Re: Linux and ULA support and default route

2016-10-14 Thread Brian E Carpenter
On 15/10/2016 00:57, Holger Zuleger wrote:
>> If the delegated prefix changes, you'll be simply postponing the local
>> communication failure, not prevent it.
> Only if the new prefix is different to the old one.
> 
>> The last year has convinced me that the best user experience is
>> achieved by having an in-home stable ULA prefix to complement the
>> ISP-delegated global prefix[es] [if any], and that all the internal
>> hostnames should resolve to the IPv6 addresses assigned from the ULA
>> prefix.
> Yes, but this is probably a bit different to the AVM behavior. I have in
> mind that the default configuration on Fritzboxes is to announce the ULA
> *only* if the upstream is down. 

Correct, there is an option to change that however.

   Brian

> Then your local active sessions break
> twice.




Re: Linux and ULA support and default route

2016-10-14 Thread Holger Zuleger


On 14.10.2016 15:20, sth...@nethelp.no wrote:
>> At the end, the whole behavior is because some hosts have problems in
>> handling situations where they have an IPv6 address configured and no
>> internet connectivity. But the solution to this requires that the host
>> is able to understand and work with RIO options, which seems to be "at
>> the time" not generally the case.
>>
>> Do we replace one evil by another?
> 
> I like Tore's solution of using ULA for local communication even when
> the external link is down.
That's not the question. The question is: Should a router stop
advertising a default route if the (or better say "his") upstream link
is down.

 Holger






Re: Linux and ULA support and default route

2016-10-14 Thread sthaug
> At the end, the whole behavior is because some hosts have problems in
> handling situations where they have an IPv6 address configured and no
> internet connectivity. But the solution to this requires that the host
> is able to understand and work with RIO options, which seems to be "at
> the time" not generally the case.
> 
> Do we replace one evil by another?

I like Tore's solution of using ULA for local communication even when
the external link is down.

Steinar Haug, AS2116


Re: Linux and ULA support and default route

2016-10-14 Thread otroan
Holger,

>>> Imagine a setup with *two* routers.  One of them has broken Internet,
>>> the other is working.  How can the hosts decide if both keep announcing
>>> themselves as "I can reach anything"?
>> 
>> in the general case the host still has to take the 'I can reach anything' 
>> announcement with a pinch of salt.
>> and it should be able to try both (or more) connections and react 
>> accordingly when one fails.
> ...which is the default host behaviour if the OS supports RFC4861.
> Sadly some "user friendly" network managers break this and set a
> static route with a better metric to just one(!) router.

not really. that only covers the first hop. any failure anywhere else along the 
path would not be dealt with by 4861.

cheers,
Ole

Re: Linux and ULA support and default route

2016-10-14 Thread Holger Zuleger
>> Imagine a setup with *two* routers.  One of them has broken Internet,
>> the other is working.  How can the hosts decide if both keep announcing
>> themselves as "I can reach anything"?
> 
> in the general case the host still has to take the 'I can reach anything' 
> announcement with a pinch of salt.
> and it should be able to try both (or more) connections and react accordingly 
> when one fails.
...which is the default host behaviour if the OS supports RFC4861.
Sadly some "user friendly" network managers break this and set a
static route with a better metric to just one(!) router.

Holger





Re: Linux and ULA support and default route

2016-10-14 Thread Holger Zuleger
> If the delegated prefix changes, you'll be simply postponing the local
> communication failure, not prevent it.
Only if the new prefix is different to the old one.

> The last year has convinced me that the best user experience is
> achieved by having an in-home stable ULA prefix to complement the
> ISP-delegated global prefix[es] [if any], and that all the internal
> hostnames should resolve to the IPv6 addresses assigned from the ULA
> prefix.
Yes, but this is probably a bit different to the AVM behavior. I have in
mind that the default configuration on Fritzboxes is to announce the ULA
*only* if the upstream is down. Then your local active sessions break
twice.

 Holger






Re: Linux and ULA support and default route

2016-10-14 Thread Holger Zuleger


On 14.10.2016 12:32, Gert Doering wrote:
> Hi,
> 
> On Fri, Oct 14, 2016 at 12:00:04PM +0200, Holger Zuleger wrote:
>> Of course the default route should *not* be withdrawn.
>> The RA default router announcement says just, "Hey hosts, I'm the way
>> out of your local subnet", and not "Hey host, I have an upstream
>> connection to the rest of the internet".
> 
> If the router has no default route, it should not announce one - this
> is why PIO exists for more specific info.
For cases where a router provides "in principle" only connectivity to a
limited set of prefixes (think of VPN connection) I'm with you.

> Imagine a setup with *two* routers.  One of them has broken Internet,
> the other is working.  How can the hosts decide if both keep announcing
> themselves as "I can reach anything"?
This is just a corner case if both routers have directly the upstream
connection. But then this behavior makes sense only if the same prefix is
used for both upstreams, which is seldom the case in residential user
scenarios.
Otherwise you have a lot to do with source specific routing, and yes,
you are right: In this case the source specific default route for the
failed prefix should no longer be announced.

Holger Zuleger






Re: Linux and ULA support and default route

2016-10-14 Thread Tore Anderson
* Holger Zuleger 

> Hmm, what's so bad with still using the global prefix until the global
> connectivity comes back and the CPE gets a new one?
> Then it's early enough to set the preferred time of the former prefix to
> 0 and let them time out.
> In this way all local communication will not be interrupted if your
> Internet connection fails.

If the delegated prefix changes, you'll be simply postponing the local
communication failure, not prevent it.

I've run Homewrt for over a year now and have no shortage of annoying
experiences like for instance a movie that is being streamed to my HTPC
from my NAS just suddenly freezing just because the Internet uplink has
gone down and/or the delegated prefix changes.

The last year has convinced me that the best user experience is
achieved by having an in-home stable ULA prefix to complement the
ISP-delegated global prefix[es] [if any], and that all the internal
hostnames should resolve to the IPv6 addresses assigned from the ULA
prefix.

Tore


Re: Linux and ULA support and default route

2016-10-14 Thread Gert Doering
Hi,

On Fri, Oct 14, 2016 at 12:00:04PM +0200, Holger Zuleger wrote:
> Of course the default route should *not* be withdrawn.
> The RA default router announcement says just, "Hey hosts, I'm the way
> out of your local subnet", and not "Hey host, I have an upstream
> connection to the rest of the internet".

If the router has no default route, it should not announce one - this
is why PIO exists for more specific info.

Imagine a setup with *two* routers.  One of them has broken Internet,
the other is working.  How can the hosts decide if both keep announcing
themselves as "I can reach anything"?

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279




Re: Linux and ULA support and default route

2016-10-14 Thread Thomas Schäfer
I was wrong. Randomly set:  no, manually change possible: yes.
The reason for my confusion was "::" versus ":"
Sometimes reading ipv6-addresses is hard.



Re: Linux and ULA support and default route

2016-10-14 Thread Holger Zuleger
>> Great idea, ULAs.
> 
> In the right circumstances, yes, actually. And actually my circumstances
> yesterday were right for a ULA prefix: the ISP failed to give my CE a prefix.
> Today, they gave me a prefix, and so Linux gives me a default route.
Hmm, what's so bad with still using the global prefix until the global
connectivity comes back and the CPE gets a new one?
Then it's early enough to set the preferred time of the former prefix to
0 and let them time out.
In this way all local communication will not be interrupted if your
Internet connection fails.

And sending the old prefix as a hint in the DHCPv6-PD request leaves a
chance open to get the same prefix again.
Then local communication will not be affected by the upstream failure at
all.

Of course the default route should *not* be withdrawn.
The RA default router announcement says just, "Hey hosts, I'm the way
out of your local subnet", and not "Hey host, I have an upstream
connection to the rest of the internet".

BR
 Holger






Re: Linux and ULA support and default route

2016-10-14 Thread Thomas Schäfer

On 13.10.2016 at 21:56, Brian E Carpenter wrote:
> On 13/10/2016 21:14, Lorenzo Colitti wrote:
>> Of note is the fact that the ULA prefix being announced is the ubiquitous
>> fd00::/64.
>
> 0 is a perfectly random number, just like the ubiquitous PIN code 1234.
>
> But yes, this is a sloppy job by the FritzBox. Hopefully they've fixed this in
> more recent models.

It is fixed. In newer versions it is a random number and can
additionally be changed manually.


Thomas




--

There’s no place like ::1

Thomas Schäfer (Systemverwaltung)
Ludwig-Maximilians-Universität
Centrum für Informations- und Sprachverarbeitung
Oettingenstraße 67 Raum C109
80538 München ☎ +49/89/2180-9706  ℻ +49/89/2180-9701



Re: Linux and ULA support and default route

2016-10-13 Thread Brian E Carpenter
On 13/10/2016 21:14, Lorenzo Colitti wrote:
> Of note is the fact that the ULA prefix being announced is the ubiquitous
> fd00::/64.

0 is a perfectly random number, just like the ubiquitous PIN code 1234.

But yes, this is a sloppy job by the FritzBox. Hopefully they've fixed this in
more recent models.

> Great idea, ULAs.

In the right circumstances, yes, actually. And actually my circumstances
yesterday were right for a ULA prefix: the ISP failed to give my CE a prefix.
Today, they gave me a prefix, and so Linux gives me a default route.

   Brian

> 
> On Wed, Oct 12, 2016 at 9:16 PM, Brian E Carpenter <
> brian.e.carpen...@gmail.com> wrote:
> 
>> This creates a tricky problem for homenet, I think, but I agree that my CE
>> is doing what that requirement says. This also creates a truly annoying
>> coding problem for me, which I won't go into here (except to gripe that
>> Linux
>> makes it very annoying indeed to discover your own global unicast address).
>>
>> Thanks
>>Brian
>>
>> On 13/10/2016 16:55, Lorenzo Colitti wrote:
>>> The linux host is correctly not adding a default route because the RA
>>> specifies a router lifetime of 0, likely due to RFC 7084 requirement G-4.
>>>
>>> On Wed, Oct 12, 2016 at 8:25 PM, Brian E Carpenter <
>>> brian.e.carpen...@gmail.com> wrote:
>>>
>>>> I'll send you the RA packet off-list.
>>>>
>>>> Brian
>>>>
>>>> On 13/10/2016 14:10, Brian E Carpenter wrote:
>>>>> On 13/10/2016 13:47, Lorenzo Colitti wrote:
>>>>>> On Wed, Oct 12, 2016 at 5:39 PM, Brian E Carpenter <
>>>>>> brian.e.carpen...@gmail.com> wrote:
>>>>>>
>>>>>>> But what it says (before I install the correct default route) is
>>>>>>>
>>>>>>> fd00::/64 via fe80::be05:43ff:fe8e:ce39 dev wlp2s0  proto ra  metric 600
>>>>>>> pref medium
>>>>>>> fe80::/64 dev wlp2s0  proto kernel  metric 256  pref medium
>>>>>>>
>>>>>>> No default, as you can see.
>>>>>>>
>>>>>>
>>>>>> Do you have a tcpdump of the RA?
>>>>>
>>>>> No. Any suggestions how I can catch one? Would a Wireshark capture be useful?
>>>>>
>>>>> Brian
>>>>>
>>>>
>>>
>>
> 


Re: Linux and ULA support and default route

2016-10-13 Thread Jeroen Massar
On 2016-10-13 09:36, Tore Anderson wrote:
> * Jeroen Massar 
> 
>> RA's only install the /64 and when default announced a default.
>>
>> Thus 'the rest of the ULA /48' would require a default route to be
>> installed to reach that...
>>
>> When the device does not install a default route, there won't be an
>> entry for anything in that /48, just the /64 and thus that space won't
>> be reachable.
> 
> Not if you set the accept_ra_rt_info_max_plen sysctl to >= 48 (and the
> router implements RFC 7084 L-3).

Which is why looking at the exact RA is important.

> As far as I know, this sysctl is 0 by
> default which causes the kernel to ignore RIOs.

Correct. See amongst others here for reasoning:
https://patchwork.ozlabs.org/patch/331802/

and as it is default 0, unless one does already salt/puppet/etc to
change that default, it won't easily get deployed; and if one does
salt/puppet/etc then adding static routes can also work.

Much easier and better to let the actual routers decide on routing
though and not end-hosts.

> I believe that Windows do accept RIOs by default so that's probably why
> it worked for Brian. NetworkManager user-space RA processing will also
> respect RIOs by default.

Only silly people run broken software like "NetworkManager" ;)

Greets,
 Jeroen



Re: Linux and ULA support and default route

2016-10-13 Thread Jeroen Massar
On 2016-10-13 02:30, Brian E Carpenter wrote:
> Hi Jeroen,
> On 13/10/2016 12:16, Jeroen Massar wrote:
>> On 2016-10-13 00:51, Brian E Carpenter wrote:
>> [..]
>>> Kernel IPv6 routing table
>>> DestinationNext Hop   Flag Met Ref Use 
>>> If
>>> fd00::/64  fe80::be05:43ff:fe8e:ce39  UG   600 112 
>>> wlp2s0
>>> fe80::/64  :: U256 0 0 
>>> wlp2s0
>>> ::/0   :: !n   -1  1   137 
>>> lo
>>> ::1/128:: Un   0   3 7 
>>> lo
>>> fd00::c5bb:40f2:f3d5:94e4/128  :: Un   0   319 
>>> lo
>>> fe80::9051:543a:4c9e:e93e/128  :: Un   0   211 
>>> lo
>>> ff00::/8   :: U256 2  1763 
>>> wlp2s0
>>> ::/0   :: !n   -1  1   137 
>>> lo
>>
>> Do you receive those prefixes over RA or manual config?
> 
> RA of course
> 
>> Is forwarding enabled? 
> 
> No
> 
>> What does the ra_accept sysctl say?
> 
> accept_ra = 1
> 
>>
>> Also 'ip -6 ro get ' can be very useful to check where the
>> routing table thinks packets are supposed to go.
> 
> Well, once I create the default route it tells me exactly what it should,
> for any global-scope address. But after reboot it says "unreachable"
> for any address outside the ULA /64 (i.e. even the rest of the ULA /48
> is unreachable).

RA's only install the /64 and when default announced a default.

Thus 'the rest of the ULA /48' would require a default route to be
installed to reach that...

When the device does not install a default route, there won't be an
entry for anything in that /48, just the /64 and thus that space won't
be reachable.


Btw: IMHO ULAs are in 99% of the cases the wrong thing to use anyway.
But note, this is not specific to ULA at all. (Except maybe that your
device chose to not push a default route, as there is no default route
to the Internet).

You might want to check with tcpdump what the exact details of the RA are.

Greets,
 Jeroen



Re: Linux and ULA support and default route

2016-10-12 Thread Brian E Carpenter
This creates a tricky problem for homenet, I think, but I agree that my CE
is doing what that requirement says. This also creates a truly annoying
coding problem for me, which I won't go into here (except to gripe that Linux
makes it very annoying indeed to discover your own global unicast address).

Thanks
   Brian

On 13/10/2016 16:55, Lorenzo Colitti wrote:
> The linux host is correctly not adding a default route because the RA
> specifies a router lifetime of 0, likely due to RFC 7084 requirement G-4.
> 
> On Wed, Oct 12, 2016 at 8:25 PM, Brian E Carpenter <
> brian.e.carpen...@gmail.com> wrote:
> 
>> I'll send you the RA packet off-list.
>>
>> Brian
>>
>> On 13/10/2016 14:10, Brian E Carpenter wrote:
>>> On 13/10/2016 13:47, Lorenzo Colitti wrote:
>>>> On Wed, Oct 12, 2016 at 5:39 PM, Brian E Carpenter <
>>>> brian.e.carpen...@gmail.com> wrote:
>>>>
>>>>> But what it says (before I install the correct default route) is
>>>>>
>>>>> fd00::/64 via fe80::be05:43ff:fe8e:ce39 dev wlp2s0  proto ra  metric
>> 600
>>>>> pref medium
>>>>> fe80::/64 dev wlp2s0  proto kernel  metric 256  pref medium
>>>>>
>>>>> No default, as you can see.
>>>>>
>>>>
>>>> Do you have a tcpdump of the RA?
>>>
>>> No. Any suggestions how I can catch one? Would a Wireshark capture be
>> useful?
>>>
>>> Brian
>>>
>>
> 


Re: Linux and ULA support and default route

2016-10-12 Thread Lorenzo Colitti
The linux host is correctly not adding a default route because the RA
specifies a router lifetime of 0, likely due to RFC 7084 requirement G-4.

On Wed, Oct 12, 2016 at 8:25 PM, Brian E Carpenter <
brian.e.carpen...@gmail.com> wrote:

> I'll send you the RA packet off-list.
>
> Brian
>
> On 13/10/2016 14:10, Brian E Carpenter wrote:
> > On 13/10/2016 13:47, Lorenzo Colitti wrote:
> >> On Wed, Oct 12, 2016 at 5:39 PM, Brian E Carpenter <
> >> brian.e.carpen...@gmail.com> wrote:
> >>
> >>> But what it says (before I install the correct default route) is
> >>>
> >>> fd00::/64 via fe80::be05:43ff:fe8e:ce39 dev wlp2s0  proto ra  metric
> 600
> >>> pref medium
> >>> fe80::/64 dev wlp2s0  proto kernel  metric 256  pref medium
> >>>
> >>> No default, as you can see.
> >>>
> >>
> >> Do you have a tcpdump of the RA?
> >
> > No. Any suggestions how I can catch one? Would a Wireshark capture be
> useful?
> >
> > Brian
> >
>
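
The two RA behaviours discussed in this thread (no default route when the router lifetime is 0, and RIOs ignored unless accept_ra_rt_info_max_plen covers the prefix length), as an added example that is not part of any post: a parser for a constructed RA plus a simplified model of the routes a Linux host would install. The names `parse_ra`, `routes_installed`, `build_sample_ra` and all sample values are assumptions made for illustration; this is not kernel code.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PIO = 3    # Prefix Information Option (RFC 4861)
OPT_RIO = 24   # Route Information Option (RFC 4191)

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 RA starting at the type byte (checksum is not verified)."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    (router_lifetime,) = struct.unpack_from("!H", icmp6, 6)
    ra = {"router_lifetime": router_lifetime, "pio": [], "rio": []}
    off = 16
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("bad option length")
        body = icmp6[off + 2 : off + opt_len]
        if opt_type == OPT_PIO and opt_len == 32:
            plen, flags, valid = struct.unpack_from("!BBI", body, 0)
            net = ipaddress.IPv6Network((body[14:30], plen), strict=False)
            ra["pio"].append({"prefix": net, "on_link": bool(flags & 0x80), "valid": valid})
        elif opt_type == OPT_RIO and opt_len in (8, 16, 24):
            plen, _flags, lifetime = struct.unpack_from("!BBI", body, 0)
            # The RIO prefix field may be 0, 8 or 16 bytes; pad it to a full address.
            net = ipaddress.IPv6Network((body[6:].ljust(16, b"\0"), plen), strict=False)
            ra["rio"].append({"prefix": net, "lifetime": lifetime})
        off += opt_len
    return ra

def routes_installed(icmp6: bytes, rt_info_max_plen: int = 0) -> list:
    """Simplified model: which routes a host adds for this RA.

    rt_info_max_plen stands in for the accept_ra_rt_info_max_plen sysctl.
    """
    ra = parse_ra(icmp6)
    routes = []
    if ra["router_lifetime"] > 0:            # lifetime 0 means "not a default router"
        routes.append("default")
    for pio in ra["pio"]:
        if pio["on_link"] and pio["valid"] > 0:
            routes.append(str(pio["prefix"]))
    for rio in ra["rio"]:
        if rio["lifetime"] > 0 and rio["prefix"].prefixlen <= rt_info_max_plen:
            routes.append(str(rio["prefix"]))
    return routes

def build_sample_ra(router_lifetime: int) -> bytes:
    """Constructed sample RA: PIO fd00::/64 (L+A flags) and RIO fd00::/48."""
    ula = ipaddress.IPv6Address("fd00::").packed
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PIO, 4, 64, 0xC0, 7200, 3600, 0) + ula
    rio = struct.pack("!BBBBI", OPT_RIO, 2, 48, 0, 1800) + ula[:8]
    return hdr + pio + rio

if __name__ == "__main__":
    upstream_down = build_sample_ra(router_lifetime=0)
    print("max_plen=0 :", routes_installed(upstream_down))
    print("max_plen=48:", routes_installed(upstream_down, rt_info_max_plen=48))
    print("uplink up  :", routes_installed(build_sample_ra(router_lifetime=1800)))
```
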


Re: Linux and ULA support and default route

2016-10-12 Thread Brian E Carpenter
I'll send you the RA packet off-list.

Brian

On 13/10/2016 14:10, Brian E Carpenter wrote:
> On 13/10/2016 13:47, Lorenzo Colitti wrote:
>> On Wed, Oct 12, 2016 at 5:39 PM, Brian E Carpenter <
>> brian.e.carpen...@gmail.com> wrote:
>>
>>> But what it says (before I install the correct default route) is
>>>
>>> fd00::/64 via fe80::be05:43ff:fe8e:ce39 dev wlp2s0  proto ra  metric 600
>>> pref medium
>>> fe80::/64 dev wlp2s0  proto kernel  metric 256  pref medium
>>>
>>> No default, as you can see.
>>>
>>
>> Do you have a tcpdump of the RA?
> 
> No. Any suggestions how I can catch one? Would a Wireshark capture be useful?
> 
> Brian
> 


Re: Linux and ULA support and default route

2016-10-12 Thread Brian E Carpenter
On 13/10/2016 13:47, Lorenzo Colitti wrote:
> On Wed, Oct 12, 2016 at 5:39 PM, Brian E Carpenter <
> brian.e.carpen...@gmail.com> wrote:
> 
>> But what it says (before I install the correct default route) is
>>
>> fd00::/64 via fe80::be05:43ff:fe8e:ce39 dev wlp2s0  proto ra  metric 600
>> pref medium
>> fe80::/64 dev wlp2s0  proto kernel  metric 256  pref medium
>>
>> No default, as you can see.
>>
> 
> Do you have a tcpdump of the RA?

No. Any suggestions how I can catch one? Would a Wireshark capture be useful?

Brian


Re: Linux and ULA support and default route

2016-10-12 Thread Brian E Carpenter
On 13/10/2016 13:05, Lorenzo Colitti wrote:
> On Wed, Oct 12, 2016 at 3:51 PM, Brian E Carpenter <
> brian.e.carpen...@gmail.com> wrote:
> 
>> ::/0   :: !n   -1  1   137
>> lo
>>
> 
> I think !n means network unreachable. 

Sure. But that's the Ethernet interface which isn't connected, so that's 
correct.
The problem is the complete absence of a default route for the working (WiFi)
interface.

>Please provide the output of "ip -6
> route".

It's very unenlightening. The full table from "route" is more use.
But what it says (before I install the correct default route) is

fd00::/64 via fe80::be05:43ff:fe8e:ce39 dev wlp2s0  proto ra  metric 600  pref 
medium
fe80::/64 dev wlp2s0  proto kernel  metric 256  pref medium

No default, as you can see.

   Brian


Re: Linux and ULA support and default route

2016-10-12 Thread Lorenzo Colitti
On Wed, Oct 12, 2016 at 5:30 PM, Brian E Carpenter <
brian.e.carpen...@gmail.com> wrote:

> It's broken, is all.
>

"ip -6 route show" or it didn't happen.


Re: Linux and ULA support and default route

2016-10-12 Thread Brian E Carpenter
Hi Jeroen,
On 13/10/2016 12:16, Jeroen Massar wrote:
> On 2016-10-13 00:51, Brian E Carpenter wrote:
> [..]
>> Kernel IPv6 routing table
>> DestinationNext Hop   Flag Met Ref Use If
>> fd00::/64  fe80::be05:43ff:fe8e:ce39  UG   600 112 
>> wlp2s0
>> fe80::/64  :: U256 0 0 
>> wlp2s0
>> ::/0   :: !n   -1  1   137 lo
>> ::1/128:: Un   0   3 7 lo
>> fd00::c5bb:40f2:f3d5:94e4/128  :: Un   0   319 lo
>> fe80::9051:543a:4c9e:e93e/128  :: Un   0   211 lo
>> ff00::/8   :: U256 2  1763 
>> wlp2s0
>> ::/0   :: !n   -1  1   137 lo
> 
> Do you receive those prefixes over RA or manual config?

RA of course

> Is forwarding enabled? 

No

> What does the ra_accept sysctl say?

accept_ra = 1

> 
> Also 'ip -6 ro get ' can be very useful to check where the
> routing table thinks packets are supposed to go.

Well, once I create the default route it tells me exactly what it should,
for any global-scope address. But after reboot it says "unreachable"
for any address outside the ULA /64 (i.e. even the rest of the ULA /48
is unreachable).

It's broken, is all.

   Brian


> 
> In general on a Linux install from the last decade or so, avoid
> 'netstat' and 'ifconfig' and use iproute: 'ip ro sho' or 'ip -6 ro sho',
> 'ip -6 addr show'
> 
> Greets,
>  Jeroen
> 
> 


Re: Linux and ULA support and default route

2016-10-12 Thread Jeroen Massar
On 2016-10-13 02:05, Lorenzo Colitti wrote:
> On Wed, Oct 12, 2016 at 3:51 PM, Brian E Carpenter
> > wrote:
> 
> ::/0   :: !n   -1 
> 1   137 lo
> 
> 
> I think !n means network unreachable. Please provide the output of "ip
> -6 route".

That is indeed the default unreachable route, basically the root node of
the prefix tree ;)

Hence indeed why one should be using 'ip -6 ro sho' to check for the
actual routes, netstat output is just odd.

If only the system was using DHCPv6 eh ;)

Greets,
 Jeroen



Re: Linux and ULA support and default route

2016-10-12 Thread Lorenzo Colitti
On Wed, Oct 12, 2016 at 3:51 PM, Brian E Carpenter <
brian.e.carpen...@gmail.com> wrote:

> ::/0   :: !n   -1  1   137
> lo
>

I think !n means network unreachable. Please provide the output of "ip -6
route".


Re: Linux and ULA support and default route

2016-10-12 Thread Jeroen Massar
On 2016-10-13 00:51, Brian E Carpenter wrote:
[..]
> Kernel IPv6 routing table
> DestinationNext Hop   Flag Met Ref Use If
> fd00::/64  fe80::be05:43ff:fe8e:ce39  UG   600 112 
> wlp2s0
> fe80::/64  :: U256 0 0 
> wlp2s0
> ::/0   :: !n   -1  1   137 lo
> ::1/128:: Un   0   3 7 lo
> fd00::c5bb:40f2:f3d5:94e4/128  :: Un   0   319 lo
> fe80::9051:543a:4c9e:e93e/128  :: Un   0   211 lo
> ff00::/8   :: U256 2  1763 
> wlp2s0
> ::/0   :: !n   -1  1   137 lo

Do you receive those prefixes over RA or manual config?
Is forwarding enabled? What does the ra_accept sysctl say?

Also 'ip -6 ro get ' can be very useful to check where the
routing table thinks packets are supposed to go.

In general on a Linux install from the last decade or so, avoid
'netstat' and 'ifconfig' and use iproute: 'ip ro sho' or 'ip -6 ro sho',
'ip -6 addr show'

Greets,
 Jeroen