On Tue, Jan 22, 2013 at 1:52 PM, Chris Lawrence <lordsutch@gmail.com> wrote:
On Tue, Jan 22, 2013 at 1:40 AM, Dave Taht <dave.taht@gmail.com> wrote:
> I think that's this in /etc/dnsmasq.conf
>
> dhcp-range=se00,1234::, ra-stateless, ra-names
> dhcp-range=sw00,1234::, ra-stateless, ra-names
> dhcp-range=sw10,1234::, ra-stateless, ra-names
> dhcp-range=gw00,1234::, ra-stateless, ra-names
> dhcp-range=gw10,1234::, ra-stateless, ra-names
>
> It's kind of unclear to me what 1234 could be replaced with.
> "ce30" works for me...

Using ::1 on each will autoassign the addresses based on the address
of the interface, which seems like a sensible default no matter what
network address you have.  Having said that I found that with
ra-stateless enabled, at least one device on my network would send
DHCPv6 requests that crashed dnsmasq.  So I have:

dhcp-range=::1,constructor:se00,ra-names
(etc.)

My own objection to ::1 is that it provides both an easy mnemonic for people to manage their networks AND an easier vector for attacks from the outside world.

J.random.badscript only has to ping ::1 on every subnet in your delegation to try and hit all the routers.

That said, I think the humans are going to win on this one, even though the dns integration with ipv6 and dnsmasq is tighter than it's ever been before.

One thing that does bother me though, from a simplification standpoint, is I wouldn't mind using up some of that extra address space to gain larger ephemeral port ranges for things like dns service and to make it easier to analyze traffic. I remember back in the 90s when we used to have one ip address per web host.... it was a PITA then because of address scarcity.

I have been liking ipv6's integration with virtual machines. No more port forwarding, yea! A raft of unupdated vm machines running boo.


I think with test11 that can be further simplified to:

dhcp-range=::1,constructor:*,ra-names

This uses SLAAC only, which seems sufficient for my network purposes.
I tried adding an end to the range to see if that was the problem with
DHCP, but that doesn't seem to help, at least in test10.


I won't mind providing some examples of syntax, and I can imagine that a guest network might use slaac and an internal network try to use dhcp.

The new constructor thing is neat. Though I've read the man page section on it 3 times, and still don't get it all.

And now there's a new authoritative dns support documented in the man page...

It has long been my hope to be able to publish AAAA records in the public dns, and this will let you do that. Still unclear as to how to just export AAAAs and not As....

Another one of my hopes has been to get one name for a machine with two interfaces somehow, someday.

Anyway, I'm liking it...
 
The other thing I noticed in 3.7.2-4 is that both dnsmasq and
dnsmasq-dhcpv6 are installed, but the dnsmasq binary is actually the
non-v6 version unless you reinstall the dnsmasq-dhcpv6 package
(according to upstream OpenWRT, only one or the other should be
installed since they conflict).

I may have fixed this in 3.7.3-1, so if it isn't fixed now, let me know.

CONFIG_PACKAGE_dnsmasq=m
CONFIG_PACKAGE_dnsmasq-dhcpv6=y
 
I'm hoping to get a 3.7.4-1 out with the last of the unaligned hack fixes out today.


Chris



--
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
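
An added example, not part of the thread and not dnsmasq's own code: a Python sketch of how a `constructor:` template such as `dhcp-range=::1,constructor:*,ra-names` resolves to one address per interface, and how small the search space is for a fixed `::1` host part across a delegation. The interface addresses, the /56 delegation and the shell-style matching of `*` are assumptions made for illustration.

```python
import fnmatch
import ipaddress

# Constructed interface table: names from the thread, addresses from the
# 2001:db8::/32 documentation range (an assumed /56 delegation).
INTERFACES = {
    "se00": "2001:db8:0:a00:2aa:bbff:fecc:dd00/64",
    "sw00": "2001:db8:0:a01:2aa:bbff:fecc:dd01/64",
    "gw00": "2001:db8:0:a02:2aa:bbff:fecc:dd02/64",
}


def parse_constructor_range(line):
    """Parse 'dhcp-range=<host-part>,constructor:<if>,<mode>...'; None for other forms."""
    key, _, value = line.strip().partition("=")
    if key.strip() != "dhcp-range":
        return None
    fields = [f.strip() for f in value.split(",") if f.strip()]
    ctor = [f for f in fields if f.startswith("constructor:")]
    if not ctor:
        return None  # old-style line without a constructor template
    return {
        "host_part": int(ipaddress.IPv6Address(fields[0])),  # e.g. ::1 -> 1
        "pattern": ctor[0].split(":", 1)[1],
        "modes": [f for f in fields[1:] if f.startswith(("ra-", "slaac"))],
    }


def expand(rule, interfaces):
    """Network part comes from each matching interface, host part from the rule."""
    result = {}
    for name, cidr in sorted(interfaces.items()):
        if fnmatch.fnmatchcase(name, rule["pattern"]):  # assumed glob semantics
            net = ipaddress.IPv6Interface(cidr).network
            addr = int(net.network_address) | rule["host_part"]
            result[name] = str(ipaddress.IPv6Address(addr))
    return result


def subnets_to_cover(delegation_prefix_len):
    """Number of /64s in a delegation, i.e. guesses needed for a fixed host part."""
    return 2 ** (64 - delegation_prefix_len)


if __name__ == "__main__":
    rule = parse_constructor_range("dhcp-range=::1,constructor:*,ra-names")
    for ifname, start in expand(rule, INTERFACES).items():
        print(ifname, start, rule["modes"])
    print("guesses for ::1 across a /56:", subnets_to_cover(56))
```

A fixed host part reduces the per-delegation search to the number of /64s, whereas a randomly chosen interface identifier leaves 2^64 candidates in every subnet.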