Project

General

Profile

Actions

Bug #11105

closed

IPv6 RA RDNSS lifetime is too short, not compliant with RFC 8106

Added by Viktor Gurov over 3 years ago. Updated almost 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
IPv6 Router Advertisements (radvd/rtsold)
Target version:
Start date:
11/26/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.4.5-p1
Affected Architecture:

Description

https://forum.netgate.com/topic/158615/pfsense-ipv6-ra-rdnss-lifetime-is-too-short-not-compliant-with-rfc8106:
Is there a way to configure the lifetime for IPv6 RA RDNSS fields (type 25 and 31) in the pfSense IPv6 RA server? It appears that the default behaviour with pfSense is too short, and does not comply with RFC8106.

pfSense only offers three configurable values in the "Router Advertisement" UI - the "Minimum RA interval" (default 5 seconds), "Maximum RA interval" (default 20 seconds), and "Router lifetime" (default 3 * maximum RA interval).

Using these defaults, RA packets it sends have a router lifetime of 60 seconds as expected. However, the RDNSS fields have a lifetime of only 20 seconds! This causes them to occasionally expire if an RA packet is lost or if there is any jitter on the network.

RFC6106 specified that the lifetime SHOULD be bounded as: MaxRtrAdvInterval <= Lifetime <= 2*MaxRtrAdvInterval

RFC8106 superceded this specifically to address this problem, and specifies that the value of Lifetime SHOULD by default be at least:
3 * MaxRtrAdvInterval

The pfSense behaviour (as tested with 2.4.5-RELEASE-p1) barely meets the RFC6106 recommendation, and is way below what RFC8106 considers the minimum for reliable operation.

Altering the MaxRtrAdvInterval in the pfSense UI doesn't help - pfSense appears to always set the lifetime of the RDNSS fields equal to MaxRtrAdvInterval.

Actions #1

Updated by Viktor Gurov over 3 years ago

https://tools.ietf.org/html/rfc8106#section-5.1:

Lifetime    32-bit unsigned integer.  The maximum time in seconds
               (relative to the time the packet is received) over which
               these RDNSS addresses MAY be used for name resolution.
               The value of Lifetime SHOULD by default be at least
               3 * MaxRtrAdvInterval, where MaxRtrAdvInterval is the
               maximum RA interval as defined in [RFC4861].  A value of
               all one bits (0xffffffff) represents infinity.  A value
               of zero means that the RDNSS addresses MUST no longer
               be used.

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/66

Actions #2

Updated by Brandon Jackson over 3 years ago

Just including my post from the thread for a bit of attional info.

The radvd.conf is getting generated without AdvRDNSSLifetime defined, which from what I can find SHOULD default to 2*MaxRtrAdvInterval from what I am reading but it seems it is using just the MaxRtrAdvInterval.

Adding AdvRDNSSLifetime {3*MaxRtrAdvInterval} to the config should fix it, and not require waiting for radvd to be fixed.

Making this,

    RDNSS 2001:470:****:1::3 2001:470:****:2::8 { };

into this.
    RDNSS 2001:470:****:1::3 2001:470:****:2::8 {
    AdvRDNSSLifetime 3060 
    };

3060 being my MaxRtrAdvInterval * 3
Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
  • Target version set to CE-Next
Actions #4

Updated by Renato Botelho about 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #5

Updated by Viktor Gurov about 3 years ago

  • % Done changed from 0 to 100
Actions #6

Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Waiting on Merge
  • Target version changed from CE-Next to 2.5.1
Actions #7

Updated by Renato Botelho about 3 years ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

Actions #8

Updated by Jim Pingle about 3 years ago

  • Subject changed from IPv6 RA RDNSS lifetime is too short (not compliant with RFC8106) to IPv6 RA RDNSS lifetime is too short, not compliant with RFC 8106

Updating subject for release notes.

Actions #9

Updated by Viktor Gurov about 3 years ago

works as expected,
but now shows warning in routing.log:

routing.log:Mar 22 09:30:01 pf4 radvd[26608]: warning: (/var/etc/radvd.conf:24) 
AdvRDNSSLifetime <= 2*MaxRtrAdvInterval would allow stale DNS servers to be deleted faster

Actions #10

Updated by Viktor Gurov almost 3 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF