Re: [v6ops] DHCP Option 108 Issue with Mac and iOS devices

Jeremy Duncan <jduncan@tachyondynamics.com> Wed, 15 November 2023 23:11 UTC

From: Jeremy Duncan <jduncan@tachyondynamics.com>
To: Ted Lemon <mellon@fugue.com>, Nick Buraglio <buraglio@forwardingplane.net>
CC: v6ops <v6ops@ietf.org>
Date: Wed, 15 Nov 2023 23:11:23 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/0XSw-YYgNWu52jkLBvkA-g1raLU>
Subject: Re: [v6ops] DHCP Option 108 Issue with Mac and iOS devices

Ted, in most cases it was blocking ICMPv6 inbound. And these were enterprise managed Mac systems that we dealt with. So any number of 3rd party apps could trigger these block rules.


Semper Fi,
Jeremy Duncan
Sent from my cell
________________________________
From: Ted Lemon <mellon@fugue.com>
Sent: Wednesday, November 15, 2023 5:57:38 PM
To: Nick Buraglio <buraglio@forwardingplane.net>
Cc: Jeremy Duncan <jduncan@tachyondynamics.com>; v6ops <v6ops@ietf.org>
Subject: Re: [v6ops] DHCP Option 108 Issue with Mac and iOS devices

OK, but what actually installed the PF rules? Was this set up in System Settings? Looking at my System Settings app I don't see a way to turn off IPv6, so this seems like it had to have been done by a third-party app. The reason I'm asking about this is that figuring out that the app is blocking IPv6 then becomes rather difficult—I don't know how we'd do it automatically. I mean, I can /imagine/ writing some kind of pf rule analyzer that figures this out, or just probing to see what is going on, but it's non-trivial.

On Wed, Nov 15, 2023 at 5:47 PM Nick Buraglio <buraglio@forwardingplane.net> wrote:
It was the pf based native firewall. We were able to see the rules with normal pf commands.

On Wed, Nov 15, 2023 at 4:46 PM Ted Lemon <mellon@fugue.com> wrote:
Sure. And then the next question is, was the firewall part of the operating system, or some kind of third-party add-on?

On Wed, Nov 15, 2023 at 5:37 PM Jeremy Duncan <jduncan@tachyondynamics.com> wrote:

Yes, and it’s not as surprising as you would think for enterprise host-based security systems.





0101001101100101011011010111000001100101011100100100011001101001

Jeremy Duncan
IPv6 Architect, Managing Partner
Tachyon Dynamics, Inc
Phone: (703) 259-8550 x 103
Fax: (703) 259-8548

https://www.tachyondynamics.com



From: Ted Lemon <mellon@fugue.com>
Sent: Wednesday, November 15, 2023 5:35 PM
To: Jeremy Duncan <jduncan@tachyondynamics.com>
Cc: v6ops <v6ops@ietf.org>
Subject: Re: [v6ops] DHCP Option 108 Issue with Mac and iOS devices



Do you mean that people came to the conference with devices that had internal firewalls that blocked ipv6?



On Wed, 15 Nov 2023 at 17:26, Jeremy Duncan <jduncan@tachyondynamics.com> wrote:

Hi v6ops-



Nick and I were involved with the Supercomputing Conference this year and part of the decision was to provide a real-world network to experiment with IPv6 transition technologies in an IPv6-only state. So a part of the wireless network was configured with an IPv4 DHCP scope with Option 108 with a value of 3600. The IPv6 part was configured with IPv6 SLAAC only with RADNS options pointing to a DNS64 resolver that mapped to the 64:ff9b::/96 scope - where the intermediate upstream device has NAT64 functional.



As we expected, most Android and all later version Mac/iOS systems performed as expected:

  *   IPv4 DHCP request for option 108
  *   Response with 108, 3600
  *   Disable IPv4 functionality on the wireless NIC
  *   Spin up the CLAT/464XLAT functionality
  *   Happy IPv6-only-ing



Well, with one exception: organizations that provided misconfigured firewall rules (blocking all ICMPv6/IPv6) or disabling of the IPv6 stack entirely.



In this specific use case, the iOS/Mac would do exactly as instructed by the DHCP server, it would disable IPv4 and spin up its CLAT/464XLAT – but without any verification that IPv6 is functional before doing so.



As you are probably aware, this resulted in a total endpoint denial of service as it has a non-functional IPv6 stack, but the IPv4 stack (network) did not have the awareness of any issues therefore disabled IPv4 functionality.



The question for the v6ops group – is there something we can do to tighten up any kind of RFC that will require IPv6 stack capabilities and functionality?








_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
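
Ted's message above mentions a pf rule analyzer as one way to notice that host firewall rules are blocking IPv6. The sketch below is an added example of that idea, not code from anyone in the thread: it applies pf's last-match and `quick` semantics to `pfctl -sr`-style lines and reports which inbound ICMPv6 types an IPv6-only host depends on would be dropped. The rulesets are constructed, and ignoring interface and address constraints is a simplifying assumption.

```python
# Added illustration: a simplified pf evaluator, not a full pf.conf parser.
# Assumes `pfctl -sr`-style lines (lists already expanded); interface and
# address constraints are ignored, so it can over-report blocks.
ICMP6 = {"ipv6-icmp", "icmp6"}
# Inbound ICMPv6 an IPv6-only host needs: RAs for SLAAC, NS/NA, Packet Too Big.
ESSENTIAL = ["routeradv", "neighbrsol", "neighbradv", "toobig"]

def parse_rule(line):
    tok = line.split()
    if not tok or tok[0] not in ("block", "pass"):
        return None  # anchors, scrub rules, comments, blank lines
    def after(word):
        return tok[tok.index(word) + 1] if word in tok[:-1] else None
    return {"action": tok[0], "quick": "quick" in tok, "text": line.strip(),
            "dir": "in" if "in" in tok else "out" if "out" in tok else None,
            "af": "inet6" if "inet6" in tok else "inet" if "inet" in tok else None,
            "proto": after("proto"), "icmp6_type": after("icmp6-type")}

def matches(rule, icmp6_type):
    """Does the rule match an inbound ICMPv6 packet of the given type?"""
    return (rule["dir"] in (None, "in")
            and rule["af"] in (None, "inet6")
            and (rule["proto"] is None or rule["proto"] in ICMP6)
            and rule["icmp6_type"] in (None, icmp6_type))

def verdict(ruleset, icmp6_type):
    """pf semantics: last matching rule wins, `quick` stops evaluation."""
    decision = ("pass", "implicit default")
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if rule and matches(rule, icmp6_type):
            decision = (rule["action"], rule["text"])
            if rule["quick"]:
                break
    return decision

def blocked_essentials(ruleset):
    """Map each essential ICMPv6 type that ends up blocked to the deciding rule."""
    out = {}
    for t in ESSENTIAL:
        action, rule_text = verdict(ruleset, t)
        if action == "block":
            out[t] = rule_text
    return out

# Constructed rulesets, not taken from the thread.
QUICK_BLOCK = """block drop in quick inet6 all
pass in inet6 proto ipv6-icmp all icmp6-type routeradv keep state"""
LAST_MATCH = """block drop in all
pass in inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv keep state"""
```

In `QUICK_BLOCK` the later pass rule never takes effect because the `quick` block ends evaluation first; in `LAST_MATCH` Router Advertisements get through but Neighbor Solicitation and Packet Too Big do not.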
