From: Dave Taht
To: Chris Lawrence
List: cerowrt-devel@lists.bufferbloat.net (Development issues regarding the cerowrt test router project)
Date: Tue, 22 Jan 2013 18:12:09 -0500
Subject: Re: [Cerowrt-devel] dnsmasq ipv6 stuff

On Tue, Jan 22, 2013 at 1:52 PM, Chris Lawrence wrote:
> On Tue, Jan 22, 2013 at 1:40 AM, Dave Taht wrote:
> > I think that's this in /etc/dnsmasq.conf
> >
> > dhcp-range=se00,1234::, ra-stateless, ra-names
> > dhcp-range=sw00,1234::, ra-stateless, ra-names
> > dhcp-range=sw10,1234::, ra-stateless, ra-names
> > dhcp-range=gw00,1234::, ra-stateless, ra-names
> > dhcp-range=gw10,1234::, ra-stateless, ra-names
> >
> > It's kind of unclear to me what 1234 could be replaced with.
> > "ce30" works for me...
>
> Using ::1 on each will autoassign the addresses based on the address
> of the interface, which seems like a sensible default no matter what
> network address you have. Having said that I found that with
> ra-stateless enabled, at least one device on my network would send
> DHCPv6 requests that crashed dnsmasq. So I have:
>
> dhcp-range=::1,constructor:se00,ra-names
> (etc.)
>

My own objection to ::1 is that it provides both an easy mnemonic for people to manage their networks AND an easier vector for attacks from the outside world.

J.random.badscript only has to ping ::1 on every subnet in your delegation to try and hit all the routers.

That said, I think the humans are going to win on this one, even though the dns integration with ipv6 and dnsmasq is tighter than it's ever been before.

One thing that does bother me though, from a simplification standpoint, is I wouldn't mind using up some of that extra address space to gain larger ephemeral port ranges for things like dns service and to make it easier to analyze traffic. I remember back in the 90s when we used to have one ip address per web host.... it was a PITA then because of address scarcity.

I have been liking ipv6's integration with virtual machines. No more port forwarding, yea! A raft of unupdated vm machines running boo.

> I think with test11 that can be further simplified to:
>
> dhcp-range=::1,constructor:*,ra-names
>
> This uses SLAAC only, which seems sufficient for my network purposes.
> I tried adding an end to the range to see if that was the problem with
> DHCP, but that doesn't seem to help, at least in test10.
>

I won't mind providing some examples of syntax, and I can imagine that a guest network might use slaac and an internal network try to use dhcp.

The new constructor thing is neat. Though I've read the man page section on it 3 times, and still don't get it all.

And now there's a new authoritative dns support documented in the man page...

It has long been my hope to be able to publish AAAA records in the public dns, and this will let you do that. Still unclear as to how to just export AAAAs and not As....

Another one of my hopes has been to get one name for a machine with two interfaces somehow, someday.

Anyway, I'm liking it...

> The other thing I noticed in 3.7.2-4 is that both dnsmasq and
> dnsmasq-dhcpv6 are installed, but the dnsmasq binary is actually the
> non-v6 version unless you reinstall the dnsmasq-dhcpv6 package
> (according to upstream OpenWRT, only one or the other should be
> installed since they conflict).
>

I may have fixed this in 3.7.3-1, so if it isn't fixed now, let me know.

CONFIG_PACKAGE_dnsmasq=m
CONFIG_PACKAGE_dnsmasq-dhcpv6=y

I'm hoping to get a 3.7.4-1 out with the last of the unaligned hack fixes out today.

> Chris
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
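Added example, following the whole message above; it is not code from the thread, from dnsmasq or from CeroWrt. It is a small Python lint that parses dnsmasq IPv6 `dhcp-range=` lines of the shapes quoted in the thread (a leading tag such as `se00`, a start address, an optional end address or `constructor:<iface>`, then modes, prefix length and lease) and flags every range whose router address ends in `::1`, the predictable host part Dave objects to. The field order follows dnsmasq's documented dhcp-range syntax and `MODES` lists the per-range modes from its man page; treating a bare leading token as a tag/interface label is an assumption taken from the quoted lines; `SAMPLE_CONF` is constructed here from those lines plus one IPv4 range to show that it is skipped.

```python
"""Lint dnsmasq IPv6 dhcp-range lines for a predictable router host part.

Added example for this thread, not part of dnsmasq or CeroWrt.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Per-range modes dnsmasq accepts for IPv6 ranges (from the dnsmasq man page).
MODES = {"ra-only", "slaac", "ra-names", "ra-stateless", "ra-advrouter", "off-link"}

# Constructed sample, assembled from the lines quoted in the thread plus an IPv4 range.
SAMPLE_CONF = """\
# constructed sample configuration
dhcp-range=192.168.1.50,192.168.1.150,12h
dhcp-range=se00,1234::, ra-stateless, ra-names
dhcp-range=::1,constructor:se00,ra-names
dhcp-range=::1,constructor:*,ra-names
"""


@dataclass
class Range6:
    tags: list[str] = field(default_factory=list)
    start: ipaddress.IPv6Address | None = None
    end: ipaddress.IPv6Address | None = None
    constructor: str | None = None
    modes: set[str] = field(default_factory=set)
    prefix_len: int | None = None
    lease: str | None = None


def _addr_version(tok: str):
    """Return 4 or 6 if tok is an IP address literal, else None."""
    try:
        return ipaddress.ip_address(tok).version
    except ValueError:
        return None


def parse_dhcp_range6(line: str):
    """Parse one dhcp-range= line; return None for IPv4 ranges or unparsable lines."""
    body = line.strip()
    if body.startswith("dhcp-range="):
        body = body[len("dhcp-range="):]
    fields = [f.strip() for f in body.split(",") if f.strip()]
    r = Range6()
    # Leading tag:/set: selectors, or a bare label such as "se00" (assumption, as in the thread).
    while fields and _addr_version(fields[0]) is None:
        r.tags.append(fields.pop(0))
    if not fields or _addr_version(fields[0]) != 6:
        return None
    r.start = ipaddress.IPv6Address(fields.pop(0))
    # Second positional field: either an end address or constructor:<interface>.
    if fields and fields[0].startswith("constructor:"):
        r.constructor = fields.pop(0).split(":", 1)[1]
    elif fields and _addr_version(fields[0]) == 6:
        r.end = ipaddress.IPv6Address(fields.pop(0))
    # Remaining fields: modes, then prefix length (bare integer <= 128), then lease time.
    for tok in fields:
        if tok in MODES:
            r.modes.add(tok)
        elif tok.isdigit() and r.prefix_len is None and int(tok) <= 128:
            r.prefix_len = int(tok)
        else:
            r.lease = tok
    return r


def lint_ranges(conf_text: str) -> list[str]:
    """Return one finding per IPv6 range whose interface identifier is the well-known ::1."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip().startswith("dhcp-range="):
            continue
        r = parse_dhcp_range6(line)
        if r is None:
            continue
        scope = r.constructor or ",".join(r.tags) or "(untagged)"
        interface_id = int(r.start) & ((1 << 64) - 1)  # low 64 bits of the start address
        if interface_id == 1:
            findings.append(
                f"line {lineno} [{scope}]: router address ends in ::1; the host part is the "
                f"same on every subnet, so it is guessable from the prefix alone"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_ranges(SAMPLE_CONF):
        print(finding)
```

Run against `SAMPLE_CONF` the lint reports the two `::1` ranges and stays silent on the `1234::` ranges, whose low 64 bits are zero, and on the IPv4 range, which `parse_dhcp_range6` returns `None` for.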
