[Dnsmasq-discuss] Don't reply to requests for DHCPv6 addresses when M flag is off

Simon Kelley simon at thekelleys.org.uk
Sun Apr 19 21:21:20 BST 2015



My feeling is that this is a better solution, and I'm inclined to
apply the patch. Does anyone know what caused openWRT to revert the
patch?


Cheers,

Simon.



On 17/04/15 12:51, Vladislav Grishenko wrote:
> Hi,
> 
> Per RFC 3315 17.2.1 the server MAY discard the Solicit message, but
> per 17.2.2, if the server will not assign any addresses to any IAs
> in a subsequent Request from the client, the server MUST send an
> Advertise message to client. Also, per RFC 2219 MAY is truly
> optional item, and MUST be prepared to interoperate with another
> inverse option existence implementation. So, interpreting that
> dnsmasq may not respond at all in stateless mode into RFC 3315
> 17.2.1 seems a bit farfetched.
> 
> In real world, absence of Advertise message with NoAddrsAvail
> Status Code may lead to client misbehavior and prevent it from
> fallback to DHCPv6 Stateless mode, because RFC 3315 doesn't state
> any non-zero MRC & MRD non-zero values by default for Solicit
> messages transmission. Example of such client is
> https://github.com/sbyx/odhcp6c Also, openwrt has already reverted
> this change, refer 
> https://dev.openwrt.org/browser/trunk/package/network/services/dnsmasq/patches/200-fix-dhcpv6-solicit-handling.patch
> 
> Since the original issue was in log flooding, log error only for
> non-stateless contexts and treat it as false-positive error if
> it's expected due to the configuration. Please refer patch attached.
> 
> Best Regards, Vladislav Grishenko
> 
>> -----Original Message-----
>> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-bounces at lists.thekelleys.org.uk] On Behalf Of Simon Kelley
>> Sent: Thursday, January 22, 2015 2:02 AM
>> To: dnsmasq-discuss at lists.thekelleys.org.uk
>> Subject: Re: [Dnsmasq-discuss] Don't reply to requests for DHCPv6 addresses when M flag is off
>>
> My first reaction to this was to apply it, but then I went and
> looked at RFC3315, and found this:
> 
> If the server will not assign any addresses to any IAs in a 
> subsequent Request from the client, the server MUST send an
> Advertise message to the client that includes only a Status Code
> option with code NoAddrsAvail and a status message for the user, a
> Server Identifier option with the server's DUID, and a Client
> Identifier option with the client's DUID.
> 
> Which seems to indicate that the patch would violate the RFC.
> 
> But then I looked some more, and found this:
> 
> 17.2.1. Receipt of Solicit Messages
> 
> 
> The server determines the information about the client and its 
> location as described in section 11 and checks its administrative 
> policy about responding to the client.  If the server is not 
> permitted to respond to the client, the server discards the
> Solicit message.  For example, if the administrative policy for the
> server is that it may only respond to a client that is willing to
> accept a Reconfigure message, if the client indicates with a
> Reconfigure Accept option in the Solicit message that it will not
> accept a Reconfigure message, the servers discard the Solicit
> message.
> 
> 
> So I think we can define "DHCPv6 address allocation not configured"
> as administrative policy and choose to discard the solicit message in
> this case.
> 
> Patch applied, with some style changes, thanks.
> 
> 
> Cheers,
> 
> Simon.
>
> On 19/01/15 21:30, Win King Wan wrote:
>>>> Hi,
>>>> 
>>>> In https://github.com/RMerl/asuswrt-merlin/pull/854 I patched
>>>> the dnsmasq version of my router's firmware to not send out
>>>> replies to DHCPv6 queries when dhcp-range mode is
>>>> ra-stateless.
>>>> 
>>>> Even though the M flag is off in the router advertisement,
>>>> Windows 8 (and newer) clients will still request an address
>>>> via DHCPv6. When it receives a reply that no addresses are
>>>> available, it tries a few more times before giving up for
>>>> several minutes. After several minutes however it retries.
>>>> This causes the syslog to be filled up with noise stating
>>>> that there are no DHCPv6 addresses available for a specific
>>>> MAC address. (--quiet-dhcp6 does not help much as the "no
>>>> addresses available" message is always logged.)
>>>> 
>>>> My change basically stops dnsmasq from sending this reply.
>>>> Since the O flag is on, Windows 8 will try to get other
>>>> information from the DHCPv6 server if it does not get a
>>>> reply for its initial request for an address (which seems to
>>>> still work, as it is able to get the IPv6 DNS server).
>>>> 
>>>> After running Wireshark for quite some time, it appears that
>>>> Windows 8 will not send out subsequent requests for an IPv6
>>>> address to the DHCPv6 server (after my patch), at least not
>>>> within several minutes.
>>>> 
>>>> I have included the patch for completeness' sake. Would it be
>>>> possible to apply it? Or perhaps there is a better or more
>>>> elegant solution to this problem?
>>>> 
>>>> diff --git a/src/rfc3315.c b/src/rfc3315.c index
>>>> ddb390b..1f3646a 100644 --- a/src/rfc3315.c +++
>>>> b/src/rfc3315.c @@ -824,6 +824,19 @@ static int
>>>> dhcp6_no_relay(struct state *state, int msg_type, void 
>>>> *inbuff, size_ } else { +	    int all_stateless = 1; +
>>>> for (c = state->context; c; c = c->current) +		if (!(c->flags
>>>> & CONTEXT_RA_STATELESS)) +		  { +		    all_stateless =
>> 0; +
>>>> break; +		 } +	    if (all_stateless) +		/*
>> Windows 8
> always
>>>> requests an address even if the Managed bit +		   in RA is
>> 0 and
> it
>>>> keeps retrying if it receives a reply +		   stating that no 
>>>> addresses are available */ +		return 0; + /* no address,
>> return
>>>> error */ o1 = new_opt6(OPTION6_STATUS_CODE); 
>>>> put_opt6_short(DHCP6NOADDRS);
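Review bot: the return 0 under if (all_stateless) sits ahead of the OPTION6_STATUS_CODE / DHCP6NOADDRS path, so a client asking for an address gets no reply at all rather than the NoAddrsAvail Advertise that the RFC 3315 text quoted in this thread says the server MUST send. If the aim is only to stop the syslog noise, keep the reply and make the log call conditional on the same all_stateless test. Also, all_stateless starts at 1, so if state->context can be NULL here the loop never runs and the request is dropped silently even though no stateless context matched; seed the flag from whether the list is non-empty. The multi-line comment between the if and its unbraced return 0 would read better above the if, or with braces around the body.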
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




More information about the Dnsmasq-discuss mailing list