11-17-2010, 09:29 AM
Harald Hoyer
Fwd: DHCPv6 broken in RHEL 6.x

Interesting.

-------- Original Message --------
Subject: DHCPv6 broken in RHEL 6.x
Date: Tue, 16 Nov 2010 17:14:16 -0500
From: Ray Soucy <rps@maine.edu>
To: teg@redhat.com, harald@redhat.com

Hi,

Not sure if you guys are the right ones to nag about this, but maybe
you know who the right people are.

I recently took a look at RHEL 6 to see how you guys are doing with
IPv6 support.

I was happy to see the installer actually offered IPv6 configuration
in Stateless, DHCPv6, and Static. Unfortunately, the DHCPv6 network
configuration for RHEL 6 is broken.

There are two major problems:

1. The default "ip6tables" configuration blocks DHCPv6 responses.
I'm very glad to see ip6tables have sane defaults. The problem here
is the assumption that DHCPv6 client traffic would be caught by
conntrack and the ESTABLISHED,RELATED rule. Unfortunately with DHCPv6
this is not the case. Thus for DHCPv6 to work at all you need to
include a rule like "-A INPUT -p udp --dport 546 -j ACCEPT" in the
default policy.

2. There seems to be an assumption made that "stateless" == "autoconf".

When DHCPv6 is selected in the installer, it adds an IPV6_AUTOCONF="no"
to the interface configuration. DHCPv6 has no way to provide default
route information. In IPv6, that task is handled by router
advertisement.

If you disable autoconf, then you disable the mechanism for the host
to get a default gateway, making DHCPv6 pointless.

Similarly, host systems should not decide to "disable" stateless
address configuration in favor of DHCPv6. The "A" (autonomous) flag
within a router advertisement signals hosts on a network whether to
assign a stateless address or not; Linux already respects this flag.

It is a legitimate configuration to use _both_ a stateless and a
stateful IPv6 address on a single interface. That should be
determined by the network, not the host, as the default behavior.

If the RFC were followed, you would actually wait for an IPv6 router
advertisement to announce either the "M" or "O" flags before starting
a DHCPv6 client; but I'm not sure how you would do that in Linux. The
only reliable way right now is to just enable DHCPv6 by default if
"Automatic" configuration is selected.

3. DHCPv6 seems to replace resolv.conf with IPv6-only version,
instead of a version with both IPv4 and IPv6 nameservers. It's not
really an issue, since IPv6 DNS should be preferred per RFCs, but it
makes me wonder if it would revert to IPv4 resolv.conf if IPv6 were
to go away on the host.

4. The network setup utility (which has your names on it, ;D) doesn't
provide for IPv6 configuration as the installer does. We really need
the default tools to set up IPv6 to be in place at this point. We
can't wait for RHEL 7 to get this right.

Essentially, there should be 2 options for IPv6: "Automatic" and
"Static" configuration. Automatic should imply that a working DHCPv6
client will be started. If you have a way to only start it when a
router advertisement with the "O" (other) or "M" (managed) flags set,
then that would be better since it would match the requirement by the
RFC... I can't think of a way to easily do that though (maybe with
udev...). So the other obvious solution is to just start the DHCPv6
client up in case it's needed. This seems to be how Windows handles
it by default.

DHCPv6 has been ignored until now, but a growing number of people are
starting to make use of it as people quickly find out that stateless
is not a good option for the enterprise (even Apple has reversed its
position on DHCPv6).

Is there any way we can get RHEL 6 to come into the fold? Little
things like this really hold back IPv6 deployment, and I don't think
there is time for us to wait another 5 years for RHEL 7 to fix it.

Modified ip6tables default:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --dport 546 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Example interface configuration for "automatic" IPv6:
DEVICE="eth0"
BOOTPROTO="dhcp"
DHCPV6C="yes"
HWADDR="00:1D:09:EF:E9:9A"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NM_CONTROLLED="yes"
ONBOOT="yes"

If someone really wants to kill DHCPv6, they can always edit the file.
The average user should have no knowledge of whether IPv6 is stateful
or stateless. DHCPv6 is also needed in a stateless environment for
DNS server information.

Let me know if I can help. I'm a member of the Internet2 IPv6 working
group, and head up IPv6 deployment for the University of Maine System.

--
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
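
The decision described in the message above, reading the M, O and A flags of a router advertisement before choosing between SLAAC and DHCPv6, as an added example that is not code from the thread or from any Red Hat tool. The packet layout follows RFC 4861; `build_ra`, `parse_ra`, `plan` and the 2001:db8:: sample prefixes are constructed for illustration.

```python
import ipaddress
import struct

M_FLAG, O_FLAG = 0x80, 0x40   # RA header flags: Managed, Other
A_FLAG = 0x40                 # Prefix Information flag: Autonomous


def build_ra(managed, other, router_lifetime, prefixes):
    """Constructed RA for the demo (checksum left at 0).
    prefixes: list of (prefix, prefix_len, autonomous)."""
    flags = (M_FLAG if managed else 0) | (O_FLAG if other else 0)
    pkt = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, router_lifetime, 0, 0)
    for prefix, plen, autonomous in prefixes:
        pflags = 0x80 | (A_FLAG if autonomous else 0)   # 0x80 = on-link
        pkt += struct.pack("!BBBBIII", 3, 4, plen, pflags, 86400, 14400, 0)
        pkt += ipaddress.IPv6Address(prefix).packed
    return pkt


def parse_ra(pkt):
    """Extract the fields a host needs to choose its IPv6 configuration."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", pkt, 5)
    slaac, off = [], 16
    while off < len(pkt):
        if off + 2 > len(pkt) or pkt[off + 1] == 0 or off + pkt[off + 1] * 8 > len(pkt):
            raise ValueError("malformed RA option")
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8
        if opt_type == 3 and opt_len == 32 and pkt[off + 3] & A_FLAG:
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            slaac.append(f"{prefix}/{pkt[off + 2]}")
        off += opt_len
    return {"managed": bool(flags & M_FLAG), "other": bool(flags & O_FLAG),
            "router_lifetime": lifetime, "slaac_prefixes": slaac}


def plan(ra):
    """Map RA contents to host actions: the network decides, not the host."""
    if ra["managed"]:
        dhcpv6 = "stateful"            # addresses (and options) from DHCPv6
    elif ra["other"]:
        dhcpv6 = "information-only"    # e.g. DNS servers only
    else:
        dhcpv6 = "off"
    return {"default_route": ra["router_lifetime"] > 0,
            "slaac": bool(ra["slaac_prefixes"]), "dhcpv6": dhcpv6}


# Constructed sample: a DHCPv6-managed network whose prefix has A=0.
MANAGED_ONLY = build_ra(True, True, 1800, [("2001:db8:1::", 64, False)])
# Constructed sample: SLAAC addresses plus DHCPv6 for DNS information.
SLAAC_PLUS_DNS = build_ra(False, True, 1800, [("2001:db8:2::", 64, True)])
```

For the managed-only sample the plan is stateful DHCPv6 with no SLAAC address, yet the default route still comes from the router advertisement, so a host that ignores RAs on such a network ends up without a gateway.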
 
11-18-2010, 01:04 PM
Radek Vykydal
Fwd: DHCPv6 broken in RHEL 6.x

On 11/17/2010 11:29 AM, Harald Hoyer wrote:

> Interesting.
>
> -------- Original Message --------
> Subject: DHCPv6 broken in RHEL 6.x
> Date: Tue, 16 Nov 2010 17:14:16 -0500
> From: Ray Soucy <rps@maine.edu>
> To: teg@redhat.com, harald@redhat.com
>
> 2. There seems to be an assumption made that "stateless" == "autoconf".
>
> When DHCPv6 is selected in the installer, it adds an IPV6_AUTOCONF="no"
> to the interface configuration. DHCPv6 has no way to provide default
> route information. In IPv6, that task is handled by router
> advertisement.
>
> If you disable autoconf, then you disable the mechanism for the host
> to get a default gateway, making DHCPv6 pointless.
>
> Similarly, host systems should not decide to "disable" stateless
> address configuration in favor of DHCPv6. The "A" (autonomous) flag
> within a router advertisement signals hosts on a network whether to
> assign a stateless address or not; Linux already respects this flag.
>
> It is a legitimate configuration to use _both_ a stateless and a
> stateful IPv6 address on a single interface. That should be
> determined by the network, not the host, as the default behavior.
>
> If the RFC were followed, you would actually wait for an IPv6 router
> advertisement to announce either the "M" or "O" flags before starting
> a DHCPv6 client; but I'm not sure how you would do that in Linux. The
> only reliable way right now is to just enable DHCPv6 by default if
> "Automatic" configuration is selected.



Please see discussion in NetworkManager bug
https://bugzilla.redhat.com/show_bug.cgi?id=612445
where IPV6_AUTOCONF=no was added to DHCPv6 configuration option.

In anaconda loader we follow NetworkManager Connection Editor
(we are using it in anaconda GUI) which behaves the same way
('Automatic, DHCP only' option), from NM's ifcfg-rh plugin:

    value = nm_setting_ip6_config_get_method (s_ip6);
    g_assert (value);
    if (!strcmp (value, NM_SETTING_IP6_CONFIG_METHOD_IGNORE)) {
        svSetValue (ifcfg, "IPV6INIT", "no", FALSE);
        svSetValue (ifcfg, "DHCPV6C", NULL, FALSE);
        return TRUE;
    } else if (!strcmp (value, NM_SETTING_IP6_CONFIG_METHOD_AUTO)) {
        svSetValue (ifcfg, "IPV6INIT", "yes", FALSE);
        svSetValue (ifcfg, "IPV6_AUTOCONF", "yes", FALSE);
        svSetValue (ifcfg, "DHCPV6C", NULL, FALSE);
    } else if (!strcmp (value, NM_SETTING_IP6_CONFIG_METHOD_DHCP)) {
        svSetValue (ifcfg, "IPV6INIT", "yes", FALSE);
        svSetValue (ifcfg, "IPV6_AUTOCONF", "no", FALSE);
        svSetValue (ifcfg, "DHCPV6C", "yes", FALSE);
    } else if (!strcmp (value, NM_SETTING_IP6_CONFIG_METHOD_MANUAL)) {
        svSetValue (ifcfg, "IPV6INIT", "yes", FALSE);
        svSetValue (ifcfg, "IPV6_AUTOCONF", "no", FALSE);
        svSetValue (ifcfg, "DHCPV6C", NULL, FALSE);
    } else if (!strcmp (value, NM_SETTING_IP6_CONFIG_METHOD_LINK_LOCAL)) {
        svSetValue (ifcfg, "IPV6INIT", "yes", FALSE);
        svSetValue (ifcfg, "IPV6_AUTOCONF", "no", FALSE);
        svSetValue (ifcfg, "DHCPV6C", NULL, FALSE);
    } else if (!strcmp (value, NM_SETTING_IP6_CONFIG_METHOD_SHARED)) {
        svSetValue (ifcfg, "IPV6INIT", "yes", FALSE);
        svSetValue (ifcfg, "DHCPV6C", NULL, FALSE);
        /* TODO */
    }



> 4. The network setup utility (which has your names on it, ;D) doesn't
> provide for IPv6 configuration as the installer does. We really need
> the default tools to set up IPv6 to be in place at this point. We
> can't wait for RHEL 7 to get this right.



Are you talking about system-config-network? In anaconda we use
NetworkManager Connection Editor (nm-c-e) in GUI and I think we don't
offer more ipv6 configuration options in loader than nm-c-e has


> Essentially, there should be 2 options for IPv6: "Automatic" and
> "Static" configuration. Automatic should imply that a working DHCPv6
> client will be started. If you have a way to only start it when a
> router advertisement with the "O" (other) or "M" (managed) flags set,
> then that would be better since it would match the requirement by the
> RFC... I can't think of a way to easily do that though (maybe with
> udev...). So the other obvious solution is to just start the DHCPv6
> client up in case it's needed. This seems to be how Windows handles
> it by default.



Perhaps "stateless" (or "automatic") DHCPv6 (with IPV6_AUTOCONF="yes",
that is what you are suggesting below) can be added to present
("stateful" or "static") DHCPv6 in loader. It should be easy,
but I'd hesitate to do it unless it has been added to nm-c-e too.


> Example interface configuration for "automatic" IPv6:
> DEVICE="eth0"
> BOOTPROTO="dhcp"
> DHCPV6C="yes"
> HWADDR="00:1D:09:EF:E9:9A"
> IPV6INIT="yes"
> IPV6_AUTOCONF="yes"
> NM_CONTROLLED="yes"
> ONBOOT="yes"



Radek

 
11-22-2010, 03:57 PM
Harald Hoyer
Fwd: DHCPv6 broken in RHEL 6.x

-------- Original Message --------
Subject: Re: DHCPv6 broken in RHEL 6.x
Date: Fri, 19 Nov 2010 09:03:47 -0500
From: Ray Soucy <rps@maine.edu>
To: Harald Hoyer <harald@redhat.com>

Thanks for forwarding this along. Any word on if it's actively being
worked on, or should I look into opening a formal bug report? The
Internet2 working group was asking if we should be leveraging Red
Hat's I2 membership status to get this resolved.

 
11-22-2010, 05:17 PM
Thomas Woerner
Fwd: DHCPv6 broken in RHEL 6.x

On 11/17/2010 11:29 AM, Harald Hoyer wrote:

> Interesting.
>
> -------- Original Message --------
> Subject: DHCPv6 broken in RHEL 6.x
> Date: Tue, 16 Nov 2010 17:14:16 -0500
> From: Ray Soucy <rps@maine.edu>
> To: teg@redhat.com, harald@redhat.com
>
> Hi,
>
> Not sure if you guys are the right ones to nag about this, but maybe
> you know who the right people are.
>
> I recently took a look at RHEL 6 to see how you guys are doing with
> IPv6 support.
>
> I was happy to see the installer actually offered IPv6 configuration
> in Stateless, DHCPv6, and Static. Unfortunately, the DHCPv6 network
> configuration for RHEL 6 is broken.
>
> There are two major problems:
>
> 1. The default "ip6tables" configuration blocks DHCPv6 responses.
> I'm very glad to see ip6tables have sane defaults. The problem here
> is the assumption that DHCPv6 client traffic would be caught by
> conntrack and the ESTABLISHED,RELATED rule. Unfortunately with DHCPv6
> this is not the case. Thus for DHCPv6 to work at all you need to
> include a rule like "-A INPUT -p udp --dport 546 -j ACCEPT" in the
> default policy.

The answer of the DHCPv6 server is not related, because the server is
free to use any matching IP address it has, also link-local. This makes
it impossible to add a sane rule for the firewall, that is not opening
up the port for everyone with the current static firewall model.



> 2. There seems to be an assumption made that "stateless" == "autoconf".
>
> When DHCPv6 is selected in the installer, it adds an IPV6_AUTOCONF="no"
> to the interface configuration. DHCPv6 has no way to provide default
> route information. In IPv6, that task is handled by router
> advertisement.
>
> If you disable autoconf, then you disable the mechanism for the host
> to get a default gateway, making DHCPv6 pointless.
>
> Similarly, host systems should not decide to "disable" stateless
> address configuration in favor of DHCPv6. The "A" (autonomous) flag
> within a router advertisement signals hosts on a network whether to
> assign a stateless address or not; Linux already respects this flag.
>
> It is a legitimate configuration to use _both_ a stateless and a
> stateful IPv6 address on a single interface. That should be
> determined by the network, not the host, as the default behavior.
>
> If the RFC were followed, you would actually wait for an IPv6 router
> advertisement to announce either the "M" or "O" flags before starting
> a DHCPv6 client; but I'm not sure how you would do that in Linux. The
> only reliable way right now is to just enable DHCPv6 by default if
> "Automatic" configuration is selected.
>
> 3. DHCPv6 seems to replace resolv.conf with IPv6-only version,
> instead of a version with both IPv4 and IPv6 nameservers. It's not
> really an issue, since IPv6 DNS should be preferred per RFCs, but it
> makes me wonder if it would revert to IPv4 resolv.conf if IPv6 were
> to go away on the host.
>
> 4. The network setup utility (which has your names on it, ;D) doesn't
> provide for IPv6 configuration as the installer does. We really need
> the default tools to set up IPv6 to be in place at this point. We
> can't wait for RHEL 7 to get this right.
>
> Essentially, there should be 2 options for IPv6: "Automatic" and
> "Static" configuration. Automatic should imply that a working DHCPv6
> client will be started. If you have a way to only start it when a
> router advertisement with the "O" (other) or "M" (managed) flags set,
> then that would be better since it would match the requirement by the
> RFC... I can't think of a way to easily do that though (maybe with
> udev...). So the other obvious solution is to just start the DHCPv6
> client up in case it's needed. This seems to be how Windows handles
> it by default.
>
> DHCPv6 has been ignored until now, but a growing number of people are
> starting to make use of it as people quickly find out that stateless
> is not a good option for the enterprise (even Apple has reversed its
> position on DHCPv6).
>
> Is there any way we can get RHEL 6 to come into the fold? Little
> things like this really hold back IPv6 deployment, and I don't think
> there is time for us to wait another 5 years for RHEL 7 to fix it.
>
> Modified ip6tables default:
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p ipv6-icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p udp --dport 546 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
> -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
> COMMIT

Adding this rule as a default rule for all will result in requests to
remove it. But not having this rule also will result in requests to add
it ...



> Example interface configuration for "automatic" IPv6:
> DEVICE="eth0"
> BOOTPROTO="dhcp"
> DHCPV6C="yes"
> HWADDR="00:1D:09:EF:E9:9A"
> IPV6INIT="yes"
> IPV6_AUTOCONF="yes"
> NM_CONTROLLED="yes"
> ONBOOT="yes"
>
> If someone really wants to kill DHCPv6, they can always edit the file.
> The average user should have no knowledge of whether IPv6 is stateful
> or stateless. DHCPv6 is also needed in a stateless environment for
> DNS server information.
>
> Let me know if I can help. I'm a member of the Internet2 IPv6 working
> group, and head up IPv6 deployment for the University of Maine System.



Thanks in advance,
Thomas

--
Thomas Woerner
Software Engineer Phone: +49-711-96437-310
Red Hat GmbH Fax : +49-711-96437-111
Hauptstaetterstr. 58 Email: Thomas Woerner <twoerner@redhat.com>
D-70178 Stuttgart Web : http://www.redhat.de/
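
A simplified model of the firewall trade-off debated in this thread, added here as an example and not code from any participant or from Red Hat: it shows why a reply to a multicast Solicit is NEW to conntrack, then evaluates a server reply and an off-link packet against three variants of the posted ruleset. The addresses, the first-match evaluator and the `-d fe80::/64` variant are assumptions of this example; the scoped rule relies on DHCPv6 clients sending from their link-local address, so replies arrive at a link-local destination.

```python
import ipaddress
import shlex

# Constructed ip6tables-save fragment modelled on the ruleset in the thread.
BASE = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
{dhcp}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
"""
RULESETS = {
    "default": BASE.format(dhcp=""),
    "open-546": BASE.format(dhcp="-A INPUT -p udp --dport 546 -j ACCEPT"),
    # Assumption of this example, not proposed in the thread:
    "scoped-546": BASE.format(dhcp="-A INPUT -d fe80::/64 -p udp --dport 546 -j ACCEPT"),
}

# Constructed traffic: (src, sport, dst, dport) of the client's multicast Solicit.
SOLICIT = ("fe80::10", 546, "ff02::1:2", 547)
REPLY = dict(proto="udp", iface="eth0", src="fe80::1", sport=547, dst="fe80::10", dport=546)
OFFLINK = dict(proto="udp", iface="eth0", src="2001:db8:ffff::66", sport=40000,
               dst="2001:db8:1::10", dport=546)


def conntrack_state(request, pkt):
    """ESTABLISHED only if pkt is the exact inverse of the tracked request tuple."""
    src, sport, dst, dport = request
    inverse = (dst, dport, src, sport)
    seen = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    return "ESTABLISHED" if seen == inverse else "NEW"


def verdict(ruleset, pkt, state):
    """First-match evaluation of the INPUT chain for the few matches used here."""
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"]:
            continue
        o = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")}
        if all([o.get("-p", pkt["proto"]) == pkt["proto"],
                int(o.get("--dport", pkt["dport"])) == pkt["dport"],
                state in o.get("--state", state).split(","),
                o.get("-i", pkt["iface"]) == pkt["iface"],
                ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(o.get("-d", "::/0"))]):
            return o["-j"]
    return "ACCEPT"  # chain policy in the posted file


def outcomes():
    """Verdicts per ruleset for (server reply, off-link packet to port 546)."""
    return {name: tuple(verdict(rs, p, conntrack_state(SOLICIT, p)) for p in (REPLY, OFFLINK))
            for name, rs in RULESETS.items()}
```

The destination-scoped variant still accepts port 546 traffic from any on-link sender, so it narrows the exposure to the local link rather than closing it.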

 
11-23-2010, 01:54 PM
Harald Hoyer
Fwd: DHCPv6 broken in RHEL 6.x

Bug 656315 - system-config-network text interface can't edit IPv6 parameters
Bug 656334 - Default Firewall blocking DHCPv6
Bug 656335 - anaconda generates an incorrect DHCPv6 configuration
