Fwd: DHCPv6 broken in RHEL 6.x

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Interesting.

-------- Original-Nachricht --------
Betreff: DHCPv6 broken in RHEL 6.x
Datum: Tue, 16 Nov 2010 17:14:16 -0500
Von: Ray Soucy <rps@xxxxxxxxx>
An: teg@xxxxxxxxxx, harald@xxxxxxxxxx

Hi,

Not sure if you guys are the right ones to nag about this, but maybe
you know who the right people are.

I recently took a look at RHEL 6 to see how you guys are doing with
IPv6 support.

I was happy to see the installer actually offered IPv6 configuration
in Stateless, DHCPv6, and Static.  Unfortunately, the DHCPv6 network
configuration for RHEL 6 is broken.

There are two major problems:

1. The default "ip6tables" configuration blocks DHCPv6 responses.
I've very glad to see ip6tables have sane defaults.  The problem here
is the assumption that DHCPv6 client traffic would be caught by
conntrack and the ESTABLISHED,RELATED rule.  Unfortunately with DHCPv6
this is not the case.  Thus for DHCPv6 to work at all you need to
include a rule like "-A INPUT -p udp --dport 546 -j ACCEPT" in the
default policy.

2. There seems to be an assumption made that "stateless" == "autoconf".

When DHCPv6 is selected in the installer, it adds a IPV6_AUTOCONF="no"
to the interface configuration.  DHCPv6 has no way to provide default
route information.  In IPv6, that task is handled by router
advertisement.

If you disable autoconf, then you disable the mechanistic for the host
to get a default gateway, making DHCPv6 pointless.

Similarly, host systems should not decide to "disable" stateless
address configuration in favor of DHCPv6.  The "A" (autonomous) flag
within a router advertisement signals hosts on a network whether to
assign a stateless address or not; Linux already respects this flag.

It is a legitimate configuration to use _both_ a stateless and a
stateful IPv6 address on a single interface.  That should be
determined by the network, not the host, as the default behavior.

If the RFC were followed, you would actually wait for an IPv6 router
advertisement to announce either the "M" or "O" flags before starting
a DHCPv6 client; but I'm not sure how you would do that in Linux.  The
only reliable way right now is to just enable DHCPv6 by default if
"Automatic" configuration is selected.

3. DHCPv6 seems to replace resolve.conf with IPv6-only version,
instead of a version with both IPv4 and IPv6 nameservers.  It's not
really an issue, since IPv6 DNS should be preferred per RFCs, but it
makes me wonder if it would revert to IPv4 resolve.conf if IPv6 were
to go away on the host.

4. The network setup utility (which has your names on it, ;D) doesn't
provide for IPv6 configuration as the installer does.  We really need
the default tools to setup IPv6 to be in place at this point.  We
can't wait for RHEL 7 to get this right.

Essentially, there should be 2 options for IPv6:  "Automatic" and
"Static" configuration.  Automatic should imply that a working DHCPv6
client will be started.  If you have a way to only start it when a
router advertisement with the "O" (other) or "M" (managed) flags set,
then that would be better since it would match the requirement by the
RFC... I can't think of a way to easily do that though (maybe with
udev...).  So the other obvious solution is to just start the DHCPv6
client up in case it's needed.  This seems to be how Windows handles
it by default.

DHCPv6 has been ignored until now, but a growing number of people are
starting to make use of it as people quickly find out that stateless
is not a good option for the enterprise (even Apple has reversed its
position on DHCPv6).

Is there any way we can get RHEL 6 to come into the fold?  Little
things like this really hold back IPv6 deployment, and I don't think
there is time for us to wait another 5 years for RHEL 7 to fix it.

Modified ip6tables default:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --dport 546 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

Example interface configuration for "automatic" IPv6:
DEVICE="eth0"
BOOTPROTO="dhcp"
DHCPV6C="yes"
HWADDR="00:1D:09:EF:E9:9A"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NM_CONTROLLED="yes"
ONBOOT="yes"

If someone really wants to kill DHCPv6, they can always edit the file.
 The average user should have no knowledge of whether IPv6 is stateful
or stateless.  DHCPv6 is also needed in a stateless environment for
DNS server information.

Let me know if I can help.  I'm a member of the Internet2 IPv6 working
group, and head up IPv6 deployment for the University of Maine System.

--
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list


[Index of Archives]     [Kickstart]     [Fedora Users]     [Fedora Legacy List]     [Fedora Maintainers]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]
  Powered by Linux