base-files: Don't enable ULA IPv6 addresses by default in new config

From: Baptiste Jonglez <git@bitsofnetworks.org>

ULA IPv6 prefixes (Unique Local Addresses, RFC 4193) are not routable on
the Internet.  As such, they have very limited use, and enabling them by
default causes more problems than it solves:

- if an OpenWrt device already has external IPv6 connectivity with
  globally routable addresses, then ULA addresses are not useful.

- if an OpenWrt device has no external IPv6 connectivity, then ULA
  addresses could be useful for local IPv6 communication on the LAN;
  however, link-local IPv6 addresses already provide such a service
  without needing any configuration or even the need for a router.
  Discovery protocols based on IPv6 multicast and link-local addresses are
  becoming more common (e.g. syncthing) and don't need ULA to work.

- users might be confused to see multiple unrelated IPv6 addresses on
  their devices.  Or they might wrongly conclude that they have IPv6
  connectivity thanks to ULA addresses, while in fact ULA addresses are
  not globally routable.

- there have been various bug reports [1, 2, 3] in 19.07 and 21.02 where
  ULA addresses basically break global IPv6 connectivity.  These bugs have
  not been solved in several years, indicating a probable lack of interest
  for ULA from the OpenWrt developer community.

ULA addresses are still supported, e.g. by setting
network.globals.ula_prefix='auto' in a uci-defaults script that runs
before "12_network-generate-ula", or by directly setting
network.globals.ula_prefix to a /48 prefix.

[1] https://github.com/openwrt/openwrt/issues/5082
[2] https://forum.openwrt.org/t/router-can-use-ipv6-ok-but-clients-in-lan-cannot/57587
[3] https://lafibre.info/ipv6/saison-2-openwrt-slaac-problemes/

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
---
 package/base-files/files/bin/config_generate | 7 -------
 1 file changed, 7 deletions(-)

>>>>> Baptiste Jonglez <git@bitsofnetworks.org> writes:
    > ULA IPv6 prefixes (Unique Local Addresses, RFC 4193) are not routable
    > on the Internet.  As such, they have very limited use, and enabling
    > them by default causes more problems than it solves:

    > - if an OpenWrt device already has external IPv6 connectivity with
    > globally routable addresses, then ULA addresses are not useful.

That's just not the case.
ULAs are intended to be the IPv6 version of RFC1918, useable for local
communications.

Please go read RFC7084.
ULAs are required, and OpenWRT has been a leader here.

I strongly object to this proposal.

>>>>> Baptiste Jonglez <git@bitsofnetworks.org> writes:
    > - there have been various bug reports [1, 2, 3] in 19.07 and 21.02
    > where ULA addresses basically break global IPv6 connectivity.  These
    > bugs have not been solved in several years, indicating a probable lack
    > of interest for ULA from the OpenWrt developer community.

Seems to be

a) a bug in MacOS.
b) a bug reported in french, where my reading is that an he.net tunnel is
   involved.  I don't see anything about ULAs here.
c) a bug where a client didn't get a GUA, and not surprisingly, couldn't
   ping the internet.
   "so I suppose IP assignment is fine."
   But they weren't because the router didn't assign a v6 prefix to the LAN.

Having ULAs available is critical to efforts to do HTTPS to the router.
Please do not change this default.

> Le 8 sept. 2022 à 19:35, Michael Richardson <mcr+ietf@sandelman.ca> a écrit :
> 
> 
>>>>>> Baptiste Jonglez <git@bitsofnetworks.org> writes:
>> - there have been various bug reports [1, 2, 3] in 19.07 and 21.02
>> where ULA addresses basically break global IPv6 connectivity.  These
>> bugs have not been solved in several years, indicating a probable lack
>> of interest for ULA from the OpenWrt developer community.
> 
> Seems to be
> 
> a) a bug in MacOS.
> b) a bug reported in french, where my reading is that an he.net tunnel is
>   involved.  I don't see anything about ULAs here.
> c) a bug where a client didn't get a GUA, and not surprisingly, couldn't
>   ping the internet.
>   "so I suppose IP assignment is fine."
>   But they weren't because the router didn't assign a v6 prefix to the LAN.
> 
> Having ULAs available is critical to efforts to do HTTPS to the router.
> Please do not change this default.  

I’ve personally experienced on a linux client (running 5.18) a situation where ipv6 connectivity was lost, apparently because of foul play from ULA.

The most obvious symptom was: pinging a target ipv6 address resulted in a ping reply from the OpenWrt router’s ULA address with « Destination unreachable: Unknown code 5 », as below:

$ ping6 git.openwrt.org
PING git.openwrt.org(git-01.infra.openwrt.org (2a03:b0c0:3:d0::160e:e001)) 56 data bytes
From router.lan (fdc9:6d06:832a::1) icmp_seq=1 Destination unreachable: Unknown code 5
^C
--- git.openwrt.org ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

A traceroute would similarly stop at the router:

$ traceroute6 git.openwrt.org
traceroute to git.openwrt.org (2a03:b0c0:3:d0::160e:e001), 30 hops max, 80 byte packets
 1  router.lan (fdc9:6d06:832a::1)  2.392 ms !<5>  2.351 ms !<5>  2.333 ms !<5>

The issue was random. The client had a GUA assigned, below is the ipv6 routing table at the time of the issue:

$ ip -6 route
2a0e:e701:11c2::/64 dev bond0 proto kernel metric 256 expires 7082sec pref medium
fdc9:6d06:832a::/64 dev bond0 proto kernel metric 256 pref medium
fe80::/64 dev bond0 proto kernel metric 256 pref medium
fe80::/64 dev bond0.10 proto kernel metric 256 pref medium
default via fe80::184f:a7ff:fe21:d230 dev bond0 proto ra metric 1024 expires 1793sec mtu 1492 hoplimit 64 pref medium

For that matter, this setup only uses SLAAC (no DHCPv6 on LAN).

Disabling ULA « fixes » this issue.

HTH
T

One of the first things I do when I bring up a new OpenWrt box is to 
disable ULA to the LAN as it has not usage in most scenarios I think.
I basically use the IPv6 connectivity to receive a global prefix 
delegated from my ISP, install it on the LAN and bring global 
connectivity to devices behind it.

I hardly see scenarios where ULA are used - and I know there may be 
legitimate scenarios - but I don't think they are many that justifies to 
have ULA turned on by default.

I see no problem in turning it off and leave it as optional to be 
enabled for those cases

Fernando

On 08/09/2022 14:30, Michael Richardson wrote:
>>>>>> Baptiste Jonglez <git@bitsofnetworks.org> writes:
>      > ULA IPv6 prefixes (Unique Local Addresses, RFC 4193) are not routable
>      > on the Internet.  As such, they have very limited use, and enabling
>      > them by default causes more problems than it solves:
>
>      > - if an OpenWrt device already has external IPv6 connectivity with
>      > globally routable addresses, then ULA addresses are not useful.
>
> That's just not the case.
> ULAs are intended to be the IPv6 version of RFC1918, useable for local
> communications.
>
> Please go read RFC7084.
> ULAs are required, and OpenWRT has been a leader here.
>
> I strongly object to this proposal.
>
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Hi,

On 08-09-22, Michael Richardson wrote:
> 
> >>>>> Baptiste Jonglez <git@bitsofnetworks.org> writes:
>     > ULA IPv6 prefixes (Unique Local Addresses, RFC 4193) are not routable
>     > on the Internet.  As such, they have very limited use, and enabling
>     > them by default causes more problems than it solves:
> 
>     > - if an OpenWrt device already has external IPv6 connectivity with
>     > globally routable addresses, then ULA addresses are not useful.
> 
> That's just not the case.
> ULAs are intended to be the IPv6 version of RFC1918, useable for local
> communications.
> 
> Please go read RFC7084.
> ULAs are required, and OpenWRT has been a leader here.

Thanks for the pointer, I had forgotten about this one.

I just read it again.  ULAs should be supported, but there is no hard
requirement to use them by default.  Even ULA-1 is a SHOULD, not a MUST,
and it's only about generating a ULA prefix.

I see two main arguments for ULAs in this RFC:

1) Section 3.2.1: allowing local IPv6 communication when the home router
   manages several links and there is no global IPv6 connectivity.  If
   there is a single link, then the RFC agrees that "link-local addressing
   can be used instead".  This is a good use-case for ULAs, but I'm not
   sure whether the multi-link situation is really common, and if there
   are any applications that can take advantage of ULAs in this specific
   case.  In other words: how can clients coordinate when they are in
   different links and they have no global connectivity?  That does not
   sound easy.

2) Section 3.1: stability of local addresses, even when the global prefix
   delegated by the ISP might change.  This may work for IPv4 (192.168.1.1
   is stable and well-known), but that argument doesn't fly for IPv6: who
   would use "well-known" raw ULA IPv6 addresses?  Stable identifiers
   belong in the DNS, not in the IP layer.

Actually, my main concern about ULA is that they don't get enough exposure
among developers and power users, resulting in the kind of bugs I
mentioned going unnoticed and unfixed, which is not good for a default-on
feature.  As a matter of fact, I always disable ULA on my OpenWrt builds
(personal taste), and I suspect several other OpenWrt developers do the
same.

Baptiste

On 08-09-22, Michael Richardson wrote:
> 
> >>>>> Baptiste Jonglez <git@bitsofnetworks.org> writes:
>     > - there have been various bug reports [1, 2, 3] in 19.07 and 21.02
>     > where ULA addresses basically break global IPv6 connectivity.  These
>     > bugs have not been solved in several years, indicating a probable lack
>     > of interest for ULA from the OpenWrt developer community.
> 
> Seems to be
> 
> a) a bug in MacOS.

That's debatable, Linux should probably always use a link-local address as
source address for NDP (but I haven't checked whether it's legal or not to
use ULA here).

> b) a bug reported in french, where my reading is that an he.net tunnel is
>    involved.  I don't see anything about ULAs here.
> c) a bug where a client didn't get a GUA, and not surprisingly, couldn't
>    ping the internet.
>    "so I suppose IP assignment is fine."
>    But they weren't because the router didn't assign a v6 prefix to the LAN.

Both are actually the same issue.  I spent some time with Thibault
troubleshooting this issue on his setup, and it does look like a real bug
when using both ULAs and global addresses.  But since I don't have any use
for ULAs, I cannot dedicate time to debug it further and try to fix it.
Same for Thibault, he didn't actually have any use for ULA so he ended up
disabling them.  I suspect this is a rather common way of sidestepping the
issue.

> Having ULAs available is critical to efforts to do HTTPS to the router.
> Please do not change this default.  

How do ULAs relate to HTTPS?

Baptiste

On Thu, 8 Sep 2022 19:51:06 +0200
Thibaut <hacks@slashdirt.org> wrote:

> The issue was random. The client had a GUA assigned, below is the ipv6 routing table at the time of the issue:
> 
> $ ip -6 route
> 2a0e:e701:11c2::/64 dev bond0 proto kernel metric 256 expires 7082sec pref medium
> fdc9:6d06:832a::/64 dev bond0 proto kernel metric 256 pref medium

So AFAICS here lies the problem. Same metric, same preference.
The addresses below are usually tagged link local somewhere, but
I assume the ULA is not.

> fe80::/64 dev bond0 proto kernel metric 256 pref medium
> fe80::/64 dev bond0.10 proto kernel metric 256 pref medium
> default via fe80::184f:a7ff:fe21:d230 dev bond0 proto ra metric 1024 expires 1793sec mtu 1492 hoplimit 64 pref medium
> 
> For that matter, this setup only uses SLAAC (no DHCPv6 on LAN).
> 
> Disabling ULA « fixes » this issue.

Sure. Above, it looks like a game of chance which address is used.

From my understanding, router.lan would need to be told to do IPv6 NAT
if clients are to reach outside with their ULAs, right?

If I get a vote, I'd enable ULA generation only iff an IPv6 NAT was also
configured, and, last but not least, I wouldn't randomise it. I'd go for
e.g. fd00:4f57:5254 ("OWRT"), like all AVR use 192.168.178.0/24 on v4.

	Torsten

Hi,

pá 9. 9. 2022 v 11:21 odesílatel Torsten Duwe <duwe@lst.de> napsal:
>
> On Thu, 8 Sep 2022 19:51:06 +0200
> Thibaut <hacks@slashdirt.org> wrote:
>
> > The issue was random. The client had a GUA assigned, below is the ipv6 routing table at the time of the issue:
> >
> > $ ip -6 route
> > 2a0e:e701:11c2::/64 dev bond0 proto kernel metric 256 expires 7082sec pref medium
> > fdc9:6d06:832a::/64 dev bond0 proto kernel metric 256 pref medium
>
> So AFAICS here lies the problem. Same metric, same preference.
> The addresses below are usually tagged link local somewhere, but
> I assume the ULA is not.

When pinging a public IPv6 address the default route should be used.
This should have nothing to do with the two routes above
(2a03:b0c0:3:d0::160e:e001 IPv6 address has no match here).

> > fe80::/64 dev bond0 proto kernel metric 256 pref medium
> > fe80::/64 dev bond0.10 proto kernel metric 256 pref medium
> > default via fe80::184f:a7ff:fe21:d230 dev bond0 proto ra metric 1024 expires 1793sec mtu 1492 hoplimit 64 pref medium

This default route over bond0 should be actually used during pinging
of git.openwrt.org (2a03:b0c0:3:d0::160e:e001).

> > For that matter, this setup only uses SLAAC (no DHCPv6 on LAN).

When you are pinging global addresses, also global IPv6 address should
be used independently of the presence of ULA. For your public IPv6
prefix 2a0e:e701:11c2::/64 any ping outside should use the IPv6
address of your computer having this prefix. I would be interested in
which address is actually used during pinging. Please share your `ip
-6 address` too. And if possible, also please share `tcpdump -i bond0
-nv icmp6` while the computer is pinging. Important - all of this
assumes that you are delegating your public IPv6 prefix from the
router to all computers (I used to have a static IPv6 configuration on
my OpenWrt router with option `ip6prefix` for that purpose).

There is also a possibility that you mentioned - have NAT66 (ULA to
public IPv6 prefix translation) on the router. This means that you
could remove the public prefix delegation and just keep the ULA
configured. All computers would use the ULA prefix when accessing
public addresses. In this case you would need to change the firewall
and add the following SNAT rule to the NFT firewall for the srcnat_wan
chain:

  ip6 saddr fdc9:6d06:832a::/61 snat prefix to 2a0e:e701:11c2::/64

> >
> > Disabling ULA « fixes » this issue.

There is probably some different issue in your configuration, which
causes this behaviour.

Oldrich.

> Sure. Above, it looks like a game of chance which address is used.
>
> From my understanding, router.lan would need to be told to do IPv6 NAT
> if clients are to reach outside with their ULAs, right?
>
> If I get a vote, I'd enable ULA generation only iff an IPv6 NAT was also
> configured, and, last but not least, I wouldn't randomise it. I'd go for
> e.g. fd00:4f57:5254 ("OWRT"), like all AVR use 192.168.178.0/24 on v4.
>
>         Torsten
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

út 18. 10. 2022 v 16:43 odesílatel Oldřich Jedlička
<oldium.pro@gmail.com> napsal:
>
> Hi,
>
> pá 9. 9. 2022 v 11:21 odesílatel Torsten Duwe <duwe@lst.de> napsal:
> >
> > On Thu, 8 Sep 2022 19:51:06 +0200
> > Thibaut <hacks@slashdirt.org> wrote:
> >
> > > The issue was random. The client had a GUA assigned, below is the ipv6 routing table at the time of the issue:
> > >
> > > $ ip -6 route
> > > 2a0e:e701:11c2::/64 dev bond0 proto kernel metric 256 expires 7082sec pref medium
> > > fdc9:6d06:832a::/64 dev bond0 proto kernel metric 256 pref medium
> >
> > So AFAICS here lies the problem. Same metric, same preference.
> > The addresses below are usually tagged link local somewhere, but
> > I assume the ULA is not.
>
> When pinging a public IPv6 address the default route should be used.
> This should have nothing to do with the two routes above
> (2a03:b0c0:3:d0::160e:e001 IPv6 address has no match here).
>
> > > fe80::/64 dev bond0 proto kernel metric 256 pref medium
> > > fe80::/64 dev bond0.10 proto kernel metric 256 pref medium
> > > default via fe80::184f:a7ff:fe21:d230 dev bond0 proto ra metric 1024 expires 1793sec mtu 1492 hoplimit 64 pref medium
>
> This default route over bond0 should be actually used during pinging
> of git.openwrt.org (2a03:b0c0:3:d0::160e:e001).
>
> > > For that matter, this setup only uses SLAAC (no DHCPv6 on LAN).
>
> When you are pinging global addresses, also global IPv6 address should
> be used independently of the presence of ULA. For your public IPv6
> prefix 2a0e:e701:11c2::/64 any ping outside should use the IPv6
> address of your computer having this prefix. I would be interested in
> which address is actually used during pinging. Please share your `ip
> -6 address` too. And if possible, also please share `tcpdump -i bond0
> -nv icmp6` while the computer is pinging. Important - all of this
> assumes that you are delegating your public IPv6 prefix from the
> router to all computers (I used to have a static IPv6 configuration on
> my OpenWrt router with option `ip6prefix` for that purpose).
>
> There is also a possibility that you mentioned - have NAT66 (ULA to
> public IPv6 prefix translation) on the router. This means that you
> could remove the public prefix delegation and just keep the ULA
> configured. All computers would use the ULA prefix when accessing
> public addresses. In this case you would need to change the firewall
> and add the following SNAT rule to the NFT firewall for the srcnat_wan
> chain:
>
>   ip6 saddr fdc9:6d06:832a::/61 snat prefix to 2a0e:e701:11c2::/64

Sorry, typo here, prefix length should be 64 in both cases:

  ip6 saddr fdc9:6d06:832a::/64 snat prefix to 2a0e:e701:11c2::/64

Oldrich.

> > >
> > > Disabling ULA « fixes » this issue.
>
> There is probably some different issue in your configuration, which
> causes this behaviour.
>
> Oldrich.
>
> > Sure. Above, it looks like a game of chance which address is used.
> >
> > From my understanding, router.lan would need to be told to do IPv6 NAT
> > if clients are to reach outside with their ULAs, right?
> >
> > If I get a vote, I'd enable ULA generation only iff an IPv6 NAT was also
> > configured, and, last but not least, I wouldn't randomise it. I'd go for
> > e.g. fd00:4f57:5254 ("OWRT"), like all AVR use 192.168.178.0/24 on v4.
> >
> >         Torsten
> >
> >
> > _______________________________________________
> > openwrt-devel mailing list
> > openwrt-devel@lists.openwrt.org
> > https://lists.openwrt.org/mailman/listinfo/openwrt-devel