Project

General

Profile

Bug #11105

IPv6 RA RDNSS lifetime is too short (not compliant with RFC8106)

Added by Viktor Gurov 2 months ago. Updated about 2 months ago.

Status:
Pull Request Review
Priority:
Normal
Assignee:
-
Category:
IPv6 Router Advertisements (RADVD)
Target version:
Start date:
11/26/2020
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4.5-p1
Affected Architecture:

Description

https://forum.netgate.com/topic/158615/pfsense-ipv6-ra-rdnss-lifetime-is-too-short-not-compliant-with-rfc8106:
Is there a way to configure the lifetime for IPv6 RA RDNSS fields (type 25 and 31) in the pfSense IPv6 RA server? It appears that the default behaviour with pfSense is too short, and does not comply with RFC8106.

pfSense only offers three configurable values in the "Router Advertisement" UI - the "Minimum RA interval" (default 5 seconds), "Maximum RA interval" (default 20 seconds), and "Router lifetime" (default 3 * maximum RA interval).

Using these defaults, RA packets it sends have a router lifetime of 60 seconds as expected. However, the RDNSS fields have a lifetime of only 20 seconds! This causes them to occasionally expire if an RA packet is lost or if there is any jitter on the network.

RFC6106 specified that the lifetime SHOULD be bounded as: MaxRtrAdvInterval <= Lifetime <= 2*MaxRtrAdvInterval

RFC8106 superceded this specifically to address this problem, and specifies that the value of Lifetime SHOULD by default be at least:
3 * MaxRtrAdvInterval

The pfSense behaviour (as tested with 2.4.5-RELEASE-p1) barely meets the RFC6106 recommendation, and is way below what RFC8106 considers the minimum for reliable operation.

Altering the MaxRtrAdvInterval in the pfSense UI doesn't help - pfSense appears to always set the lifetime of the RDNSS fields equal to MaxRtrAdvInterval.

History

#1 Updated by Viktor Gurov 2 months ago

https://tools.ietf.org/html/rfc8106#section-5.1:

Lifetime    32-bit unsigned integer.  The maximum time in seconds
               (relative to the time the packet is received) over which
               these RDNSS addresses MAY be used for name resolution.
               The value of Lifetime SHOULD by default be at least
               3 * MaxRtrAdvInterval, where MaxRtrAdvInterval is the
               maximum RA interval as defined in [RFC4861].  A value of
               all one bits (0xffffffff) represents infinity.  A value
               of zero means that the RDNSS addresses MUST no longer
               be used.

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/66

#2 Updated by Brandon Jackson 2 months ago

Just including my post from the thread for a bit of attional info.

The radvd.conf is getting generated without AdvRDNSSLifetime defined, which from what I can find SHOULD default to 2*MaxRtrAdvInterval from what I am reading but it seems it is using just the MaxRtrAdvInterval.

Adding AdvRDNSSLifetime {3*MaxRtrAdvInterval} to the config should fix it, and not require waiting for radvd to be fixed.

Making this,

    RDNSS 2001:470:****:1::3 2001:470:****:2::8 { };

into this.
    RDNSS 2001:470:****:1::3 2001:470:****:2::8 {
    AdvRDNSSLifetime 3060 
    };

3060 being my MaxRtrAdvInterval * 3

#3 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.next

Also available in: Atom PDF