On 11/17/2010 11:29 AM, Harald Hoyer wrote:
Interesting.
-------- Original-Nachricht --------
Betreff: DHCPv6 broken in RHEL 6.x
Datum: Tue, 16 Nov 2010 17:14:16 -0500
Von: Ray Soucy <rps@xxxxxxxxx>
An: teg@xxxxxxxxxx, harald@xxxxxxxxxx
Hi,
Not sure if you guys are the right ones to nag about this, but maybe
you know who the right people are.
I recently took a look at RHEL 6 to see how you guys are doing with
IPv6 support.
I was happy to see the installer actually offered IPv6 configuration
in Stateless, DHCPv6, and Static. Unfortunately, the DHCPv6 network
configuration for RHEL 6 is broken.
There are two major problems:
1. The default "ip6tables" configuration blocks DHCPv6 responses.
I've very glad to see ip6tables have sane defaults. The problem here
is the assumption that DHCPv6 client traffic would be caught by
conntrack and the ESTABLISHED,RELATED rule. Unfortunately with DHCPv6
this is not the case. Thus for DHCPv6 to work at all you need to
include a rule like "-A INPUT -p udp --dport 546 -j ACCEPT" in the
default policy.
The answer of the DHCPv6 server is not related, because the server is
free to use any matching IP address it has, also link-local. This makes
it impossible to add a sane rule for the firewall, that is not opening
up the port for everyone with the current static firewall model.
2. There seems to be an assumption made that "stateless" == "autoconf".
When DHCPv6 is selected in the installer, it adds a IPV6_AUTOCONF="no"
to the interface configuration. DHCPv6 has no way to provide default
route information. In IPv6, that task is handled by router
advertisement.
If you disable autoconf, then you disable the mechanistic for the host
to get a default gateway, making DHCPv6 pointless.
Similarly, host systems should not decide to "disable" stateless
address configuration in favor of DHCPv6. The "A" (autonomous) flag
within a router advertisement signals hosts on a network whether to
assign a stateless address or not; Linux already respects this flag.
It is a legitimate configuration to use _both_ a stateless and a
stateful IPv6 address on a single interface. That should be
determined by the network, not the host, as the default behavior.
If the RFC were followed, you would actually wait for an IPv6 router
advertisement to announce either the "M" or "O" flags before starting
a DHCPv6 client; but I'm not sure how you would do that in Linux. The
only reliable way right now is to just enable DHCPv6 by default if
"Automatic" configuration is selected.
3. DHCPv6 seems to replace resolve.conf with IPv6-only version,
instead of a version with both IPv4 and IPv6 nameservers. It's not
really an issue, since IPv6 DNS should be preferred per RFCs, but it
makes me wonder if it would revert to IPv4 resolve.conf if IPv6 were
to go away on the host.
4. The network setup utility (which has your names on it, ;D) doesn't
provide for IPv6 configuration as the installer does. We really need
the default tools to setup IPv6 to be in place at this point. We
can't wait for RHEL 7 to get this right.
Essentially, there should be 2 options for IPv6: "Automatic" and
"Static" configuration. Automatic should imply that a working DHCPv6
client will be started. If you have a way to only start it when a
router advertisement with the "O" (other) or "M" (managed) flags set,
then that would be better since it would match the requirement by the
RFC... I can't think of a way to easily do that though (maybe with
udev...). So the other obvious solution is to just start the DHCPv6
client up in case it's needed. This seems to be how Windows handles
it by default.
DHCPv6 has been ignored until now, but a growing number of people are
starting to make use of it as people quickly find out that stateless
is not a good option for the enterprise (even Apple has reversed its
position on DHCPv6).
Is there any way we can get RHEL 6 to come into the fold? Little
things like this really hold back IPv6 deployment, and I don't think
there is time for us to wait another 5 years for RHEL 7 to fix it.
Modified ip6tables default:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --dport 546 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
Adding this rule as a default rule for all will result in requests to to
remove it. But not having this rule also will result in request to add
it ...
Example interface configuration for "automatic" IPv6:
DEVICE="eth0"
BOOTPROTO="dhcp"
DHCPV6C="yes"
HWADDR="00:1D:09:EF:E9:9A"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
NM_CONTROLLED="yes"
ONBOOT="yes"
If someone really wants to kill DHCPv6, they can always edit the file.
The average user should have no knowledge of whether IPv6 is stateful
or stateless. DHCPv6 is also needed in a stateless environment for
DNS server information.
Let me know if I can help. I'm a member of the Internet2 IPv6 working
group, and head up IPv6 deployment for the University of Maine System.
Thanks in advance,
Thomas
--
Thomas Woerner
Software Engineer Phone: +49-711-96437-310
Red Hat GmbH Fax : +49-711-96437-111
Hauptstaetterstr. 58 Email: Thomas Woerner <twoerner@xxxxxxxxxx>
D-70178 Stuttgart Web : http://www.redhat.de/
_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
