Debian Bug report logs - #684009
isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Arne Nordmark <nordmark@mech.kth.se>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

Date: Mon, 06 Aug 2012 11:21:23 +0200

[Message part 1 (text/plain, inline)]

Package: isc-dhcp-client
Version: 4.2.2.dfsg.1-5
Severity: normal
Tags: upstream ipv6 patch

dhclient unconditionally assumes an on-link prefix matching the address 
and with a length of 64 when setting an IPv6 address. Like routing 
information, on-link prefix information is not part of the DHCPv6 
protocol, so this is just a guess from the part of dhclient.

RFC 5942 asserts that on-link prefixes and addresses are independent 
concepts, and on-link prefix information must only come from Router 
Advertisements or manual configuration. Section 5 specifically points 
out that a /64 prefix must not be assumed.

In my case where a /112 prefix is used, the routing table becomes

nordmark@strix:~$ ip -6 route
2001:6b0:1:1e90::40:0/112 dev wlan0  proto kernel  metric 256  expires 
2592301sec
2001:6b0:1:1e90::/64 dev wlan0  proto kernel  metric 256
default via fe80::92e6:baff:fe68:ce8f dev wlan0  proto kernel  metric 
1024 expires 1777sec

and hosts sharing the /64 prefix but not the /112 are falsely determined 
as being on-link, and have become unreachable.

This is (probably, the bug tracking is closed so I can not verify) 
reported upstream as ISC-Bugs #29468.

The corresponding bug where Network Manager wrongly trusts the prefix 
length information from dhclient is #661885.

The incuded patch removes the use of the bogus ip6_prefixlen variables 
from dhclient-script and uses /128 when setting an address. Should other 
programs use these variables, they are hard coded as 128 instead of 64.

Arne


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages isc-dhcp-client depends on:
ii  debianutils      4.3.2
ii  iproute          20120521-3
ii  isc-dhcp-common  4.2.2.dfsg.1-5
ii  libc6            2.13-33

isc-dhcp-client recommends no packages.

Versions of packages isc-dhcp-client suggests:
ii  avahi-autoipd  0.6.31-1
ii  resolvconf     1.67

-- no debconf information

[prefixlen_128.patch (text/x-patch, attachment)]

Message #10 received at 684009@bugs.debian.org (full text, mbox, reply):

From: Ralf Schlatterbeck <ralf@zoo.priv.at>

To: 684009@bugs.debian.org

Subject: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

Date: Tue, 14 Jan 2014 13:21:14 +0100

[Message part 1 (text/plain, inline)]

Note that dhclient does not itself configures the interface but instead
calls the shellscript /sbin/dhclient-script to do the work. So a quick
workaround is to patch that script to use a fixed netmask of /128
(patch attached).

The real fix is to hand a fixed /128 netmask to the dhclient-script from
the daemon. This patches C-code in dhclient (patch attached).

Note that the dhcpv6 protocol doesn't have an option for a netmask. So
it is always /128 and routing is left to icmpv6 router advertisements.

That also means that the option "accept_ra" of the dhcp method for the
INET6 address family in /etc/network/interfaces (see interfaces(5) man
page) probably should be on by default or completely removed. In
addition maybe a fixed netmask should be configurable (see excerpts from
RFC5942 below).

Just some more facts regarding this issue:
RFC 5942 is very clear about a DHCP client "inventing" a prefix:

RFC5942, p.7 under "Host Rules":
"""
   1.  The assignment of an IPv6 address -- whether through IPv6
       stateless address autoconfiguration [RFC4862], DHCPv6 [RFC3315],
       or manual configuration -- MUST NOT implicitly cause a prefix
       derived from that address to be treated as on-link and added to
       the Prefix List.  ...
"""

and on p.8 under the heading "Observed Incorrect Implementation Behavior":
"""
   ...  An address
   could be acquired through the DHCPv6 identity association for non-
   temporary addresses (IA_NA) option from [RFC3315] (which does not
   include a prefix length), or through manual configuration (if no
   prefix length is specified).  The host incorrectly assumes an
   invented prefix is on-link.  This invented prefix typically is a /64
   that was written by the developer of the operating system network
   module API to any IPv6 application as a "default" prefix length when
   a length isn't specified...
"""

I sincerely hope this gets fixed in the next release of dhcpd. Note that
I've also filed an upstream report with issue number #35178 (before I
knew about this debian report) and I'm surprised the currently scheduled
4.3.0a1 release doesn't yet have the fix.

Ralf
-- 
Ralf Schlatterbeck             email: ralf@zoo.priv.at

[dhclient-script.patch (text/x-diff, attachment)]

[dhc6.patch (text/x-diff, attachment)]

Message #15 received at 684009@bugs.debian.org (full text, mbox, reply):

From: Florent Fourcot <florent.fourcot@enst-bretagne.fr>

To: Ralf Schlatterbeck <ralf@zoo.priv.at>, 684009@bugs.debian.org

Subject: Re: Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

Date: Tue, 14 Jan 2014 14:11:55 +0100

Hello,


> Note that dhclient does not itself configures the interface but instead
> calls the shellscript /sbin/dhclient-script to do the work. So a quick
> workaround is to patch that script to use a fixed netmask of /128
> (patch attached).
> 

I did not see anything new in your patches, the patch of Arne Nordmark
already includes your changes (and some others, covering more cases).

Second, the "/128" of ${new_ip6_address}/128 can probably be removed. An
address without prefix is set to /128 by default.

Regards,

Florent.

Message #20 received at 684009@bugs.debian.org (full text, mbox, reply):

From: Ralf Schlatterbeck <ralf@zoo.priv.at>

To: Florent Fourcot <florent.fourcot@enst-bretagne.fr>, 684009@bugs.debian.org

Subject: Re: Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

Date: Wed, 15 Jan 2014 11:21:06 +0100

On Tue, Jan 14, 2014 at 02:11:55PM +0100, Florent Fourcot wrote:
> 
> I did not see anything new in your patches, the patch of Arne Nordmark
> already includes your changes (and some others, covering more cases).
> 
> Second, the "/128" of ${new_ip6_address}/128 can probably be removed. An
> address without prefix is set to /128 by default.

Thanks, you're right, the other patch is more complete, I didn't notice
there already was a patch.

Do you know more than us mere mortals about ISC's plans to fix this bug?

Thanks
Ralf
-- 
Ralf Schlatterbeck             email: ralf@zoo.priv.at

Message #25 received at 684009@bugs.debian.org (full text, mbox, reply):

From: Florent Fourcot <florent.fourcot@enst-bretagne.fr>

To: Ralf Schlatterbeck <ralf@zoo.priv.at>, 684009@bugs.debian.org

Subject: Re: Bug#684009: isc-dhcp-client: dhclient must not assume a IPv6 prefix length of 64 when setting an address

Date: Wed, 09 Jul 2014 16:56:39 +0200

Hello,

for information, the new release of isc-dhcp provides an option to
change the prefix length:

> The prefix length passed to the dhclient script can now be modified
> at compile time by editing the includes/site.h file and #defineing
> DHCLIENT_DEFAULT_PREFIX_LEN.  By default it is set to 64 in order
> to minimize any disruptions to running systems.  A description of
> some of the issues and some other workarounds can be found at:
> https://kb.isc.org/article/AA-01141/31/How-to-workaround-IPv6-prefix-length-issues-with-ISC-DHCP-clients.html


However, since it has to be set at compiling time, it does not solve the
problem for Debian users.

Regards,

Florent.

Message #32 received at 684009-close@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 684009-close@bugs.debian.org

Subject: Bug#684009: fixed in isc-dhcp 4.3.3-6

Date: Sun, 25 Oct 2015 07:34:48 +0000

Source: isc-dhcp
Source-Version: 4.3.3-6

We believe that the bug you reported is fixed in the latest version of
isc-dhcp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684009@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated isc-dhcp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Oct 2015 03:24:47 +0000
Source: isc-dhcp
Binary: isc-dhcp-server isc-dhcp-dbg isc-dhcp-server-ldap isc-dhcp-common isc-dhcp-dev isc-dhcp-client isc-dhcp-client-ddns isc-dhcp-client-udeb isc-dhcp-relay
Architecture: source
Version: 4.3.3-6
Distribution: experimental
Urgency: medium
Maintainer: Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
 isc-dhcp-client - DHCP client for automatically obtaining an IP address
 isc-dhcp-client-ddns - Dynamic DNS (DDNS) enabled DHCP client
 isc-dhcp-client-udeb - ISC DHCP Client for debian-installer (udeb)
 isc-dhcp-common - common files used by all of the isc-dhcp packages
 isc-dhcp-dbg - ISC DHCP server for automatic IP address assignment (debuging sym
 isc-dhcp-dev - API for accessing and modifying the DHCP server and client state
 isc-dhcp-relay - ISC DHCP relay daemon
 isc-dhcp-server - ISC DHCP server for automatic IP address assignment
 isc-dhcp-server-ldap - DHCP server that uses LDAP as its backend
Closes: 592539 684009
Changes:
 isc-dhcp (4.3.3-6) experimental; urgency=medium
 .
   * Fix missing build flags from the last upload.
   * Support IPv6 in the server init script (closes: #592539).
     - Thanks to Florent Fourcot and Ron Murray.
   * Don't assume an IPv6 prefix length of 64 (closes: #684009).
     - Thanks to Arne Nordmark.
Checksums-Sha1:
 07d021fc5d8e69509c9261320a2dcebf8c6be6e9 3294 isc-dhcp_4.3.3-6.dsc
 ff78fe9644d1e2bb63de1bee13774a7f586527ba 81896 isc-dhcp_4.3.3-6.debian.tar.xz
Checksums-Sha256:
 ac8e03f46ee811ebf99b8b0cde4ef2e342d077099b302d2806eed6b3e73f65b8 3294 isc-dhcp_4.3.3-6.dsc
 3422490b0bf74d1be87fe5a9596f1bc01420fe5f2fe217cab20d095a3a5cf6cc 81896 isc-dhcp_4.3.3-6.debian.tar.xz
Files:
 1048b22bebfb55310a4b59ee30d1ea2e 3294 net important isc-dhcp_4.3.3-6.dsc
 ab48c331e0c003e0463d1ad3c90c1ff9 81896 net important isc-dhcp_4.3.3-6.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQQcBAEBCgAGBQJWLIVLAAoJELjWss0C1vRz3FYf/RESaCWCu40MDur8C/25fS82
aSblkbZ45/iHQpMSU1fwEaTYy7SDFyVI/8Ju4hqGG30rQRMfbv8n1BoFtPsspPxy
EmNvNMvSWF2Pbv19GP9SCKoKODxlVRN3KsdY6+nfpbs0ESJhoLjdkELWkS72P3x1
pqWL/y+IbyWej7U28I8pSUIp9n0oTVxr9EhtOL7ZnPDjRl7taqlXzMqBFONk+Y/v
vseA53aw1VA7h+y6ysFxAe1NyV9ASCTVIEZtKDc+fvXawp5zVB4s6BncWZbV9dHu
Nh9qdaHyegwDUGy/dqUyaFagv6sHnOXQtpOxwKZxdr5UAQ2N1uhekdZPmdzIewAd
BPMTjUIlesqMUKRusuAwghXZP3RLfK0mAFTNxYSMwmCEZ0DC2l+nWvQ1lWqRAnXJ
sbw0uVeo+/bRzSODcDbljGWbferKcYo3uPg9BQCA6elSDMzUpYhQfYxfuz+reE3J
h0eXg/dTGSm2nTQ2TH38P796DtmCajYSCEyR4Bcbj5KBCi59VPhdSq1yDAudQW7s
9EQ0O6h3SPIjrN2oNR1Fu12FqY2wZWGOAIBXY88OIf4v2yAFISCJ0UFBVsVbPmkX
+wOY8FDiQP8zn1af19V8M5QeDyCSnIZDA8PqZkMq5jJeizjnFXcPuNrIyJ1pK9py
08AlDA2+pWjv9F9Bg/BcVp3rjn3PboHhzR9ISxozBSutFEfNyDhuc8HIKcdnP4x/
b2vqBVSHpPVMWAGi4GKVNDl6gdXkkDb/ZEWiXM+tttYcZss9M5qMYANLNnV7ahim
x/duDOjTHro/vviUfiypfHsOb8MBTfEJ1pE0zjEKq+dJzo9PwjV2njHnli1SfhHt
jigSdwRsVW/0FNZZa0K0rlQReTYQRH9MyLLnnPku6OXUnAteZOromCe+Cm++XikM
KV6pskpbYlgG1SXSljx8HnrScPNlmYfL8wiFNvpzyPLsFQ40u+Kyw2HF781Cqilp
X7yxNj084qHQVZFvmbhIc/flFTKl9MZWiIu1HhEDh9+4jH5NE4w1SKe8C2+VaI3k
HCZLQqEgwAdXW42hBtyjLhCer7gFRcyvCqaMkI2HiW4X00d5pKbBrvHFk2wtE8pN
WTa4GNyHBvab310Bu1G2eQUD23bY/1mJzmaVlMITZLkT6HR0iJglEV2gEDL9VxDK
Qhw3m0QV8MtWc2Fc9jBq2HNBdnpwQoha/jCL/6bSJogy4Hz07LUsYxX2k8WRtglw
+yThKKjvjXllqSdmSRA7iU1LKFaLqyLq9IgFjuQvaYmgabylANM2nJy4vmcyvVNa
vGb/Zitp18hy0ljl1tS6FU+Nxxyh8RqOP4TlPTN7KC0xl79Dyg4ie+adRqVXcHE=
=bH0A
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.