Re: ipv6_enable

From: Doug Barton <dougb_at_FreeBSD.org>
Date: Sun, 04 Apr 2010 19:53:42 -0700
Thanks for the reply, it's nice to get other viewpoints involved,
especially from those who have actual working knowledge of IPv6. I'm
going to snip the bits where we agree for ease of reading.

On 04/03/10 22:33, Kevin Oberman wrote:
>> Date: Sat, 03 Apr 2010 17:49:40 -0700
>> From: Doug Barton <dougb_at_FreeBSD.org>
>> Sender: owner-freebsd-current_at_freebsd.org
>>
>> As we've discussed previously, you and I have a lot of disagreement on
>> some of these principles. I'm going to outline my responses in some
>> detail, however I'm also interested in what others have to say since I'd
>> ultimately like to see some consensus from the community on how this
>> should be configured.
> 
> I guess it's time to put in my $.02. I do have some experience with
> IPv6. I have the first system to run a production IPv6 address in that
> ARIN region sitting under my desk in Berkeley.
> 
> I agree with one of Doug's points and one of Hiroki's.
>>
>> On 04/03/10 04:51, Hiroki Sato wrote:
>>> Doug Barton <dougb_at_freebsd.org> wrote
>>>   in <4BB70E1E.3090102_at_FreeBSD.org>:
>> I actually look forward to the day when we have an ipv4_enable, and look
>> forward even more to the day when it defaults to "off." :)
> 
> It's possible that the time will come this decade when IPv4 is really
> not needed by the typical user, but I don't expect utilization to drop
> low enough that it would be appropriate to make the default "no"
> (certainly not "off"). POLA and general conservatism will prevent this
> for a long time.

Yes, my sentiment is serious, but the practicalities dictated the smiley
at the end.  :)

>>> do> 3. Each IPv6 interface (other than lo0) should be configured with rtsol
>>> do> by default, but manual configuration should still be possible.
>
> I would agree with Doug EXCEPT for experiences I have had. I have been
> at a conference where a rogue RA totally clobbered the IPv6
> network. Yes, not that many of us were running over IPv6, but I was (see
> the headers on this message) and it was very annoying. (It was also
> totally inadvertent.)
> 
> I also know that a large federal research lab discovered that they had
> hundreds of systems running IPv6 on their network without knowing
> it. Almost all UNIX systems turn it on by default and some systems were
> configured for RTADV. It was causing all sorts of problems that were very
> hard to track down.
> 
> Neither of these cases involved any intent to cause harm, but they
> demonstrate that it would not be hard for a miscreant to take advantage
> of this.
> 
> ATM there is no alternative to running RTADV, and I am hopeful that IETF
> finishes and that vendors quickly implement RA-Guard, as well as mods
> to DHCPv6 to allow it to operate without needing a system running RTADV
> on the wire.

I've read the various opinions regarding having RA on by default, and
have reconsidered my position. Therefore I'd like to offer a compromise.
What I'm after is that modulo the need to toggle ipv6_enable if a user
has an interface configured with IPv4 that the same interface should
"just work" with IPv6. Given that RA is the default method of IPv6
deployment, and given that it will almost certainly be necessary, I
thought enabling it by default was a good idea. However I'm nothing if
not reasonable. :)

So I'd like to suggest returning the default in ipv6_autoconfif() to
off, but enabling it if the user has a DHCP option in their IPv4
configuration for that same interface. To that end I've modified my
patch, you can see the new version at
http://people.freebsd.org/~dougb/v6-enable-2.diff. I've also added
support for an RTADV keyword in ifconfig_IF_ipv6 and updated rc.conf.5
to match.

I think this is a reasonable compromise, as those users who are using
DHCP for IPv4 already have the expectation that their interfaces will be
automatically configured. Those who are manually specifying their v4
addresses will have a little more work to get IPv6 up and running, but I
can just send them to Hiroki or Steinar for help. :)

Incidental to the RA default, when working on this new patch I noticed
that noafif() is only ever called by ipv6_autoconfif() so I changed it
to be in line rather than a separate function.


Doug

-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/
Received on Mon Apr 05 2010 - 00:53:44 UTC
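The decision rule Doug proposes above (autoconf off by default, on when the same interface uses DHCP for IPv4 or carries an RTADV keyword in ifconfig_IF_ipv6) written out as a small POSIX sh function. This is an added illustration, not code from the v6-enable-2.diff patch or from network.subr; the helper names, the NORTADV opt-out keyword and the sample rc.conf values are assumptions made for the example.

```shell
#!/bin/sh
# Added example of the proposed ipv6_autoconfif() policy; not FreeBSD's
# own implementation. Variable naming (ifconfig_IF, ifconfig_IF_ipv6)
# follows rc.conf(5); interface names must be valid shell identifiers.

# Print the value of an rc.conf-style variable whose name is $1.
rcvar() {
    eval "printf '%s' \"\${$1}\""
}

# Print "yes" if interface $1 should accept router advertisements
# (run rtsol), "no" otherwise.
ipv6_autoconf_decision() {
    _if=$1
    _v4=$(rcvar "ifconfig_${_if}")
    _v6=$(rcvar "ifconfig_${_if}_ipv6")

    # lo0 and other loopbacks never autoconfigure.
    case "$_if" in
    lo*) echo no; return ;;
    esac

    # An explicit keyword on the IPv6 line wins in either direction.
    # RTADV is the keyword from the message; NORTADV is an assumed
    # opt-out so a DHCP-on-v4 host can still refuse RAs (rogue RA risk).
    for _w in $_v6; do
        case "$_w" in
        RTADV)   echo yes; return ;;
        NORTADV) echo no;  return ;;
        esac
    done

    # Compromise default: inherit the user's expectation from IPv4.
    # DHCP on v4 means "auto-configure me", so accept RAs; a static
    # v4 address (or no v4 line) leaves RA off.
    for _w in $_v4; do
        case "$_w" in
        DHCP|SYNCDHCP|NOSYNCDHCP) echo yes; return ;;
        esac
    done
    echo no
}

# Constructed sample configuration for a stand-alone run.
ifconfig_em0="DHCP";                       ifconfig_em0_ipv6=""
ifconfig_em1="inet 192.0.2.10/24";         ifconfig_em1_ipv6=""
ifconfig_em2="inet 192.0.2.11/24";         ifconfig_em2_ipv6="RTADV"
ifconfig_em3="DHCP";                       ifconfig_em3_ipv6="NORTADV"
for _i in lo0 em0 em1 em2 em3; do
    printf '%s: accept_rtadv=%s\n' "$_i" "$(ipv6_autoconf_decision "$_i")"
done
```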