Discussion:
Question about NetBSD implementation of IPv6 SLAAC and RFC4941
(too old to reply)
Roy Marples
2020-04-05 18:07:59 UTC
Permalink
Hi List

As we seem to be cutting the cruft from the kernel recently I think it's time to
remove the kernel handling of router advertisements and leave it to dhcpcd -
there's nothing dhcpcd can't do that the kernel can for RA handling, but the
reverse is not true.

Roy
Hi Fernando,
Thanks for that.
Roy Marples maintains dhcpcd, and is also a NetBSD committer, so I'll drag him
into the conversation, he's best placed to say how he intends to take dhcpcd.
Roy?
Best,
Alistair
Hi, Alistair,
It seems that NetBSD ships with dhcpcd enabled by default.
Quick question: is the plan to maintain the kernel support for SLAAC
(and hence a kernel based implementation of rfc4941bis would be
desirable), or is such code being phased out, and hence I should just
focus on a dhcpcd-based implementation of rfc4941bis?
Thanks!
Cheers,
--
Fernando Gont
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Jonathan A. Kollasch
2020-04-05 18:14:46 UTC
Permalink
Post by Roy Marples
Hi List
As we seem to be cutting the cruft from the kernel recently I think it's
time to remove the kernel handling of router advertisements and leave it to
dhcpcd - there's nothing dhcpcd can't do that the kernel can for RA
handling, but the reverse is not true.
I would like RA handling kept in the kernel.

Jonathan

P.S. I'm still frustrated that rtsol got removed.

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2020-04-05 19:45:03 UTC
Permalink
Post by Jonathan A. Kollasch
Post by Roy Marples
Hi List
As we seem to be cutting the cruft from the kernel recently I think it's
time to remove the kernel handling of router advertisements and leave it to
dhcpcd - there's nothing dhcpcd can't do that the kernel can for RA
handling, but the reverse is not true.
I would like RA handling kept in the kernel.
I would like some sound technical reasons why.
Post by Jonathan A. Kollasch
P.S. I'm still frustrated that rtsol got removed.
Aside from sentiment, what frustrations do you currently endure about the lack
of rtsol? And again, please keep it technical.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2020-04-05 19:56:42 UTC
Permalink
Date: Sun, 5 Apr 2020 19:07:59 +0100
From: Roy Marples <***@marples.name>
Message-ID: <8e19a96e-f084-3f39-6219-***@marples.name>

| there's nothing dhcpcd can't do that the kernel can for RA handling,

dhcpcd cannot do anything at all before userland is running. The kernel can.

eg: how would dhcpcd autoconfig an address & router required to reach the NFS
server on which the binary & libraries needed for dhcpcd are located ?

Leave it as it is.

kre



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2020-04-05 20:23:44 UTC
Permalink
Post by Robert Elz
Date: Sun, 5 Apr 2020 19:07:59 +0100
| there's nothing dhcpcd can't do that the kernel can for RA handling,
dhcpcd cannot do anything at all before userland is running. The kernel can.
eg: how would dhcpcd autoconfig an address & router required to reach the NFS
server on which the binary & libraries needed for dhcpcd are located ?
The default kernel settings ignore router advertisements.
The kernel doesn't actively solicit anything either - there's literally no code
to do so. I mean, that is why we had rtsold before yes? As such, you would need
to wait for the router to advertise before you get a workable address and who
knows how long that will take?

Now if you think it would work otherwise, please provide a working example and
by all means I'll retract my request, but otherwise it still stands.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Joerg Sonnenberger
2020-04-05 20:24:19 UTC
Permalink
Post by Robert Elz
Date: Sun, 5 Apr 2020 19:07:59 +0100
| there's nothing dhcpcd can't do that the kernel can for RA handling,
dhcpcd cannot do anything at all before userland is running. The kernel can.
eg: how would dhcpcd autoconfig an address & router required to reach the NFS
server on which the binary & libraries needed for dhcpcd are located ?
Leave it as it is.
Have you tried it with the kernel? It can't do that without userland
configuration either.

Joerg

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Christos Zoulas
2020-04-05 21:31:26 UTC
Permalink
Post by Roy Marples
Hi List
As we seem to be cutting the cruft from the kernel recently I think it's time to
remove the kernel handling of router advertisements and leave it to dhcpcd -
there's nothing dhcpcd can't do that the kernel can for RA handling, but the
reverse is not true.
What about systems that don't use dhcpcd? I have statically allocated
addresses at work and don't use dhcpcd currently...
Does the isc dhcp client offer the same functionality?
How much code are we talking about?

christos


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2020-04-05 21:49:30 UTC
Permalink
Post by Christos Zoulas
Post by Roy Marples
Hi List
As we seem to be cutting the cruft from the kernel recently I think it's time to
remove the kernel handling of router advertisements and leave it to dhcpcd -
there's nothing dhcpcd can't do that the kernel can for RA handling, but the
reverse is not true.
What about systems that don't use dhcpcd? I have statically allocated
addresses at work and don't use dhcpcd currently...
And they will still work.
Statically allocated means you're ignoring router advertisements.

And if anyone doesn't want to use dhcpcd, they are free to use an alternative
such as slaacd(8) from OpenBSD.
Post by Christos Zoulas
Does the isc dhcp client offer the same functionality?
I don't see what ISC dhcp client has to do with this?
But, no it does not.
Post by Christos Zoulas
How much code are we talking about?
sys/netinet6/nd6_rtr.c is 2262 lines of code that can go.
Then there is some associated glue in the other bits of netinet6 that can go as
well, or become ENOTSUPP.
Parts of ndp(8) can also go that set set RA bits.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Christos Zoulas
2020-04-05 22:05:39 UTC
Permalink
Post by Roy Marples
Post by Christos Zoulas
Post by Roy Marples
Hi List
As we seem to be cutting the cruft from the kernel recently I think it's time to
remove the kernel handling of router advertisements and leave it to dhcpcd -
there's nothing dhcpcd can't do that the kernel can for RA handling, but the
reverse is not true.
What about systems that don't use dhcpcd? I have statically allocated
addresses at work and don't use dhcpcd currently...
And they will still work.
Statically allocated means you're ignoring router advertisements.
Am I? I thought that I could still see routing advertisements for my static addresses. How about if the default
route changes (or any other specific routes)?
Post by Roy Marples
And if anyone doesn't want to use dhcpcd, they are free to use an alternative such as slaacd(8) from OpenBSD.
Post by Christos Zoulas
Does the isc dhcp client offer the same functionality?
I don't see what ISC dhcp client has to do with this?
But, no it does not.
Well, dhcpcd handles DHCP, RA, SLAAC. I was wondering what I would need to run the ISC dhcp client instead...
Post by Roy Marples
Post by Christos Zoulas
How much code are we talking about?
sys/netinet6/nd6_rtr.c is 2262 lines of code that can go.
Then there is some associated glue in the other bits of netinet6 that can go as well, or become ENOTSUPP.
Parts of ndp(8) can also go that set set RA bits.
That's a lot :-)

christos
Roy Marples
2020-04-05 22:18:54 UTC
Permalink
Post by Christos Zoulas
Post by Roy Marples
Post by Christos Zoulas
What about systems that don't use dhcpcd? I have statically allocated
addresses at work and don't use dhcpcd currently...
And they will still work.
Statically allocated means you're ignoring router advertisements.
Am I? I thought that I could still see routing advertisements for my static addresses. How about if the default
route changes (or any other specific routes)?
Maybe your definition of static differs from mine.
By static I mean you have addresses and routes setup in say /etc/ifconfig.re0
Can you clarify?
Post by Christos Zoulas
Post by Roy Marples
And if anyone doesn't want to use dhcpcd, they are free to use an alternative such as slaacd(8) from OpenBSD.
Post by Christos Zoulas
Does the isc dhcp client offer the same functionality?
I don't see what ISC dhcp client has to do with this?
But, no it does not.
Well, dhcpcd handles DHCP, RA, SLAAC. I was wondering what I would need to run the ISC dhcp client instead...
ISC dhcp client runs either DHCP or DHCP6 (not both at the same time in the same
process).
You would need something else to handle SLAAC from RA like say slaacd(8) from
OpenBSD.
Post by Christos Zoulas
Post by Roy Marples
Post by Christos Zoulas
How much code are we talking about?
sys/netinet6/nd6_rtr.c is 2262 lines of code that can go.
Then there is some associated glue in the other bits of netinet6 that can go as well, or become ENOTSUPP.
Parts of ndp(8) can also go that set set RA bits.
That's a lot :-)
It's not in-substancial and the only updates it sees are just the parts to make
it carry on working with the various API changes we've made in other parts of
the kernel.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Christos Zoulas
2020-04-05 22:23:22 UTC
Permalink
Post by Roy Marples
Maybe your definition of static differs from mine.
By static I mean you have addresses and routes setup in say /etc/ifconfig.re0
Can you clarify?
I can have a static address but the routing information can be dynamic. For example if I am connected to a network that has access to more than one ISP.
Post by Roy Marples
ISC dhcp client runs either DHCP or DHCP6 (not both at the same time in the same process).
You would need something else to handle SLAAC from RA like say slaacd(8) from OpenBSD.
Ok makes sense.
Post by Roy Marples
It's not in-substancial and the only updates it sees are just the parts to make it carry on working with the various API changes we've made in other parts of the kernel.
Yes, development in the kernel is more difficult/constrained.

christos
Roy Marples
2020-04-06 01:35:02 UTC
Permalink
Post by Christos Zoulas
Post by Roy Marples
Maybe your definition of static differs from mine.
By static I mean you have addresses and routes setup in say /etc/ifconfig.re0
Can you clarify?
I can have a static address but the routing information can be dynamic. For example if I am connected to a network that has access to more than one ISP.
Ah, now we are getting interesting! So, some questions:

1) Are you soliciting a router or just waiting for an RA to magically appear?
This is fairly important as recent RFC 7772 vastly reduces broadcasts to the
network - it unicasts a lot more than it broadcasts - and makes each node
wanting a router actually solicit one.
If you're not using dhcpcd to solicit, what are you using?

2) What's the expectation with many routers and the current becomes unreachable?
dhcpcd will spot this thanks to RTM_MISS but the kernel won't. Instead it
will wait for the next RA to arrive and then evalute matters, which again
brings me back to RFC 7772 and the timeliness of RA's arriving.
Now this is fixable in the kernel for sure, but I for one like to solve
problems in one place and in this case already have.

3) How dynamic do you want your routing?
I enjoy using wireless on my pinebook - but it's slow and when I compile
over NFS I stick ethernet in via a USB dongle.
dhcpcd will automatically prefer wired over wireless and change the
routing (this assumes that wired and wireless share the same prefix).
The changeover is pretty seamless, the kernel cannot do this and I doubt
anyone will make that happen.

I would talk about dynamic addressing as well - or rather IP address sharing
which is pretty unique to NetBSD at the IPv6 level, but as your addresses are
static we can park that for another day.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Christos Zoulas
2020-04-06 20:25:10 UTC
Permalink
Post by Roy Marples
1) Are you soliciting a router or just waiting for an RA to magically appear?
This is fairly important as recent RFC 7772 vastly reduces broadcasts to the
network - it unicasts a lot more than it broadcasts - and makes each node
wanting a router actually solicit one.
If you're not using dhcpcd to solicit, what are you using?
I am not doing anything special. I just set ip6mode=autohost in rc.conf which does:

/sbin/sysctl -qw net.inet6.ip6.accept_rtadv=1

and I am all set.
Post by Roy Marples
2) What's the expectation with many routers and the current becomes unreachable?
dhcpcd will spot this thanks to RTM_MISS but the kernel won't. Instead it
will wait for the next RA to arrive and then evalute matters, which again
brings me back to RFC 7772 and the timeliness of RA's arriving.
Now this is fixable in the kernel for sure, but I for one like to solve
problems in one place and in this case already have.
I don't know, I have not tested. Things just seem to work...
Post by Roy Marples
3) How dynamic do you want your routing?
I enjoy using wireless on my pinebook - but it's slow and when I compile
over NFS I stick ethernet in via a USB dongle.
dhcpcd will automatically prefer wired over wireless and change the
routing (this assumes that wired and wireless share the same prefix).
The changeover is pretty seamless, the kernel cannot do this and I doubt
anyone will make that happen.
Yes, having things more dynamic would be nice.
Post by Roy Marples
I would talk about dynamic addressing as well - or rather IP address sharing which is pretty unique to NetBSD at the IPv6 level, but as your addresses are static we can park that for another day.
Sure,

christos
Martin Husemann
2020-04-09 10:29:39 UTC
Permalink
Post by Roy Marples
Using this approach, the in kernel DHCP client could also be removed.
Quickly testing ordinary kernels without big effort via netbooting is
a very important feature. Using that setup for emergency recovery
and a quick root-on-NFS to fix the broken usual root is extremely convenient.

I would realy hate to see that setup become more complex.

I would suggest to add a simple kernel option to solicit RAs similar
to the DAD handling, and also fill any gaps that we might have for
root-on-NFS-via-IPv6.

Martin

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2020-04-09 11:02:22 UTC
Permalink
Post by Martin Husemann
Post by Roy Marples
Using this approach, the in kernel DHCP client could also be removed.
Quickly testing ordinary kernels without big effort via netbooting is
a very important feature. Using that setup for emergency recovery
and a quick root-on-NFS to fix the broken usual root is extremely convenient.
I would realy hate to see that setup become more complex.
I don't see it as any more complex.
Post by Martin Husemann
I would suggest to add a simple kernel option to solicit RAs similar
to the DAD handling, and also fill any gaps that we might have for
root-on-NFS-via-IPv6.
Are you suggesting an in-kernel DHCPv6 client that supports RFC 5970 as well to
fill the gaps?

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Martin Husemann
2020-04-09 11:20:25 UTC
Permalink
Post by Roy Marples
Post by Martin Husemann
Post by Roy Marples
Using this approach, the in kernel DHCP client could also be removed.
Quickly testing ordinary kernels without big effort via netbooting is
a very important feature. Using that setup for emergency recovery
and a quick root-on-NFS to fix the broken usual root is extremely convenient.
I would realy hate to see that setup become more complex.
I don't see it as any more complex.
If I can't test the kernel I want to test as-is, it is useless.

If I have to build a special ramdisk module for it, it is more complex -
even ignoring for the moment that on most architectures the bootloader
will not be able to pre-load that module.
Post by Roy Marples
Post by Martin Husemann
I would suggest to add a simple kernel option to solicit RAs similar
to the DAD handling, and also fill any gaps that we might have for
root-on-NFS-via-IPv6.
Are you suggesting an in-kernel DHCPv6 client that supports RFC 5970 as well
to fill the gaps?
Yes. This likely is not very important though, as most setups will be
dual stack and be able to boot from a private IPv4 address instead.
But in principle we should have feature parity for IPv4-only and IPv6-only
setups.

Martin


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2020-04-09 11:34:08 UTC
Permalink
Post by Martin Husemann
Post by Roy Marples
Are you suggesting an in-kernel DHCPv6 client that supports RFC 5970 as well
to fill the gaps?
Yes. This likely is not very important though, as most setups will be
dual stack and be able to boot from a private IPv4 address instead.
But in principle we should have feature parity for IPv4-only and IPv6-only
setups.
Then I suggest the existing complex RA handling be removed and simpler code
added alongside this DHCPv6 code.
After all, both only need to do enough for userland to boot.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2020-04-09 12:21:28 UTC
Permalink
Post by Roy Marples
Post by Martin Husemann
Post by Roy Marples
Are you suggesting an in-kernel DHCPv6 client that supports RFC 5970 as well
to fill the gaps?
Yes. This likely is not very important though, as most setups will be
dual stack and be able to boot from a private IPv4 address instead.
But in principle we should have feature parity for IPv4-only and IPv6-only
setups.
Then I suggest the existing complex RA handling be removed and simpler code
added alongside this DHCPv6 code.
After all, both only need to do enough for userland to boot.
Actually it might be possible to make it work without RA - delegate the prefix
and supply an IA_NA address within it.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2020-04-07 21:15:35 UTC
Permalink
Post by Christos Zoulas
Post by Roy Marples
1) Are you soliciting a router or just waiting for an RA to magically appear?
This is fairly important as recent RFC 7772 vastly reduces broadcasts to the
network - it unicasts a lot more than it broadcasts - and makes each node
wanting a router actually solicit one.
If you're not using dhcpcd to solicit, what are you using?
/sbin/sysctl -qw net.inet6.ip6.accept_rtadv=1
and I am all set.
The default maximum time from one RA to the next without solicition is 600
seconds, the upport limit is 1800 seconds.

Now, if your IPv6 routers don't support RFC 7772 and there are many IPv6 nodes
soliciting a RA (you'll get a RA every 3 seconds or so) or are configured with a
low MaxRtrAdvInterval then that explains why it "works" for you.

Given an IPv6 router which supports RFC 7772, I wouldn't want to wait 10 minutes
(default, max 30 minutes) after userland has booted before network connectivity
comes up (assuming IPv6 is required for connectivity). And frankly if anyone
submitted a bug report for this I would just tell them to solicit a RA because
that's how IPv6 is designed.

Is this something we want to support?

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Christos Zoulas
2020-04-07 21:22:02 UTC
Permalink
Post by Christos Zoulas
Post by Roy Marples
1) Are you soliciting a router or just waiting for an RA to magically appear?
This is fairly important as recent RFC 7772 vastly reduces broadcasts to the
network - it unicasts a lot more than it broadcasts - and makes each node
wanting a router actually solicit one.
If you're not using dhcpcd to solicit, what are you using?
/sbin/sysctl -qw net.inet6.ip6.accept_rtadv=1
and I am all set.
The default maximum time from one RA to the next without solicition is 600 seconds, the upport limit is 1800 seconds.
Now, if your IPv6 routers don't support RFC 7772 and there are many IPv6 nodes soliciting a RA (you'll get a RA every 3 seconds or so) or are configured with a low MaxRtrAdvInterval then that explains why it "works" for you.
Given an IPv6 router which supports RFC 7772, I wouldn't want to wait 10 minutes (default, max 30 minutes) after userland has booted before network connectivity comes up (assuming IPv6 is required for connectivity). And frankly if anyone submitted a bug report for this I would just tell them to solicit a RA because that's how IPv6 is designed.
Is this something we want to support?
I am not sure. Do you mean running dhcpcd with the right flags to behave like rtsold? Fixing the kernel to support RFC 7772?

christos
Roy Marples
2020-04-07 21:33:45 UTC
Permalink
Post by Christos Zoulas
Post by Christos Zoulas
Post by Roy Marples
1) Are you soliciting a router or just waiting for an RA to magically appear?
This is fairly important as recent RFC 7772 vastly reduces broadcasts to the
network - it unicasts a lot more than it broadcasts - and makes each node
wanting a router actually solicit one.
If you're not using dhcpcd to solicit, what are you using?
/sbin/sysctl -qw net.inet6.ip6.accept_rtadv=1
and I am all set.
The default maximum time from one RA to the next without solicition is 600 seconds, the upport limit is 1800 seconds.
Now, if your IPv6 routers don't support RFC 7772 and there are many IPv6 nodes soliciting a RA (you'll get a RA every 3 seconds or so) or are configured with a low MaxRtrAdvInterval then that explains why it "works" for you.
Given an IPv6 router which supports RFC 7772, I wouldn't want to wait 10 minutes (default, max 30 minutes) after userland has booted before network connectivity comes up (assuming IPv6 is required for connectivity). And frankly if anyone submitted a bug report for this I would just tell them to solicit a RA because that's how IPv6 is designed.
Is this something we want to support?
I am not sure. Do you mean running dhcpcd with the right flags to behave like rtsold?
Yes

dhcpcd -T6 --nodhcp6 $interface

gets you the same behaviour as rtsol, keeping RA in the kernel.

dhcpcd -6 --nodhcp6 $interface

gets you the same, just puts the RA handling in dhcpcd, although you should
probably drop the nodhcp6 option so the dhcpcd can respect the M or O flags if
set in the RA.

We're at the point where something in userland needs to solicit an RA to
guarantee connectivity ASAP - unless everything is static of course (but then we
don't care about RA's here). I would rather have something that solicits the RA
actually process the RA. Which makes sense because the RDNSS and DNSSL options
within a RA need to be written to resolv.conf(5).
Post by Christos Zoulas
Fixing the kernel to support RFC 7772?
Our rtadvd(8) has supported RFC 7772 since NetBSD-9.
It's not a kernel thing, it's how a router sends RA's.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2020-04-08 16:27:46 UTC
Permalink
Date: Tue, 7 Apr 2020 22:33:45 +0100
From: Roy Marples <***@marples.name>
Message-ID: <aedc88ef-b8e7-656f-4cf0-***@marples.name>

| We're at the point where something in userland needs to solicit an RA to
| guarantee connectivity ASAP

It is not difficult to have the kernel send an RS when an interface
comes up. It would be a bit more difficult (I suppose, haven't tried)
to do it properly, with random delays and all that (my environment doesn't
benefit from that - I don't have lots of systems all starting at the same
time, as in after power to a whole bunch of systems is switched on).
Similarly, my environment is quiet enough that the RS doesn't get lost
in practice, so I also survive without any kind of retry. Eliminate
all that and an RS is just a very boring multicast (destination) ICMPv6
packet (not really any different from the DaD packets that are sent).

kre


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2020-04-08 18:33:40 UTC
Permalink
Post by Robert Elz
Date: Tue, 7 Apr 2020 22:33:45 +0100
| We're at the point where something in userland needs to solicit an RA to
| guarantee connectivity ASAP
It is not difficult to have the kernel send an RS when an interface
comes up.
You would need DaD to finish on the LL address, which means the carrier needs to
be up too.
Post by Robert Elz
It would be a bit more difficult (I suppose, haven't tried)
to do it properly, with random delays and all that.
Random delay are a RFC requirement.
Post by Robert Elz
(my environment doesn't
benefit from that - I don't have lots of systems all starting at the same
time, as in after power to a whole bunch of systems is switched on).
Similarly, my environment is quiet enough that the RS doesn't get lost
in practice, so I also survive without any kind of retry. Eliminate
all that and an RS is just a very boring multicast (destination) ICMPv6
packet (not really any different from the DaD packets that are sent).
When I code on the sofa on my pinebook, my urtwn sometimes goes funny for a
while and suffers packet loss after it associates.
This why 3 RS are sent on carrier up.

Still, no-one has actually come up with a technical reason why the kernel should
handle RA's. From a security perspective, handling it in a chrooted environment
with an unpriviledged user would be a lot better yes? That's just one of many
technical reasons why RA should be removed from the kernel.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2020-04-08 19:09:58 UTC
Permalink
Date: Wed, 8 Apr 2020 19:33:40 +0100
From: Roy Marples <***@marples.name>
Message-ID: <bc6d280c-912d-750c-4a30-***@marples.name>

| You would need DaD to finish on the LL address,

Why? If I can send a DaD packet (NS), I can send an RS packet. They're
not materially different. If I can receive a reply to a DaD packet (on
the off chance that there is a conflict) I can receive an RA. The RA
doesn't change based upon what address I end up using, so there is absolutely
no reason to wait until my address is fixed to request and process it.

| which means the carrier needs to be up too.

Of course. It has to be possible to send & receive packets.

| Random delay are a RFC requirement.

I know, and I know why, I was in the room when all this was
initially decided, and in general I support that.

But because I know why, I also know it doesn't matter to me.

Note: I am not proposing that the code I use be incorporated
into NetBSD (or even shared with anyone), it would need a bunch
of work (including random delays, and retries, and someone who knows
how to check its SMP worthiness properly) before that could
happen.

| When I code on the sofa on my pinebook, my urtwn

Wireless? Yes, for that you would probably want retries, for me
all this is on wired links. Unless something is broken (in which
case none of this really matters, as nothing is going to work anyway)
when the link is attached, carrier appears, and packets get sent
and delivered (and no, the relevant links do not have spanning tree
enabled, they're not connected to bridges).

| Still, no-one has actually come up with a technical reason why the
| kernel should handle RA's.

No-one has come up with a technical reason why it shouldn't.

But if you want a reason, consider tiny embedded systems, where the (much
cut down) kernel, and perhaps one application (replacing init), is all that
exists.

| From a security perspective, handling it in a chrooted environment
| with an unpriviledged user would be a lot better yes?

No. chroot doesn't have nearly the benefits that are sometimes attributed
to it (and sometimes desired of it). Other systems have tried to improve
it (fortunately, we haven't fallen into that rabbit hole) with poor success.

Which reminds me - I have yet to install a system with the latest dhcpcd
that has the chroot ability - but from a quick glance, I didn't see how to
turn it off, and continue the old way. I don't run any of the daemons
that support chroot chroot'd - not even the ones which arguably could
benefit a little (because of their complexity, and hence probably bugs).

What is the method to run the new dhcpcd as root, in the original directories?

It is also really hard to see how processing RA packets can possibly be
done so badly as to require that kind of protection.

| That's just one of many
| technical reasons why RA should be removed from the kernel.

Except it isn't. The only other one (I suppose 2 is "many") seems to
have been "it is a lot of code" (which by comparison with many other
things, it really isn't).

kre



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2020-04-08 20:09:13 UTC
Permalink
Post by Robert Elz
Date: Wed, 8 Apr 2020 19:33:40 +0100
| You would need DaD to finish on the LL address,
Why? If I can send a DaD packet (NS), I can send an RS packet.
Because the source address has not yet been validated .....
Go read RFC 4862 5.4 - you have to send the RS from a unicast source address.
Post by Robert Elz
They're
not materially different. If I can receive a reply to a DaD packet (on
the off chance that there is a conflict) I can receive an RA. The RA
doesn't change based upon what address I end up using, so there is absolutely
no reason to wait until my address is fixed to request and process it.
The RS does. Modern RFC's will give you a different LL address per SSID you
connect to. Not that the kernel supports this ....
Post by Robert Elz
Note: I am not proposing that the code I use be incorporated
into NetBSD (or even shared with anyone), it would need a bunch
of work (including random delays, and retries, and someone who knows
how to check its SMP worthiness properly) before that could
happen.
And this is the reason why it should be removed.
It's easier in userland.
Post by Robert Elz
| When I code on the sofa on my pinebook, my urtwn
Wireless? Yes, for that you would probably want retries, for me
all this is on wired links. Unless something is broken (in which
case none of this really matters, as nothing is going to work anyway)
when the link is attached, carrier appears, and packets get sent
and delivered (and no, the relevant links do not have spanning tree
enabled, they're not connected to bridges).
| Still, no-one has actually come up with a technical reason why the
| kernel should handle RA's.
No-one has come up with a technical reason why it shouldn't.
No-one is maintaining this other than going through the motions of keeping it
working.

It's behind the times in current RFCs.

It doesn't work with my basic use case of the same prefix on wired and wireless
because the kernel cannot manage this.

There is no mechanism to extract RDNSS and DNSSL from the RA and more
importantly use it.

Ignores (last I checked) MTU.

No way of preffering RA's from different interfaces.
It's first come, first served which is not deterministic.

Does not failover to another router when the current one becomes unreachable.
Post by Robert Elz
But if you want a reason, consider tiny embedded systems, where the (much
cut down) kernel, and perhaps one application (replacing init), is all that
exists.
How do you envisage DNS working in this IPV6 only world?

Anyway, I can easily argue that tiny applications benefit from using dhcpcd:
$ ls -l nd6_rtr.o ~/src/dhcpcd/src/ipv6.o ~/src/dhcpcd/src/ipv6nd.o
-rw-r--r-- 1 roy users 99608 Apr 8 20:50 /home/roy/src/dhcpcd/src/ipv6.o
-rw-r--r-- 1 roy users 83016 Apr 8 20:50 /home/roy/src/dhcpcd/src/ipv6nd.o
-rw-r--r-- 1 roy users 243280 Apr 8 20:59 nd6_rtr.o

So dhcpcd handling RA will take less disk space and presumably less memory than
the kernel. Which frankly is pretty damned amazing when you consider what dhcpcd
does support with RA's and what NetBSD's in kernel RA does not. I'll note that a
lot of ipv6.o is shared with the DHCPv6 part as well.

I know a few companies that use dhcpcd in ramdisks in very tiny embedded systems
with great success.
Post by Robert Elz
| From a security perspective, handling it in a chrooted environment
| with an unpriviledged user would be a lot better yes?
No. chroot doesn't have nearly the benefits that are sometimes attributed
to it (and sometimes desired of it). Other systems have tried to improve
it (fortunately, we haven't fallen into that rabbit hole) with poor success.
Which reminds me - I have yet to install a system with the latest dhcpcd
that has the chroot ability - but from a quick glance, I didn't see how to
turn it off, and continue the old way. I don't run any of the daemons
that support chroot chroot'd - not even the ones which arguably could
benefit a little (because of their complexity, and hence probably bugs).
What is the method to run the new dhcpcd as root, in the original directories?
Set the home directory of _dhcpcd to /var/empty and it will refuse chroot.
You could also remove the _dhcpcd user but that might lead to postinstall
bitching or potential upgrade issues.

Another option is to compile it out of dhcpcd - the Makefile for it should be
pretty self explanatory on now to do this.

You could even get ultra pedantic and not compile IPv6 entirely in dhcpcd so
it's just an IPv4 client. How could even go the other way and compile it as IPv6
only. And before the foolish asks, yes could could even disable IPv4 and IPv6 at
which point it becomes an ifwatchd(8) clone, but with more bells an whistles.
Post by Robert Elz
It is also really hard to see how processing RA packets can possibly be
done so badly as to require that kind of protection.
Of course, bugs never exit in old software which has had many eyes.
But you and I both know this is a fallacy.
Reducing the attack surface is always a win.
Post by Robert Elz
| That's just one of many
| technical reasons why RA should be removed from the kernel.
Except it isn't. The only other one (I suppose 2 is "many") seems to
have been "it is a lot of code" (which by comparison with many other
things, it really isn't).
I've already listed other reasons above.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Andy Ruhl
2020-04-09 03:50:06 UTC
Permalink
Question to anyone: Is it possible to netboot a diskless system using
IPv6? I used to do this (obviously with IPv4) a long time ago for
convenience when playing with different types of systems. Seems like
if dhcpcd is required for IPv6 to work, then the answer is no,
correct? Or am I missing something?

I don't know if this type of thing has value at the moment but things
have a way of coming full circle. Been there multiple times. IOT
devices come to mind.

Andy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2020-04-09 10:04:24 UTC
Permalink
Post by Andy Ruhl
Question to anyone: Is it possible to netboot a diskless system using
IPv6? I used to do this (obviously with IPv4) a long time ago for
convenience when playing with different types of systems. Seems like
if dhcpcd is required for IPv6 to work, then the answer is no,
correct? Or am I missing something?
I don't know if this type of thing has value at the moment but things
have a way of coming full circle. Been there multiple times. IOT
devices come to mind.
With a stock kernel as of now? No.

But theres no reason we can't make a ramdisk to insert into the kernel:
https://wiki.netbsd.org/tutorials/how_to_create_bootable_netbsd_image/#index5h1

Said ramdisk will just run userland tools to get networking up and network mount
what's needed. Once up, it can then pivot the root to the network and a normal
boot procedure can begin.

Using this approach, the in kernel DHCP client could also be removed.

Roy

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Loading...