Interesting.

-------- Original Message --------
Subject: DHCPv6 broken in RHEL 6.x
Date: Tue, 16 Nov 2010 17:14:16 -0500
From: Ray Soucy <rps@xxxxxxxxx>
To: teg@xxxxxxxxxx, harald@xxxxxxxxxx

Hi,

Not sure if you guys are the right ones to nag about this, but maybe you know who the right people are.

I recently took a look at RHEL 6 to see how you guys are doing with IPv6 support. I was happy to see the installer actually offered IPv6 configuration in Stateless, DHCPv6, and Static.

Unfortunately, the DHCPv6 network configuration for RHEL 6 is broken. There are two major problems:

1. The default "ip6tables" configuration blocks DHCPv6 responses.

I'm very glad to see ip6tables have sane defaults. The problem here is the assumption that DHCPv6 client traffic would be caught by conntrack and the ESTABLISHED,RELATED rule. Unfortunately with DHCPv6 this is not the case. Thus for DHCPv6 to work at all you need to include a rule like "-A INPUT -p udp --dport 546 -j ACCEPT" in the default policy.

2. There seems to be an assumption made that "stateless" == "autoconf".

When DHCPv6 is selected in the installer, it adds an IPV6_AUTOCONF="no" to the interface configuration. DHCPv6 has no way to provide default route information. In IPv6, that task is handled by router advertisement. If you disable autoconf, then you disable the mechanism for the host to get a default gateway, making DHCPv6 pointless.

Similarly, host systems should not decide to "disable" stateless address configuration in favor of DHCPv6. The "A" (autonomous) flag within a router advertisement signals hosts on a network whether to assign a stateless address or not; Linux already respects this flag. It is a legitimate configuration to use _both_ a stateless and a stateful IPv6 address on a single interface. That should be determined by the network, not the host, as the default behavior.

If the RFC were followed, you would actually wait for an IPv6 router advertisement to announce either the "M" or "O" flags before starting a DHCPv6 client; but I'm not sure how you would do that in Linux. The only reliable way right now is to just enable DHCPv6 by default if "Automatic" configuration is selected.

3. DHCPv6 seems to replace resolv.conf with an IPv6-only version, instead of a version with both IPv4 and IPv6 nameservers.

It's not really an issue, since IPv6 DNS should be preferred per RFCs, but it makes me wonder if it would revert to IPv4 resolv.conf if IPv6 were to go away on the host.

4. The network setup utility (which has your names on it, ;D) doesn't provide for IPv6 configuration as the installer does.

We really need the default tools to set up IPv6 to be in place at this point. We can't wait for RHEL 7 to get this right.

Essentially, there should be 2 options for IPv6: "Automatic" and "Static" configuration.

Automatic should imply that a working DHCPv6 client will be started. If you have a way to only start it when a router advertisement with the "O" (other) or "M" (managed) flags set, then that would be better since it would match the requirement by the RFC... I can't think of a way to easily do that though (maybe with udev...). So the other obvious solution is to just start the DHCPv6 client up in case it's needed. This seems to be how Windows handles it by default.

DHCPv6 has been ignored until now, but a growing number of people are starting to make use of it as people quickly find out that stateless is not a good option for the enterprise (even Apple has reversed its position on DHCPv6).

Is there any way we can get RHEL 6 to come into the fold? Little things like this really hold back IPv6 deployment, and I don't think there is time for us to wait another 5 years for RHEL 7 to fix it.

Modified ip6tables default:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --dport 546 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Example interface configuration for "automatic" IPv6:

DEVICE="eth0"
BOOTPROTO="dhcp"
DHCPV6C="yes"
HWADDR="00:1D:09:EF:E9:9A"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NM_CONTROLLED="yes"
ONBOOT="yes"

If someone really wants to kill DHCPv6, they can always edit the file. The average user should have no knowledge of whether IPv6 is stateful or stateless. DHCPv6 is also needed in a stateless environment for DNS server information.

Let me know if I can help. I'm a member of the Internet2 IPv6 working group, and head up IPv6 deployment for the University of Maine System.

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
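
The two configuration problems reported in the message, turned into checks as an added example (not part of the original message or of any Red Hat tool): a first-match walk of an ip6tables-save style INPUT chain for a DHCPv6 reply to UDP port 546, and a lint for the DHCPV6C/IPV6_AUTOCONF combination. The sample inputs are constructed, the function names are hypothetical, and the reply is assumed to reach the chain in conntrack state NEW, as the message describes.

```python
import shlex

# Constructed sample: the ruleset from the message without its DHCPv6 rule.
STOCK = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""
DHCP_RULE = "-A INPUT -p udp --dport 546 -j ACCEPT\n"
FIXED = STOCK.replace("-A INPUT -m state --state NEW", DHCP_RULE + "-A INPUT -m state --state NEW")
INSTALLER_IFCFG = 'DEVICE="eth0"\nDHCPV6C="yes"\nIPV6INIT="yes"\nIPV6_AUTOCONF="no"\n'  # constructed

# Assumption taken from the message: conntrack does not tie the server's
# reply to the client's request, so the reply is evaluated as state NEW.
DHCPV6_REPLY = {"-p": "udp", "--dport": "546", "-i": "eth0", "--state": "NEW"}

def verdict(ruleset, pkt, chain="INPUT"):
    """First-match walk of one chain; handles only the options used above."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == [":" + chain]:
            policy = tok[1]
        if tok[:2] != ["-A", chain]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # every option here takes one value
        target = opts.pop("-j")
        opts.pop("-m", None)             # module loads carry no match of their own
        opts.pop("--reject-with", None)  # option of the target, not a match
        if all(pkt.get(k) in v.split(",") for k, v in opts.items()):
            return target
    return policy

def ifcfg_issues(text):
    """Flag the installer combination the message reports as broken."""
    kv = dict(l.split("=", 1) for l in text.splitlines() if "=" in l)
    val = lambda k: kv.get(k, "").strip('"').lower()
    if val("DHCPV6C") == "yes" and val("IPV6_AUTOCONF") == "no":
        return ["DHCPV6C=yes with IPV6_AUTOCONF=no: host cannot learn a default route"]
    return []

if __name__ == "__main__":
    print("stock ruleset:", verdict(STOCK, DHCPV6_REPLY))
    print("with port 546 rule:", verdict(FIXED, DHCPV6_REPLY))
    print("ifcfg:", ifcfg_issues(INSTALLER_IFCFG))
```

An option the walker does not know makes a rule count as non-matching, so a real ruleset with other match modules will be reported more strictly than ip6tables would evaluate it.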