Do you mean it is sending RAs? That seems odd. I wonder if we should
be rejecting them, but we'd have to read the specs.
Can you explain more precisely?
Three thoughts about what might be going on:

I am unclear on codes in ICMPv6; it could be that 0 is irregular and
getting filtered out by us, even though maybe it shouldn't be.

It seems that the proper response of TCP to net/host unreachable is
arguable. In the case you mention, it's best to abort, but a
transient unreachable situation on a TCP connection shouldn't kill the
connection.

It strikes me as odd that without a public address TCP is being tried.
Does your interface have any global addresses, or just the LL one?
If the router is handing out global addresses which don't work, it's a
much harder question about doing per-protocol black-hole detection
(leading down the path to happy eyeballs).

Firefox usually tries both connections in parallel ("Happy Eyeballs").
You can disable this by setting network.http.fast-fallback-to-IPv4 to
false in about:config, and you can completely disable v6 by
setting network.dns.disableIPv6 to false.

However, your description does not sound like connections are the real
problem, but more your DNS setup. Did the router provide a nameserver
with IPv6 address in the DHCP option?

Martin

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I fully agree. I just got my ssh connections to a linux host killed
only because I unplugged/replugged the ethernet cable of said linux box.
That's very annoying.

That was my initial thought also, but I've read the specs and can't see
anything to say they should be rejected.
There is also a few documents (NOT RFCs) on recommending using fe80::1
as the edge router because it's like easy to remember.
It's a fully functional IPv6 router, except it's not handing out any
prefixes or addresses of any kind. The DHCPv6 is just handing out DNS
records.
It's not irregular, it's ICMP6_DST_UNREACH_NOROUTE which is handled in
sys/netinet6/icmp6.c line 525. I have yet to explore further than this.
As I said above, no addresses are being handed out.
The local interface just have local-link addresses.

Roy


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Yes, firefox works reasonably well and is the exception.
Yes it did.
And it works fine. It gives the same responses as the IPv4 nameserver.
On both NetBSD and Linux, wget gets the IPv6 address first.

Roy


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I would argue that's correct behaviour because the addresses will become
non functional when you take the cable out. In the IPv6 case on NetBSD
the addresses will be marked as detached and then tentative when the
cable is plugged back in. I think in the Linux case the addresses are
just removed. With dhcpcd running it will remove the addresses. There is
no guarantee the same network will be plugged back in.

If you want ssh to persist in any way or form, run tmux or screen at the
other end.

Roy


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I think it works best if errors (either unreachables or sending errors
reported by the local stack) are reported immediately when the TCP packet
that resulted in the error is a SYN packet but are ignored, falling back
to a timeout, when the connection has gotten beyond that. It is very
true that this is arguable though.
I'm not sure the first bit is right. I think TCP connections using the
LL address are okay, even when the remote address is global scope, as
long as the remote host is connected to the same wire. Since a host
can't necessarily tell whether the global addressee is on the same wire,
however, the only thing it can do is attempt to open the connection and
let the router tell it whether this is okay or not. This doesn't work
so well if the host entirely ignores the unreachables the router sends back.

I do think that if IPv6, or IPv4 for that matter, is broken for you then
a good solution is just to configure the broken protocol off, use the
one that works and just get on with it. That the IPv6 implementation
makes it hard to do this is a problem.

Dennis Ferguson

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Date: Thu, 02 Apr 2015 20:58:01 +0100
From: Roy Marples <***@marples.name>
Message-ID: <***@uberlaptop2.marples.name>

| This is displayed with ping -v as well, so it is hitting userland.
| However, applications are ignoring it.

ICMP messages only "hit userland" for applications using raw sockets,
like ping, the vast majority of applications don't, and I think it way
to much to expect of them just on the off chance an ICMP packet appears
(which they'd have to filter out of all the random other noise that
raw sockets also let through.)

| On NetBSD, using wget on a IPv6 host, such as roy.marples.name, will try
| IPv6 first. It then stalls, ignoring the ICMP unreachable message.

That's arguably correct behaviour. ICMP used (way back in the dark ages)
to kill connections, but that was widely (and correctly) lambasted as totally
broken behaviour - it is perhaps not quite so bad for TCP SYN packets, but
even there leaves the system wide open to DoS attacks (anyone can send an
ICMP packet, they're totally unauthenticated, and unverifiable, if you abandon
the connection on receiving one, you cannot resurrect it later if an answering
SYN+ACK does appear).

It doesn't seem like it would be so bad in the case you're postulating,
where the application has another address it can try, but the kernel doesn't
know that, all it can assume is that if you asked for it to make a
connection to a particular address, that's what it should try and do.

It was (long ago) determined that apart from their use by network engineers
for diagnostics (and hence the output from ping, traceroute, etc) all that
should even be done with a received ICMP unreachable is remember it, to
allow a better error code to be returned to the application if the
connection (or connection attempt) does eventually fail.

If linux is receiving the icmp and using that to abort the connect attempt,
it is, quite simply, broken (and probably even warrants a CERT advisory).

One thing that could be done (but which would mean adapting every application
in existance) would be to invent a "connect to one of addr set" sys call,
where a bunch of addresses (not necessarily all the same AF) could be given,
allowing the kernel to know what the application knows, so it could try
more sophisticated behaviours - including good destination addr selection,
instead of relying on the DNS functions magically returning addresses to
the applications in the "right" order. That could include either multiple
SYNs (perhaps) or quick fallover in the event of an apparent error (without
actually abandoning the initial attempt).

I kind of agree with Greg Troxel, if there's any problem at all on the
NetBSD system, it would be in attempting to send to the global addr from
a LL addr - but even that isn't as clear cut as it seems, the global
addr might be on the local link, in which case the connection should succeed.

I certainly believe your holiday apartment's router is broken though,
advertising itself as a router when it has no routes at all (beyond LL)
is just perverse.

For NetBSD, aside from the unlikely possibility of a magic new connect
syscall, about all you can do when facing a broken router like this, would be
to disable IPv6 (which admittedly right now is harder than it could be.)

Certainly "fixing" it to act (in any way at all) upon the ICMP is not
the right thing to do.

kre


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I don't know what Linux is doing here, I just know that wget (and other
applications) are failing IPv6 early and falling back to IPv4. It could
be some other mechanism other than ICMP for all I know.
I agree on all points.
My knee jerk reaction was the same.
But after contemplating the issue while soaking the sun it's not really
that broken. It's perfectly possible that the router is configured to
request a Prefix Delegation from a upstream DHCP server which has gone
silent. The normal operation of rtadvd(8) is to advertise itself as a
router and any prefixes on the advertising interface - of which there
will be none if Prefix Delegation has failed.
Well, as discussed above, fixing it by not adding a default route if no
global addresses are available isn't a good solution either (and one I
have also considered).

Roy


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Date: Fri, 03 Apr 2015 22:02:23 +0100
From: Roy Marples <***@marples.name>
Message-ID: <***@uberlaptop2.marples.name>

| It's perfectly possible that the router is configured to
| request a Prefix Delegation from a upstream DHCP server which has gone
| silent.

My home router does that - when it gets no IPv6 it advertises no IPv6
(ie: it only sends rtadvd when it has something to advertise). It is
a regular off the shelf commercial product (not the cheapest available
though). It works the way I think it should.

kre


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I can't think of a better way of fixing it though!
And seeing as the current discussion isn't looking like any possible fix
for this is possible in NetBSD I've made dhcpcd skip adding a default
route for routers which advertise themselves as a router but without any
global prefixes. I've also added an option to turn this off and have the
original behavior.

http://roy.marples.name/projects/dhcpcd/ci/6ead1d4962b514e8?sbs=0

Roy


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

There's some notion, on which I am fuzzy, about doing ND for prefixes
not known to be on-link. Sending a LL->global packet to a router seems
odd, because unless the global is on link, it's not going to get a
reply. And it seems bad to forward a packet with a LL source address in
general.
So we probably need two sysctls to disable v4 and v6.

IPv6 routers need to implement source address constrained forwarding
in any case, it is an unavoidable consequence of the general problem
of dealing with address scopes. If you think about what one needs to
do to border-patrol site local source addresses then the LL source address
case falls out as a simpler special case of that. A packet with a site local
source address is forwarded, but only when the outgoing interface is one
of a group (of 1 or more) attached to the same "site" as the incoming
interface; otherwise a code 2 unreachable is sent. A packet with a LL
source address is forwarded, but only when the outgoing interface is the
same as the incoming interface (a group of 1); otherwise a code 2
unreachable is sent.

It sucks to be an IPv6 router.

There are many ways that a host sending packets will end up not getting
replies to those packets, but when a host with only a LL local address
sends something through a router it will usually get a reply. Either
it will get a ND redirect pointing at the MAC address of the thing it wants
to talk to (and also packets from the thing it wants to talk to, hopefully)
or it will get an unreachable error. There's no way to predict which
it will get with certainty without actually sending something.
I actually think this is a symptom of a problem (one of several such) with
how interface configuration is represented. Protocol configuration is
per-interface configuration, so there needs to be a way to indicate which
protocols are enabled for use on each interface. BSD networking has always
tied this to address configuration; a protocol was enabled on the interface
when an address for the protocol is configured on the interface. This was
fine when life was simple, but now is full of warts in pretty much every
case that matters now:

- It doesn't work for forwarding protocols which have no per-interface
address configuration, like 802.1 bridging, so you need a special way
to configure that up not involving address configuration.

- There are cases where you would like IPv4 configured up without addresses.
You don't need IPv4 addresses configured to run IPv4 on point-to-point
links between routers, and you would like to have IPv4 configured up on
an ethernet without addresses so you could send and receive the IPv4 DHCP
packets required to determine the address to configure. Now the former
configuration can't be done while the latter needs the work around
of having dhcpcd using BPF to send and receive raw packets instead (a
sure sign your protocol stack is missing something it should have).

- IPv6 never needs to run without a protocol address since it can
(and should) conjure one up and add it itself, but since that has the
side effect of configuring itself up there now needs to be a special
case way to tell it when you don't want it to do that.

When every protocol needs to work around the configuration representation
it is pretty clear the representation itself is inadequate. Configuring
a protocol address isn't a good way to indicate that you want to enable
the protocol on the interface, that should be done separately.

I prefer dealing directly with the representation problem by splitting
interface structures (and the API those structures support) into a larger
number of components. Addresses shouldn't be added to interfaces, instead
protocol families should be added to interfaces to enable the protocol
and addresses should be added (or not) to the appropriate protocol family
on the interface. Then you would not configure IPv6 on an interface by
not configuring the IPv6 protocol family on the interface, the same way
that you avoid configuring bridging or IPv4.

Dennis Ferguson
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de