Page MenuHomeVyOS Platform

IPv4-mapped and IPv4-compatible IPv6 addresses not valid anymore
Confirmed, HighPublicBUG

Description

I hope I didn't miss a bug report regarding this topic. I don't even know if this can be considered a bug, but it can break part of the VyOS configuration when upgrading from an older version.

IPv6 address validation seems to have changed between VyOS 1.2.3 and VyOS 1.3.2. In version 1.2.3 (I believe this works until 1.2.8), I was able to use a prefix-list with IPv4-mapped and IPv4-compatible IPv6 addresses (as in RFC 4291 section 2.5.5), which looked like this:

prefix-list6 testing {
    description "IPv4-compatible IPv6 addresses"
    rule 10 {
        action permit
        prefix ::127.0.0.0/104
    }

In VyOS 1.3.2 the validation fails when you try to configure it in this format:

set policy prefix-list6 testing rule 10 action permit
set policy prefix-list6 testing rule 10 prefix ::127.0.0.1/104

::127.0.0.0/104 ist not a valid IPv6 network address
Value validation failed
Set failed

The obvious and usable workaround is to change the notation:

set policy prefix-list6 testing rule 10 action permit
set policy prefix-list6 testing rule 10 prefix ::7f00:0/104

Interestingly, the FRR configuration in VyOS 1.3.2 looks like this in the end, even if you changed the notation:

ipv6 prefix-list testing seq 10 permit ::127.0.0.1/104

However, if the configuration is quite large, this behavior can lead to major problems during an update. When I tried to update a system with a 3000+ lines config.boot from VyOS 1.3.2 to VyOS 1.3.2, the configuration failed completely. I also tried this from later versions. If you upgrade from 1.2.8, for some reason only the specific prefix-list6 is missing. But if you save without noticing and reboot, route-maps that reference this prefix-list6 are also missing, so this can end quite bad.

Since I don't know whether this address validation behavior is intended and since it can lead so some serious problems depending on the configuration and VyOS version you are coming from, I thought I would at least let you know.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3.2
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Unspecified (please specify)

Event Timeline

@rcit I can assure you were never planned to explicitly disallow embedded IPv4 notation. Moreover, I thought the current validator supports it, even though we didn't have tests for it. I'll take a look!

Viacheslav changed the task status from Open to Confirmed.Feb 2 2024, 4:33 PM