[Dnsmasq-discuss] [PATCH v2] DHCPv6: Honor assigning IPv6 address based on MAC address

Pali Rohár pali.rohar at gmail.com
Wed Jul 22 14:44:37 BST 2020


Hello Petr!

On Wednesday 22 July 2020 14:42:16 Petr Menšík wrote:
> More below...
> 
> On 7/22/20 9:40 AM, Pali Rohár wrote:
> > Hello Petr!
> > 
> > On Tuesday 21 July 2020 14:23:51 Petr Menšík wrote:
> >> I think more correct would be using the same DUID on both systems.
> > 
> > Problem is that DUID generation is under control of operating system and
> > during installation of operating system, every one generates its own. It
> > is not under user control (at this stage of setup) or under "hw" control
> > (like for MAC address in IPv4 where operating system read MAC address
> > from HW).
> > 
> > Also this is unsuitable in environment where MAC address should be
> > assigned to network card "by law". Or in environment where must be 1:1
> > mapping between assigned IPv4 and IPv6 address.
> 
> Could you explain a situation, why 1:1 mapping is required? Why 1:4
> mapping would not work?

What do you mean by 1:4 mapping? And why 4? That device would always
have one IPv4 address and randomly chosen IPv6 address from 4 member
set?

This looks like complication. The point of DHCPv6 is that I could assign
one address, not random address from 4 member IPv6 set.

I really do not want to try 4 addresses until I figure out which one is
working. This is insane.

> They are different protocols. IPv6 supports
> multiple addresses from the start. Because they make several maintenance
> actions a lot simpler. Why do you insist there must be only one address?

And why I have to use multiple IPv6 addresses? I want to have service on
specific/chosen IPv6 address. Not random.

> You can use SLAAC for MAC generated addresses and they would be the same
> regardless running OS.

SLAAC cannot be used anymore for this purpose as operating systems do
not use MAC address for generating SLAAC address. Both Windows systems
and NetworkManager systems generate randomized SLAAC address by
default. IIRC Android is doing it too.

> > 
> > If I have to configure every one machine on network and every one
> > operating system on that machine, then I do not have to use DHCPv6 and I
> > would assign all addresses statically.
> > 
> > The point of usage DHCPv6 here is ability to configure network
> > automatically without need to re-configure network stack on operating
> > system.
> It is possible to configure them on network.

Well, as I said, if I had to configure network stack on every IPv6
connected computer and on every operating system on that computer then I
can set static IPv6 address. And do not need to deal with DUIDs and IAIDs.

The point of usage DHCPv6 is to automatize assignment of IPv6 addresses
without need to do configuration of target systems. Like in IPv4 setup.

Moreover, it is not possible to configure DUIDs on every system. E.g.
Intel's PXE implementation burned into PC ROM does not allow to set DUID
or IAID in firmware/setup screen.

> It is not possible to
> ignore conflicting IDs. It would work well if host OS releases assigned
> leases before shutdown.

Some OSes do not do it. Different closed source / burned systems
(including PXE) cannot even be worked around / fixed.

And still this does not work if you disconnected ethernet cable before
doing OS shutdown and connecting it after new bootup.

> If they are still leased, they should not be
> assigned to conflicting ids. Is it possible to make sure they release
> the lease on shutdown/reboot?

In case of network disconnect such thing is not obviously possible.

And expecting that there is no network disconnect during leased IPv6
address is wrong.

Moreover, in static MAC <--> IPv6 setup I expect that IPv6 address is
assigned (leased) to MAC address. Otherwise, what other use case could
be for static MAC <--> IPv6 configuration setup?

> > 
> >> There is already another option to make this working. It is possible
> >> assigning IPv6 prefix or multiple addresses. dhcp-host can provide
> >> multiple addresses to single mac
> > 
> > Assigning IPv6 address based on mac address is broken as I pointed in
> > this patch. So such setup would not work.
> > 
> > Anyway, my point is not to assign multiple addresses to single MAC
> > address, but rather to ensure that for one MAC address would be assigned
> > always only one specific MAC address. And not more.
> But you need dnsmasq to ignore conflicts between addresses. While
> existing solution allows to predefine addresses to static host entry. It
> would always get one of those addresses in case of conflict. It seems
> more elegant and more correct fix to me. You haven't stated why do you
> need just a single address for conflicting DUID.

Just to note that dnsmasq assign address to IAID, not to DUID.

Same problem happens if you even configure *same* DUID on both Windows
and Linux systems on particular computer and one of them does not release
its IAID (e.g. because network disconnect).

Anyway, there cannot be any conflict which you described. MAC addresses
on local network are unique (I do not have DHCPv6 relays).

I did not say that I need single address for conflicting IAID (or
DUID). But rather that I need single address for network card identified
by MAC address.

> There are plenty of IPv6 addresses available. Why does single host need
> exactly one?

Because I need static IPv6 addresses. I do not want to have dynamic
setup. Based on IPv6 addresses is configured firewall and other routing.

> Especially if DNS can be synchronized and contains valid
> records?

This just overcomplicates whole setup. Configuring DNS records and then
from DNS records configure back firewall and routing is overkill.

Moreover this is fragile. If routing or firewall would be configured
incorrectly it may happen that DNS synchronization just fails.

I do not see any benefit why to complicate things just because "IPv6
addresses are many". I do not see anything wrong with a simple setup where
device has one IPv6 address assigned by DHCPv6 server.


Anyway, why I had to use DNS at all? Why should I be forced to use DNS
if I do not need it? I just need to assign predictable IPv6 addresses.

....

But this discussion is now far away from my original patch. I would like
if we continue focusing on the patch as current dnsmasq code for
assigning IPv6 address based on MAC address does not work.

And from dnsmasq documentation users would expect that they can
configure dnsmasq for static DHCPv6 entries based on MAC address...

> >> which works with different DUID quite
> >> well. It still has different addresses, but with the same base.
> >>
> >> taken from manual page:
> >> --dhcp-host=laptop,[1234:50/126]
> >>
> >> Why isn't this sufficient?
> >>
> >> On 5/26/20 10:52 AM, Pali Rohár wrote:
> >>> On Thursday 21 May 2020 16:22:03 Geert Stappers wrote:
> >>>> On Sun, May 03, 2020 at 01:23:15PM +0200, Pali Rohár wrote:
> >>>>> Currently IPv6 addresses are assigned to tuple (IAID, DUID). When system
> >>>>> changes IAID/DUID then old assigned IPv6 address cannot be reused, even
> >>>>> when in config file was DHCPv6 assignment based on MAC address (and not on
> >>>>> DUID).
> >>>>>
> >>>>> IAID/DUID is changed when rebooting from one operating system to another;
> >>>>> or after reinstalling system. In reality it is normal that DUID of some
> >>>>> machine is changed, so people rather assign also IPv6 addresses based on
> >>>>> MAC address.
> >>>>>
> >>>>> So assigning IPv6 based on MAC address in dnsmasq is currently semi-broken
> >>>>
> >>>> How to reproduce that  semi-brokenness?
> >>>
> >>> Take computer with Windows/Linux dual boot systems.
> >>>
> >>> Configure MAC-based static IPv6 entry for that computer in dnsmasq and
> >>> set big enough lease time (e.g. day or more).
> >>>
> >>> Boot computer into Windows and wait until dnsmasq assign it IPv6
> >>> address. It should match MAC-based entry in dnsmasq. Then reboot
> >>> computer into Linux system and again wait until it got assigned IPv6
> >>> address.
> >>>
> >>> Normally it should get again same IPv6 address as it was assigned on
> >>> Windows, due to MAC-based static IPv6 entry in dnsmasq.
> >>>
> >>> But in reality that static entry is ignored by dnsmasq and rather some
> >>> "random" address is assigned.
> >>>
> >>> So assigning IPv6 addresses based on static MAC address in dnsmasq is
> >>> broken.
> >>>
> >>> You can reproduce it not only with Windows/Linux, but with any two
> >>> DHCPv6 clients which use different IAID/DUID. E.g. PXE DHCPv6 client
> >>> (for network booting) and Linux DHCPv6 client.
> >>>
> >>> dnsmasq without this patch refuse to assign MAC-based IPv6 static
> >>> address to computer with that MAC address, if that IPv6 address is still
> >>> leased to DHCPv6 client with different IAID.
> >>>
> >>> In my above example/reproducer, IPv6 address was leased to Windows
> >>> DHCPv6 client and therefore dnsmasq refused to assign it to Linux DHCPv6
> >>> client, which in most cases have different IAID. Even both clients
> >>> (Windows and Linux) are on the same computer with same MAC address,
> >>> which matches MAC address in dnsmasq configuration file.
> >>>
> >>> That is why I called IPv6 address assignment according to MAC address as
> >>> "semi-brokenness".
> >>>
> >>>>  
> >>>>> This patch tries to fix it and honors IPv6 config rules with MAC address,
> >>>>> to always assign particular IPv6 address to specific MAC address (when
> >>>>> configured). And ignores the fact if IAID/DUID was changed.
> >>>>>
> >>>>> Normally IPv6 address should be assigned by IAID/DUID (which also state
> >>>>> DHCPv6 RFCs), but dnsmasq has already some support for assigning IPv6
> >>>>> address based on MAC address, when users configured in config file.
> >>>>>
> >>>>> So this patch just tries to fix above problem for user configuration with
> >>>>> MAC addresses. It does not change assignment based on DUID.
> >>>>> ---
> >>>>>
> >>>>> This is my original patch rebased on top of current git master branch.
> >>>>
> >>>> Acknowledge
> >>>>
> >>>>
> >>>>> Previous email with this patch probably dropped into spambox
> >>>>> and was not processed.
> >>>>
> >>>>  (unspoken words +
> >>>>   http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2020q2/014018.html )
> >>>>
> >>>>
> >>>>> So please let me know if now this email was correctly received.
> >>>>  
> >>>> Received the patch and was able to `git am` it.
> >>>> It did compile and passed the unittests.
> >>>>
> >>>> No further check was done.  Mostly because not facing the problem that
> >>>> patch submitter has.  Probably some day I will, hence the above 'How to
> >>>> reproduce that  semi-brokenness?'
> >>>>
> >>>>
> >>>>>  src/rfc3315.c | 55 +++++++++++++++++++++++++++++++++++++++++++--------
> >>>>>  1 file changed, 47 insertions(+), 8 deletions(-)
> >>>>>
> >>>>> diff --git a/src/rfc3315.c b/src/rfc3315.c
> >>>>> index b3f0a0a..e588b13 100644
> >>>>> --- a/src/rfc3315.c
> >>>>> +++ b/src/rfc3315.c
> >>>>      ... 142 lines of actual patch ...
> >>>>
> >>>>
> >>>> Groeten
> >>>> Geert Stappers
> >>>> -- 
> >>>> Silence is hard to parse
> >>>>
> 
> -- 
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemensik at redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
> 
> 

-- 
Pali Rohár
pali.rohar at gmail.com
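
The lease conflict described in this thread, as a simplified model (an added example, not part of the original message and not dnsmasq source): the address of a static MAC entry is refused while it is still leased to a different (IAID, DUID), and with `honor_mac` set the existing lease is re-bound to the new client instead. The MAC address, DUID strings, addresses and the names `assign` and `honor_mac` are constructed for illustration.

```c
/* Simplified model of the lease behaviour in this thread; not dnsmasq source. */
#include <stdio.h>
#include <string.h>
struct lease { char addr[40], mac[18], duid[32]; unsigned iaid; };

static struct lease table[8];                       /* free slot: addr is "" */
static unsigned pool_next = 0x100;                  /* dynamic pool cursor */
static const char *CFG_MAC  = "00:11:22:33:44:55";  /* constructed static entry: */
static const char *CFG_ADDR = "2001:db8::10";       /* MAC -> IPv6 address */

static struct lease *by_addr(const char *addr) {
    for (int i = 0; i < 8; i++)
        if (strcmp(table[i].addr, addr) == 0) return &table[i];
    return NULL;
}

static struct lease *store(const char *addr, const char *mac,
                           const char *duid, unsigned iaid) {
    struct lease *l = by_addr("");                  /* first free slot */
    if (!l) return NULL;                            /* table full */
    snprintf(l->addr, sizeof l->addr, "%s", addr);
    snprintf(l->mac, sizeof l->mac, "%s", mac);
    snprintf(l->duid, sizeof l->duid, "%s", duid);
    l->iaid = iaid;
    return l;
}

/* honor_mac = 0: an address still leased to another (IAID, DUID) is refused.
   honor_mac = 1: the lease is re-bound when its recorded MAC is the requester's. */
const char *assign(const char *mac, const char *duid, unsigned iaid, int honor_mac) {
    if (strcmp(mac, CFG_MAC) == 0) {
        struct lease *l = by_addr(CFG_ADDR);
        if (!l) l = store(CFG_ADDR, mac, duid, iaid);
        else if (honor_mac && strcmp(l->mac, mac) == 0) {
            snprintf(l->duid, sizeof l->duid, "%s", duid);
            l->iaid = iaid;
        } else if (strcmp(l->duid, duid) != 0 || l->iaid != iaid) l = NULL;
        if (l) return l->addr;
    }
    char dyn[40];                                   /* fall back to the pool */
    snprintf(dyn, sizeof dyn, "2001:db8::%x", pool_next++);
    struct lease *d = store(dyn, mac, duid, iaid);
    return d ? d->addr : NULL;
}

int main(void) {  /* Windows boot, then Linux boot: same MAC, new IAID/DUID */
    printf("%s\n", assign(CFG_MAC, "duid-windows", 1, 0));
    printf("%s\n", assign(CFG_MAC, "duid-linux", 2, 0));
    return 0;
}
```

In the re-bind branch the only identity the model checks is the MAC recorded in the lease, so an address-keyed firewall rule is exactly as strong as the link's control over MAC addresses.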


