[Dnsmasq-discuss] DHCPv6 without DNS (Was: Re: [PATCH v2] DHCPv6: Honor assigning IPv6 address based on MAC address)

Pali Rohár pali.rohar at gmail.com
Thu Jul 23 09:21:58 BST 2020


On Wednesday 22 July 2020 23:48:19 Petr Menšík wrote:
> On 7/22/20 3:44 PM, Pali Rohár wrote:
> > Hello Petr!
> > 
> > On Wednesday 22 July 2020 14:42:16 Petr Menšík wrote:
> >> More below...
> >>
> >> On 7/22/20 9:40 AM, Pali Rohár wrote:
> >>> Hello Petr!
> >>>
> >>> On Tuesday 21 July 2020 14:23:51 Petr Menšík wrote:
> > >>>> I think it would be more correct to use the same DUID on both systems.
> >>>
> > >>> The problem is that DUID generation is under the control of the operating
> > >>> system, and during installation of the operating system every one generates
> > >>> its own. It is not under user control (at this stage of setup) or under "hw"
> > >>> control (as with the MAC address in IPv4, where the operating system reads
> > >>> the MAC address from HW).
> > >>>
> > >>> Also this is unsuitable in an environment where the MAC address should be
> > >>> assigned to the network card "by law". Or in an environment where there must
> > >>> be a 1:1 mapping between the assigned IPv4 and IPv6 addresses.
> >>
> > >> Could you explain a situation where a 1:1 mapping is required? Why would
> > >> a 1:4 mapping not work?
> > 
> > > What do you mean by a 1:4 mapping? And why 4? That device would always
> > > have one IPv4 address and a randomly chosen IPv6 address from a 4-member
> > > set?
> Because it would likely be enough for a normal host, even if it uses PXE
> on boot. Yes, it would always have one from those 4.

This is again fragile. It expects that there would not be more than 4
OS installations on the same host.

> > This looks like a complication. The point of DHCPv6 is that I could assign
> > one address, not a random address from a 4-member IPv6 set.
> One from a predefined set is not a random address.

So in the end, in the worst case I need to set N addresses. So the result
is the same as random.

> > I really do not want to try 4 addresses until I figure out which one is
> > working. This is insane.
> Are you typing IPv6 addresses? How? What commands use them? Try DNS.

Thank you, but this is about DHCPv6. I'm starting to feel like I'm in a
marketplace where I'm getting tons of products I did not ask for.

> It
> has support for multiple addresses on a single name. Sane software would
> try all of them until it succeeds.

We are not in an ideal world where all software is sane, free of bugs and
works like a charm.

> >> They are different protocols. IPv6 supports
> >> multiple addresses from the start. Because they make several maintenance
> >> actions a lot simpler. Why do you insist there must be only one address?
> > 
> > And why do I have to use multiple IPv6 addresses? I want to have a service
> > on a specific/chosen IPv6 address. Not a random one.
> How often do your machines change the running operating system, with an
> IAID change? Excluding changes during netboot.

Randomly. If I take e.g. a home local network, then every reboot of a
Windows machine disconnected from the network can generate a new IAID.

No, I do not want to debug Windows bugs.

> >> You can use SLAAC for MAC-generated addresses and they would be the same
> >> regardless of the running OS.
> > 
> > SLAAC cannot be used anymore for this purpose, as operating systems do
> > not use the MAC address for generating the SLAAC address. Both Windows
> > systems and NetworkManager systems generate randomized SLAAC addresses by
> > default. IIRC Android is doing it too.
> Good. Maybe there is a reason behind it.

The reason is privacy: not exposing the MAC address to the world. If the MAC
address is directly included in the IPv6 address, then servers can track
computers when they connect from different networks.

But if the IPv6 address does not contain the MAC address, then it is OK. And
that is a reason to use DHCPv6, where the admin should have control over how
the IPv6 address is assigned.

> If you used the hardware address to
> identify them instead of a manually reserved IP address, it would work
> with them too.
> > 
> >>>
> > >>> If I have to configure every single machine on the network and every single
> > >>> operating system on that machine, then I do not have to use DHCPv6 and I
> > >>> would assign all addresses statically.
> > >>>
> > >>> The point of using DHCPv6 here is the ability to configure the network
> > >>> automatically without needing to re-configure the network stack on the
> > >>> operating system.
> >> It is possible to configure them on the network.
> > 
> > Well, as I said, if I had to configure the network stack on every IPv6
> > connected computer and on every operating system on that computer, then I
> > could set a static IPv6 address. And not need to deal with DUIDs and IAIDs.
> > 
> > The point of using DHCPv6 is to automate the assignment of IPv6 addresses
> > without needing to configure the target systems. Like in an IPv4 setup.
> > 
> > Moreover, it is not possible to configure DUIDs on every system. E.g.
> > Intel's PXE implementation burned into the PC ROM does not allow setting
> > the DUID or IAID in the firmware/setup screen.
> > 
> >>  It is not possible to
> >> ignore conflicting IDs. It would work well if the host OS released assigned
> >> leases before shutdown.
> > 
> > Some OSes do not do it. Various closed-source / burned-in systems
> > (including PXE) cannot even be worked around / fixed.
> OpenStack requested support for multiple IPv6 addresses for one MAC address.
> It got merged because it allows solving exactly this use case without
> conflicting with existing protocols. Unlike your proposal.
> 
> And its use case included PXE boot. May I ask why PXE boot requires a
> static IP address?

Every, every piece of software which defines rules for different hosts or
applications does it based on IP address. And a lot of software has the
mapping IP address = one host.

May I ask why you are forcing me to use more IP addresses for one
machine? As I explained several times, I do not want to have more IP
addresses for one machine.

> Why it needs the same address as the OS later? Is it
> even important? Why?
> > 
> > And still this does not work if you disconnect the Ethernet cable before
> > doing the OS shutdown and connect it after the new bootup.
> > 
> >>  If they are still leased, they should not be
> >> assigned to conflicting ids. Is it possible to make sure they release
> >> the lease on shutdown/reboot?
> > 
> > In case of a network disconnect such a thing is obviously not possible.
> > 
> > And expecting that there is no network disconnect while the IPv6
> > address is leased is wrong.
> > Moreover, in a static MAC <--> IPv6 setup I expect that the IPv6 address is
> > assigned (leased) to the MAC address. Otherwise, what other use case could
> > there be for a static MAC <--> IPv6 configuration?
> It works, but only if there is not already an active lease.

... so in reality it does not work.

> > 
> >>>
> > >>>> There is already another option to make this work. It is possible
> > >>>> to assign an IPv6 prefix or multiple addresses. dhcp-host can provide
> > >>>> multiple addresses to a single MAC.
> > >>>
> > >>> Assigning an IPv6 address based on MAC address is broken, as I pointed
> > >>> out in this patch. So such a setup would not work.
> > >>>
> > >>> Anyway, my point is not to assign multiple addresses to a single MAC
> > >>> address, but rather to ensure that for one MAC address always only one
> > >>> specific IPv6 address would be assigned. And not more.
> >> But you need dnsmasq to ignore conflicts between addresses. While the
> >> existing solution allows predefining addresses for a static host entry. It
> >> would always get one of those addresses in case of conflict. It seems a
> >> more elegant and more correct fix to me. You haven't stated why you
> >> need just a single address for a conflicting DUID.
> > 
> > Just to note that dnsmasq assigns the address to the IAID, not to the DUID.
> > 
> > The same problem happens even if you configure the *same* DUID on both the
> > Windows and Linux systems on a particular computer and one of them does not
> > release its IAID (e.g. because of a network disconnect).
> > 
> > Anyway, there cannot be any conflict like the one you described. MAC
> > addresses on the local network are unique (I do not have DHCPv6 relays).
> > 
> > I did not say that I need a single address for a conflicting IAID (or
> > DUID), but rather that I need a single address for the network card
> > identified by its MAC address.
> > 
> >> There are plenty of IPv6 addresses available. Why does a single host need
> >> exactly one?
> > 
> > Because I need static IPv6 addresses. I do not want to have a dynamic
> > setup. The firewall and other routing are configured based on IPv6 addresses.
> > 
> >> Especially if DNS can be synchronized and contains valid
> >> records?
> > 
> > This just overcomplicates the whole setup. Configuring DNS records and then
> > configuring the firewall and routing back from the DNS records is overkill.
> Did you know dnsmasq already adds dhcp hosts to its DNS without any
> configuration?

I know. But the DNS forwarder is not used on all instances of dnsmasq. So
this solution again does not work, and as I said, I do not want to have
DHCPv6 bound to DNS.

> It is not easy to cooperate with larger DNS servers, but
> it is possible.

So you already realized that this is a complicated setup.

Again, why complicate things if it can be done more easily and
simply?

> > 
> > Moreover this is fragile. If routing or the firewall were configured
> > incorrectly, it may happen that DNS synchronization just fails.
> Do you have a firewall? Why don't you instead make rules based on the
> hardware address and forget about matching MAC<->IPv6?

Please do not suggest foolish, complicated ideas to me.

I know how to configure it and I also know the drawbacks of this solution.

May I ask, have you ever configured a larger or smaller network setup?
Because I cannot imagine that somebody would come up with the idea to use
iptables not for IP addresses but rather for MAC addresses (or in
combination with ebtables). In all cases I saw, such a setup was just a
workaround for buggy hosts or applications.

> Just allow any random address with an allowed MAC.

This would then completely break DHCP snooping / screening on switches.

> It would protect you against static
> IPs, which DHCP cannot. As a bonus, you would have just one rule for
> both IPv4 and IPv6 without a change.
> 
> It might require more work than you are used to on IPv4, but I think the
> final solution would be much better.

Have you ever heard about those DHCP snooping techniques on switches?
Seems not; otherwise you would not suggest such nonsensical ideas to me,
completely incompatible with a standard network setup.

> > Anyway, why do I have to use DNS at all? Why should I be forced to use DNS
> > if I do not need it? I just need to assign predictable IPv6 addresses.
> Because IPv6 addresses are even longer than IPv4 ones and you should never
> need to type them. Just assign and use names instead.

So, do it for your networks, but in my setup I want to have the network
working also without DNS. I do not see any reason why a *local* network
must not work without DNS. And just because you have problems with longer
IPv6 addresses, it does not mean that other people have them too.

-- 
Pali Rohár
pali.rohar at gmail.com
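The identification problem argued over in this thread (an IPv6 address is bound to a (DUID, IAID) pair that each OS or firmware on the same NIC picks for itself, so a reservation keyed by MAC address only works when the server can learn that MAC from somewhere) is easier to see in the wire format than in prose. The following is an added illustration, not dnsmasq code and not something either participant posted: it encodes and decodes minimal DHCPv6 Solicit messages per RFC 8415, extracts the link-layer address from DUID-LLT / DUID-LL client identifiers (the only DUID types that carry one), reads the RFC 6939 client link-layer address option a relay can add, and then shows that one constructed NIC booting four environments ends up with four distinct lease keys. The MAC, DUID contents, IAIDs and the "linux/windows/pxe/appliance" labels are all invented for the example; the example does not model dnsmasq's own lease table or any neighbour-table lookup for directly connected clients.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

# Registered values from RFC 8415 (DHCPv6) and RFC 6939 (relay option 79).
MSG_SOLICIT, OPT_CLIENTID, OPT_IA_NA, OPT_CLIENT_LINKLAYER_ADDR = 1, 1, 3, 79
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HWTYPE_ETHERNET = 1

def encode_option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data

def duid_llt(mac: bytes, time: int) -> bytes:  # type | hwtype | time | MAC
    return struct.pack("!HHI", DUID_LLT, HWTYPE_ETHERNET, time) + mac

def duid_ll(mac: bytes) -> bytes:  # type | hwtype | MAC
    return struct.pack("!HH", DUID_LL, HWTYPE_ETHERNET) + mac

def duid_en(enterprise: int, ident: bytes) -> bytes:  # type | enterprise | opaque id, no MAC
    return struct.pack("!HI", DUID_EN, enterprise) + ident

def build_solicit(duid: bytes, iaid: int, relay_mac: Optional[bytes] = None) -> bytes:
    """Minimal Solicit: msg-type, 24-bit xid, Client ID, one IA_NA, optional option 79."""
    msg = bytes([MSG_SOLICIT]) + b"\x12\x34\x56"
    msg += encode_option(OPT_CLIENTID, duid)
    msg += encode_option(OPT_IA_NA, struct.pack("!III", iaid, 0, 0))  # IAID, T1, T2
    if relay_mac is not None:  # what an RFC 6939 relay inserts before forwarding
        msg += encode_option(OPT_CLIENT_LINKLAYER_ADDR,
                             struct.pack("!H", HWTYPE_ETHERNET) + relay_mac)
    return msg

def parse_options(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a DHCPv6 option list; refuse truncated or overrunning options."""
    opts, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d overruns message" % code)
        opts.append((code, buf[off:off + length]))
        off += length
    return opts

def mac_from_duid(duid: bytes) -> Optional[bytes]:
    """Ethernet address carried by a DUID-LLT or DUID-LL; None for any other type."""
    if len(duid) < 4:
        raise ValueError("DUID too short")
    dtype, hwtype = struct.unpack_from("!HH", duid)
    if dtype == DUID_LLT and hwtype == HWTYPE_ETHERNET and len(duid) == 14:
        return duid[8:]
    if dtype == DUID_LL and hwtype == HWTYPE_ETHERNET and len(duid) == 10:
        return duid[4:]
    return None  # DUID-EN / DUID-UUID carry no hardware address at all

class ClientIdentity(NamedTuple):
    duid: bytes
    iaids: List[int]
    duid_mac: Optional[bytes]   # MAC inside the DUID, if its type carries one
    relay_mac: Optional[bytes]  # MAC from option 79, if a relay inserted it

def parse_solicit(msg: bytes) -> ClientIdentity:
    if len(msg) < 4 or msg[0] != MSG_SOLICIT:
        raise ValueError("not a Solicit")
    duid, iaids, relay_mac = None, [], None
    for code, data in parse_options(msg[4:]):
        if code == OPT_CLIENTID:
            duid = data
        elif code == OPT_IA_NA:
            if len(data) < 12:
                raise ValueError("short IA_NA")
            iaids.append(struct.unpack_from("!I", data)[0])
        elif code == OPT_CLIENT_LINKLAYER_ADDR and len(data) >= 2:
            if struct.unpack_from("!H", data)[0] == HWTYPE_ETHERNET:
                relay_mac = data[2:]
    if duid is None or not iaids:
        raise ValueError("Solicit lacks Client ID or IA_NA")
    return ClientIdentity(duid, iaids, mac_from_duid(duid), relay_mac)

# Constructed sample: one NIC (made-up MAC) booting four environments that
# each choose their own DUID and IAID.  All DUID contents are invented.
MAC = bytes.fromhex("001122334455")
SOLICITS = {
    "linux":     build_solicit(duid_llt(MAC, 0x2B1C0000), iaid=0x00000001),
    "windows":   build_solicit(duid_llt(MAC, 0x2B1D5A3C), iaid=0x0D000001),
    "pxe":       build_solicit(duid_ll(MAC), iaid=0),
    "appliance": build_solicit(duid_en(99999, b"\x01\x02\x03\x04"), iaid=1, relay_mac=MAC),
}

def classify(solicits: dict) -> dict:
    """Per environment: the (DUID, IAID) lease keys a server would bind addresses to,
    and the MAC it could learn from the message itself (DUID or option 79)."""
    out = {}
    for name, raw in solicits.items():
        ident = parse_solicit(raw)
        out[name] = {"lease_keys": [(ident.duid, iaid) for iaid in ident.iaids],
                     "mac_visible": ident.duid_mac or ident.relay_mac}
    return out

def leases_for_one_nic(solicits: dict) -> int:
    """How many distinct leases the same physical NIC ends up holding."""
    return len({k for info in classify(solicits).values() for k in info["lease_keys"]})
```

Running `classify(SOLICITS)` shows the two halves of the argument side by side: every environment presents a different (DUID, IAID) key, so a server that keys leases on those pairs holds four leases for one NIC, and `leases_for_one_nic(SOLICITS)` returns 4; at the same time the MAC is recoverable from the message only for the DUID-LLT/DUID-LL clients or where a relay added option 79, which is why the "appliance" entry carries the relay option. The length checks in `parse_options` matter because a DHCPv6 server parses whatever any host on the link sends it.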
