Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source--> http://ecdysis.viagenie.ca
STUN/TURN server   --> http://numb.viagenie.ca

Re: IPv6 broken on Fedora 20?

[Jared Mauch]

I am using Fedora 20 but not with SLAAC, sorry.

- Jared

On Dec 19, 2013, at 11:09 AM, Simon Perreault  
wrote:

> Is there any other Fedora user on this list that could confirm this?
> 
> I filed a bug here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1045118
> 
> Thanks,
> Simon
> -- 
> DTN made easy, lean, and smart --> http://postellation.viagenie.ca
> NAT64/DNS64 open-source--> http://ecdysis.viagenie.ca
> STUN/TURN server   --> http://numb.viagenie.ca