[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: connect() with AF_INET6 freezes on some Debian/unstable machine

On Wed, Apr 08, 2015 at 01:35:44AM +0200, Vincent Lefevre wrote:
> On 2015-04-08 01:41:58 +0300, Reco wrote:
> > On Wed, Apr 08, 2015 at 12:00:59AM +0200, Vincent Lefevre wrote:
> > > > Can I see the output of the following, please:
> > > > 
> > > > ip -6 a l dev eth0
> > > 
> > > ypig:~> ip -6 a l dev eth0
> > > 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
> > >     inet6 2001:1::21f:29ff:fe04:3efb/64 scope global mngtmpaddr dynamic 
> > >        valid_lft 2557017sec preferred_lft 569817sec
> > 
> > This. Every time you see this - that means your host received an advice
> > to configure IPv6 address from an advertised network and to use the
> > sender as a router. Your host's routing table shows exactly the same.
> > 
> > SLAAC is a good thing if the host that advertises RA is an actual
> > router. If it is not - you get exactly the behavior you got.
> Thanks for the information. Do you mean that random machines on
> the network can send fake advertising?

Yes. And by default - every host in a local network segment and their
dog will accept this RA. Worse - there can be more than one RA
advertiser on a network segment (and it leads to *very* funny results).

>Otherwise how is "the host that advertises RA" determined?

It's the one that sends NDP announcements (icmpv6 type 134)


> If SLAAC can be a bad thing on arbitrary networks, why is it enabled
> by default? (IMHO, the default should be the safest.)

Treat SLAAC as DHCP. It's considered pretty normal to run DHCP client in
a foreign network and trust whatever information DHCP server sends the
client. Heck, some clients are going that far as setting own hostname
the way DHCP server told them.
The only difference being that DHCP requires userspace client
and SLAAC does not (in Linux).

> > The correct way to deal with this then is to disable accepting RAs on
> > your host:
> > 
> > echo 1 > /proc/sys/net/ipv6/conf/all/accept_ra
> I did *not* do that yet, but I can see:
> ypig:~> cat /proc/sys/net/ipv6/conf/all/accept_ra
> 1
> i.e. it is already 1 (ditto for /proc/sys/net/ipv6/conf/eth0/accept_ra).
> Or do you mean 0?

My bad. Zero to disable, one to enable.

> But on the other machine that doesn't have this "scope global",
> /proc/sys/net/ipv6/conf/*/accept_ra is also 1, so that I'm confused.

If it's on the same network - check whenever you have ip6tables
configured on that host. If it's a different network - it's no wonder.


Reply to: