
DHCPv6 does not have prefix range validation
Closed, Resolved · Public · BUG

Description

Reproducing steps:

set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 address-range start 2001:db8:3456::100 stop '2001:db8:3456::1ff'
set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 name-server '2001:db8:daad::1'
set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 prefix-delegation start 2001:db8:290::500 prefix-length '64'
set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 prefix-delegation start 2001:db8:290::500 stop '2001:db8:290::5ff'

The settings can be applied, but the DHCPv6 server does not start and dies with an error in the logs:

Apr 23 11:30:01 vyos systemd[1]: Starting ISC DHCP IPv6 server...
Apr 23 11:30:01 vyos dhcpd[8404]: /run/dhcp-server/dhcpdv6.conf line 13: network mask too short
Apr 23 11:30:01 vyos dhcpd[8404]:         prefix6 2001:db8:290::500 2001:db8:290::5ff/64;
Apr 23 11:30:01 vyos dhcpd[8404]:                                                     ^
Apr 23 11:30:01 vyos dhcpd[8404]: Configuration file errors encountered -- exiting
Apr 23 11:30:01 vyos dhcpd[8404]: 
Apr 23 11:30:01 vyos dhcpd[8404]: If you think you have received this message due to a bug rather
Apr 23 11:30:01 vyos dhcpd[8404]: than a configuration issue please read the section on submitting
Apr 23 11:30:01 vyos dhcpd[8404]: bugs on either our web page at www.isc.org or in the README file
Apr 23 11:30:01 vyos dhcpd[8404]: before submitting a bug.  These pages explain the proper
Apr 23 11:30:01 vyos dhcpd[8404]: process and the information we find helpful for debugging.
Apr 23 11:30:01 vyos dhcpd[8404]: 
Apr 23 11:30:01 vyos dhcpd[8404]: exiting.

Details

Version: 1.4-rolling-202104221210
Is it a breaking change?: Perfectly compatible
Issue type: Unspecified (please specify)

Event Timeline

Unknown Object (User) created this task. Apr 23 2021, 1:55 PM
dmbaturin set Issue type to Unspecified (please specify).
dmbaturin subscribed.

Should be easy to do now that ipaddrcheck supports range validation.

Can I claim this? I will submit a draft PR for review; I have it resolved (see test output below).

Test 1: Prefix start address is not within Subnet

set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 address-range start 2001:db8:3456::100 stop '2001:db8:3456::1ff'
set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 name-server '2001:db8:daad::1'
set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 prefix-delegation start 2001:db8:290::500 prefix-length '64'
set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 prefix-delegation start 2001:db8:290::500 stop '2001:db8:290::5ff'

	ConfigError output:
	Prefix delegation start address "2001:db8:290::500" is not in subnet
	"2001:db8:3456::/64"

Test 2: Prefix stop address is not within Subnet

set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 address-range start 2001:db8:3456::100 stop '2001:db8:3456::1ff'
set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 name-server '2001:db8:daad::1'
set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 prefix-delegation start 2001:db8:3456::500 prefix-length '64'
set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 prefix-delegation start 2001:db8:3456::500 stop '2001:db8:290::5ff'

	ConfigError output: 
	Prefix delegation stop address "2001:db8:290::5ff" is not in subnet
	"2001:db8:3456::/64"

Does 1.5 have the same bug?

Prefixes are handled differently in 1.5/Kea; there's no option to set a prefix delegation start/stop address like before.

vyos@vyos-A# set service dhcpv6-server shared-network-name VyOS-DHCPv6 subnet 2001:db8:3456::/64 prefix-delegation prefix 3000:1::
Possible completions:
   delegated-length            Length in bits of prefixes to be delegated
   excluded-prefix             IPv6 prefix to be excluded from prefix delegation
   excluded-prefix-length      Length in bits of excluded prefix
   prefix-length               Length in bits of prefix

This is actually a "wrong" error, or a real error with a wrong fix.

Apr 23 11:30:01 vyos dhcpd[8404]: /run/dhcp-server/dhcpdv6.conf line 13: network mask too short
Apr 23 11:30:01 vyos dhcpd[8404]:         prefix6 2001:db8:290::500 2001:db8:290::5ff/64;

The issue is that the config syntax is incorrect. Both 2001:db8:290::500 and 2001:db8:290::5ff are full 128-bit IPv6 addresses, and thus /64s cannot be sliced out of them. The proper range you wanted to express is most likely: 2001:db8:290:500:: to 2001:db8:290:5ff::
I will revert the verify() logic, as it is legitimate ISC DHCPv6 behavior to assign a PD from outside of the subnet6 in use.

set service dhcpv6-server shared-network-name SMOKE-2 subnet 2001:db8:f00::/64 address-range start 2001:db8:f00::100 stop '2001:db8:f00::ffff'
set service dhcpv6-server shared-network-name SMOKE-2 subnet 2001:db8:f00::/64 prefix-delegation start 2001:db8:ee:: prefix-length '56'
set service dhcpv6-server shared-network-name SMOKE-2 subnet 2001:db8:f00::/64 prefix-delegation start 2001:db8:ee:: stop '2001:db8:ee:ff00::'

gives

# Shared network configration(s)
shared-network SMOKE-2 {
    subnet6 2001:db8:f00::/64 {
        range6 2001:db8:f00::100 2001:db8:f00::ffff;
        prefix6 2001:db8:ee:: 2001:db8:ee:ff00:: /56;
    }
    on commit {
        set shared-networkname = "SMOKE-2";
    }
}

And using this subnet on a client via DHCPv6-PD logs:

May 26 08:43:46 dhcpd[7613]: Solicit message from fe80::250:56ff:febf:c56d port 546, transaction ID 0x9085200
May 26 08:43:46 dhcpd[7613]: Advertise NA: address 2001:db8:f00::917d to client with duid 00:04:73:67:3f:42:df:77:80:c4:42:c9:42:af:ff:15:de:0b iaid = 0 valid for 43200 seconds
May 26 08:43:46 dhcpd[7613]: Picking pool prefix 2001:db8:ee:ff00::/56
May 26 08:43:46 dhcpd[7613]: Advertise PD: address 2001:db8:ee:ff00::/56 to client with duid 00:04:73:67:3f:42:df:77:80:c4:42:c9:42:af:ff:15:de:0b iaid = 0 valid for 4294967295 seconds
May 26 08:43:46 dhcpd[7613]: Sending Advertise to fe80::250:56ff:febf:c56d port 546
May 26 08:43:47 dhcpd[7613]: Request message from fe80::250:56ff:febf:c56d port 546, transaction ID 0x3AAB5E00
May 26 08:43:47 dhcpd[7613]: Reply NA: address 2001:db8:f00::917d to client with duid 00:04:73:67:3f:42:df:77:80:c4:42:c9:42:af:ff:15:de:0b iaid = 0 valid for 43200 seconds
May 26 08:43:47 dhcpd[7613]: Reply PD: address 2001:db8:ee:ff00::/56 to client with duid 00:04:73:67:3f:42:df:77:80:c4:42:c9:42:af:ff:15:de:0b iaid = 0 valid for 4294967295 seconds
May 26 08:43:47 dhcpd[7613]: Sending Reply to fe80::250:56ff:febf:c56d port 546
c-po reopened this task as In progress. May 26 2024, 8:26 AM
c-po claimed this task.
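
Added example, not VyOS code and not part of the task discussion: a sketch of the check the last comment points to, which tests that the prefix-delegation start and stop addresses sit on a `prefix-length` boundary rather than inside `subnet6`. The function names `check_pd_range` and `delegable_prefixes` are hypothetical; the sample values are the ones from this task.

```python
import ipaddress


def check_pd_range(start, stop, prefix_length):
    """Return a list of problems with a prefix-delegation start/stop/length triple."""
    if not 1 <= prefix_length <= 128:
        return [f"prefix-length {prefix_length} is not between 1 and 128"]
    lo = ipaddress.IPv6Address(start)
    hi = ipaddress.IPv6Address(stop)
    # Every bit to the right of the delegated prefix length must be zero,
    # otherwise the address cannot be the base of a /prefix_length block.
    host_mask = (1 << (128 - prefix_length)) - 1
    problems = []
    for label, addr in (("start", lo), ("stop", hi)):
        if int(addr) & host_mask:
            boundary = ipaddress.IPv6Address(int(addr) & ~host_mask)
            problems.append(
                f'{label} address "{addr}" is not on a /{prefix_length} '
                f"boundary (nearest lower boundary: {boundary})"
            )
    if lo > hi:
        problems.append(f'start address "{lo}" is above stop address "{hi}"')
    # Deliberately no "inside subnet6" test: per the discussion above, a PD
    # pool outside the subnet in use is legitimate.
    return problems


def delegable_prefixes(start, stop, prefix_length):
    """Number of /prefix_length blocks in the inclusive range start..stop."""
    problems = check_pd_range(start, stop, prefix_length)
    if problems:
        raise ValueError("; ".join(problems))
    lo = int(ipaddress.IPv6Address(start))
    hi = int(ipaddress.IPv6Address(stop))
    return ((hi - lo) >> (128 - prefix_length)) + 1


if __name__ == "__main__":
    samples = [  # start, stop, prefix-length values taken from this task
        ("2001:db8:290::500", "2001:db8:290::5ff", 64),
        ("2001:db8:290:500::", "2001:db8:290:5ff::", 64),
        ("2001:db8:ee::", "2001:db8:ee:ff00::", 56),
    ]
    for start, stop, length in samples:
        issues = check_pd_range(start, stop, length)
        print(start, stop, f"/{length}", "->", issues or "ok")
```
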