IETF Logo Mail Archive

Re: [v6ops] DHCP Option 108 Issue with Mac and iOS devices

Jen Linkova <furry13@gmail.com> Wed, 20 December 2023 14:47 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36D2CC14F61A for <v6ops@ietfa.amsl.com>; Wed, 20 Dec 2023 06:47:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.856
X-Spam-Level:
X-Spam-Status: No, score=-1.856 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NWssC57J1zAx for <v6ops@ietfa.amsl.com>; Wed, 20 Dec 2023 06:47:24 -0800 (PST)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26B6BC14F68B for <v6ops@ietf.org>; Wed, 20 Dec 2023 06:47:08 -0800 (PST)
Received: by mail-lj1-x232.google.com with SMTP id 38308e7fff4ca-2cc690a3712so49062721fa.3 for <v6ops@ietf.org>; Wed, 20 Dec 2023 06:47:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1703083626; x=1703688426; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=gtyX/XeNs0jxJrwzMMZxtRR5hA8l6xHb78mfPu6EqxE=; b=EpfLGA0DSi25QrQqDZm8IhpqbPfRzMbgm7ig7pKcDe9MZa5LnJxpt1odi7THMKaKjT v0ALvHoR7nMJ4pzkMEFNYGn4GB/xGJ/IbU3XYaSwxK1IJJcLUhS61rP4IIuWgz924dJN Zy0bcP2wkdWiXL+NBvc9uk0u4aq7NYbVCPwuJw8MbuMVXNxgwLuCcGwfXFYuStZW+GZk GVX2pck4hBZEn6z8SEcaNl9Q8Eme4y7XqlBdrXeDG3V68RQRCu/D1X5jHcoRnaxQkNjh GPoWtXNNiY9bMMFb7olxD2pAgKJRIC2RaHAT61AEqbrMPGRoFSY0XXcUk9lpI01NQIga Encw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703083626; x=1703688426; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=gtyX/XeNs0jxJrwzMMZxtRR5hA8l6xHb78mfPu6EqxE=; b=XUWLllica/Bh4f2hLM660cUbb/XKU6mCnCAJl592q3t1NwqB1LrMosnKRRWgGZqnNs +S4DOie1/lpb+U7SMxKBFL1UQRuQ4tsjDHpq2l/HhU0dCALbUVkgVe6DB7Vcexj8K4Yx wqTHvcj7ejuMludQtgBYr5Uvy6JC7ieYUzu8RTQWCHFoJxFQ+5RQDy2VxjGZt4Ilkr6G jNbw7RY3OmgNLrS2wOIlTebc09zJO1QB7E26lXWxGEc73dGfpFRsmMqIqr6QmJUOqxHK i1qvoG9lVRRHtshwBgPYsOcqn8CbgDu2R8SI+vgf99FZWZ62p2uj0O+3pKtSyGLk8uO2 3How==
X-Gm-Message-State: AOJu0YwZU6I7IQPCIwOYLzAWSY5Bv/su4PJ5Hj6MCQGizOdD0Bg8iXO3 5HlfBhudcJ8rhOJiBWQpi5iR5Aw6GXuGWnw2FedxT2nqn7Jqzw==
X-Google-Smtp-Source: AGHT+IFt4Z+M5Gq5i2JA4yfBBiTV1MS7HMQQAdHc6sWCkuWYqaik0BGprxbPavHvnp78KtW4AHGg/HhvAPQY9vlInak=
X-Received: by 2002:a2e:8897:0:b0:2cc:6fe2:4ddc with SMTP id k23-20020a2e8897000000b002cc6fe24ddcmr2747887lji.3.1703083625659; Wed, 20 Dec 2023 06:47:05 -0800 (PST)
MIME-Version: 1.0
References: <BL1PR18MB427723EC69CD715FDA7E1CD9ACB0A@BL1PR18MB4277.namprd18.prod.outlook.com> <a13d3deb-e285-4c0a-8fbf-44feab9edd4a@gmail.com> <BL1PR18MB4277BE878F335B8BEC218B21ACB0A@BL1PR18MB4277.namprd18.prod.outlook.com> <e0470656-97d1-425d-a9b2-a5a39bf4fcc2@gmail.com> <BL1PR18MB42779B01A0EFE62142EE19AEACB0A@BL1PR18MB4277.namprd18.prod.outlook.com> <666bdf4a-abdf-9c2c-d6f9-c67907778c3d@gmail.com> <BL1PR18MB4277F8FD1820B111FBA95477ACB0A@BL1PR18MB4277.namprd18.prod.outlook.com> <CAKD1Yr0P_QKGZO_wc4EcuFD=d4pw24se0w-+bfm8Wgns0Ah0Jg@mail.gmail.com> <187BF493-685B-4F8C-B7CF-642EA8166233@delong.com> <27b3ae83-e930-76a8-cdc4-f7098a07ddd7@gmail.com> <ZV2z9WwJKJTxQL0i@Space.Net> <m1r5j1R-0000KXC@stereo.hq.phicoh.net> <CAKD1Yr1tsWbzniGQeu9y_bzoKhBFFg0T=yKfqaXZK05CWA5isw@mail.gmail.com> <687ef65c-2638-6680-98ef-77f17e54ce52@gmail.com> <CAKD1Yr0ks4yy3=Fps6=sy09fttDO0MQp6EJ33x=bbjHv21o7pA@mail.gmail.com> <90daa0f3-0ab8-7e0e-a636-41c4366f48e1@gmail.com> <BL1PR18MB42776C3A23094B3B4B3AB611ACBDA@BL1PR18MB4277.namprd18.prod.outlook.com> <CACMsEX9AeYPPuB8f25TkoDoAXPi4BkjO2vYnRe0oqoyLZPSaAg@mail.gmail.com> <CAN-Dau2hkBPDJV7tdY+HF2M6=eMNAzmhzPNaPJffF0mN_FoDng@mail.gmail.com>
In-Reply-To: <CAN-Dau2hkBPDJV7tdY+HF2M6=eMNAzmhzPNaPJffF0mN_FoDng@mail.gmail.com>
From: Jen Linkova <furry13@gmail.com>
Date: Wed, 20 Dec 2023 15:46:53 +0100
Message-ID: <CAFU7BARswZ58GvHYdVVCH0cj=ErMApwXD8es78Pk-nFkrrC09Q@mail.gmail.com>
To: David Farmer <farmer=40umn.edu@dmarc.ietf.org>
Cc: Nick Buraglio <buraglio@forwardingplane.net>, "v6ops@ietf.org" <v6ops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/KuoqghHp4FXuz9r20EDzv98iq8Q>
Subject: Re: [v6ops] DHCP Option 108 Issue with Mac and iOS devices
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Dec 2023 14:47:28 -0000

Sorry for coming late to the party.. dealing with a month of IETF
mailing lists backlog..

On Mon, Nov 27, 2023 at 8:10 PM David Farmer
<farmer=40umn.edu@dmarc.ietf.org> wrote:
>
> Simply receiving an RA isn’t enough. Receiving a RA is necessary but not quite sufficient, configuring a GUA or ULA, something more than link-local is the threshold that needs to be met, and probably a default route as well. Without these a host is probably better off getting a IPv4 address.
>
> In the case we are discussing, the host had a firewall blocking the RA. However, it is also possible for the RA to be missing critical information needed to configure an address and default route. These are both misconfigurations, but without DHCP option 108, IPv4 would have likely worked.

I think it all comes to a fundamental definition of "IPv6-only capable
host" - and Option 108 is supposed to be sent by such hosts.
What it means is outside of scope for RFC8925 - it's more in scope of
"Deploying Ipv6-mostly networks" draft I'm writing (as was suggested
at IETF118).

Administrators which block IPv6 on endpoints effectively disable
IPv6-only capability on those devices. So they shall also disable
Option 108.
It's a case of misconfigured hosts. Let's say I have an IPv6-only
enterprise network and disable IPv4 on laptops - to increase security.


> On Mon, Nov 27, 2023 at 12:38 Nick Buraglio <buraglio@forwardingplane.net> wrote:
>>
>> Mine were similar, as I sent in a prior email:
>> 1. Host listens for an RA. If RA received and a default route is installed, implement 108 and disable IPv4
>> 2. If no RA is received, request IPv4 lease.
>>
>> The trick is the timing. If a host operates correctly it should perform a RS on link, if it does not receive a RA in a few seconds, then it probably has some limit or problem that disabling IPv4 would expose. Again, this is in a failure state of the IPv6 network - so by definition if this is occurring there is a problem that needs to be addressed. Perhaps a very slight delay of a few seconds (3?) is not necessarily a *bad* thing.
>> The grey failure that this covers is very real but difficult to diagnose, ironically, on systems that do 108 correctly. On systems that do not do 108 it is largely a non-issue because IPv4 papers over the problem.
>>
>> Stretch goal - if the host has a delayed RA but *can* do 108, it could potentially just delay the disablement until an address and default route are configured.
>>
>> On Mon, Nov 27, 2023 at 8:14 AM Jeremy Duncan <jduncan@tachyondynamics.com> wrote:
>>>
>>> The simplest idea is always the best here...
>>>
>>> I have 2 ideas:
>>> 1. if the v6 side receives an RA, and the host configures an address - either with DHCPv6 or with SLAAC
>>> or
>>> 2. use the S-flag in the RA as that signaling that IPv6 is indeed expected in this network
>>>
>>>
>>> Jeremy
>>>
>>>
>>> -----Original Message-----
>>> From: v6ops <v6ops-bounces@ietf.org> On Behalf Of Brian E Carpenter
>>> Sent: Thursday, November 23, 2023 11:39 PM
>>> To: Lorenzo Colitti <lorenzo@google.com>
>>> Cc: v6ops@ietf.org
>>> Subject: Re: [v6ops] DHCP Option 108 Issue with Mac and iOS devices
>>>
>>> On 24-Nov-23 17:21, Lorenzo Colitti wrote:
>>> > Well, do we have an idea of what such a "relatively simple" health check would do?
>>>
>>> Pass, I'll leave that one for Nick and Jeremy.
>>>
>>>     Brian
>>>
>>> >
>>> > On Fri, Nov 24, 2023 at 1:20 PM Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>>> >
>>> >     On 24-Nov-23 16:28, Lorenzo Colitti wrote:
>>> >      > As someone with real experience writing and maintaining network health checking code, I would strongly dispute the assertion that health checks aren't hard. :-)
>>> >
>>> >     In the general case, I'm sure you're right. I would think that for this specific case, it could be kept relatively simple. I could be wrong, of course.
>>> >
>>> >          Brian
>>> >
>>> >
>>> >      > The Android implementation <https://cs.android.com/android/platform/superproject/main/+/main:packages/modules/NetworkStack/src/com/android/server/connectivity/NetworkMonitor.java <https://cs.android.com/android/platform/superproject/main/+/main:packages/modules/NetworkStack/src/com/android/server/connectivity/NetworkMonitor.java>> is almost 5000 lines of code once you count utility classes.
>>> >      >
>>> >      > Part of the problem is that there can be many different failure modes because the host cannot know what the network supports.  For example, let's say that we specify a health check using ping. What if the network drops all ping packets for "security" reasons? Should the check fail? So then maybe we should use something else, HTTP perhaps? But to whose server? How do we distinguish a server problem from a health check failure? And so on and so forth.
>>> >      >
>>> >      > 6rd was able to define a very robust health check mechanism that loops the packet back to the host itself. See https://datatracker.ietf.org/doc/html/rfc5969#section-8 <https://datatracker.ietf.org/doc/html/rfc5969#section-8> <https://datatracker.ietf.org/doc/html/rfc5969#section-8 <https://datatracker.ietf.org/doc/html/rfc5969#section-8>> . That works well, but I think it was only possible it was a greenfield deployment. I don't think we can do the same type of thing with NAT64 because deployed NAT64s might not support hairpinning, or ping, or... well, anything other than forwarding traffic to external IPv4 addresses.
>>> >      > On Wed, Nov 22, 2023 at 5:56 PM Philip Homburg <pch-v6ops-12@u-1.phicoh.com <mailto:pch-v6ops-12@u-1.phicoh.com> <mailto:pch-v6ops-12@u-1.phicoh.com <mailto:pch-v6ops-12@u-1.phicoh.com>>> wrote:
>>> >      >
>>> >      >     If DHCP returns an option 108 then the hosts starts a connectivity check. If
>>> >      >     the check fails, then the host retries DHCP without option 108.
>>> >      >
>>> >      >     This results in a small delay if both the host and the network think they are
>>> >      >     supporting IPv6-mostly, but something is broken.
>>> >      >
>>> >      >     Obviously, this approach does mask that something is broken. Though it should
>>> >      >     be visible from the DHCP logs where a host first tries with option 108 and
>>> >      >     then without.
>>> >      >
>>> >      >     _______________________________________________
>>> >      >     v6ops mailing list
>>> >      > v6ops@ietf.org <mailto:v6ops@ietf.org> <mailto:v6ops@ietf.org <mailto:v6ops@ietf.org>>
>>> >      > https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops> <https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>>
>>> >      >
>>> >      >
>>> >      > _______________________________________________
>>> >      > v6ops mailing list
>>> >      > v6ops@ietf.org <mailto:v6ops@ietf.org>
>>> >      > https://www.ietf.org/mailman/listinfo/v6ops <https://www.ietf.org/mailman/listinfo/v6ops>
>>> >
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops



-- 
Cheers, Jen Linkova

v2.23.0 | Report a Bug | By Email