[Bug 986395] New: NFS client is using temp IPv6 address for mount
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395 Bug ID: 986395 Summary: NFS client is using temp IPv6 address for mount Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: bnc-team-screening@forge.provo.novell.com Reporter: christian.deckelmann@microfocus.com QA Contact: qa-bugs@suse.de CC: jbohac@suse.com, mt@suse.com Found By: --- Blocker: --- Hi, the NFS client is using the privacy IPv6 address to mount from a NFS server. This breaks the mount when the privacy IPs are renewed periodically Solution could be to implement RFC 5014 in the NFS client application. That would allow the client to not use the privacy IP as source for an NFS mount. Same could be implemented for other clients hat rely on stable connections for a long time. Thanks, Christian -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
Chenzi Cao
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c1
Neil Brown
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c2
--- Comment #2 from Marius Tomaschewski
Hi,
the NFS client is using the privacy IPv6 address to mount from a NFS server. This breaks the mount when the privacy IPs are renewed periodically ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
They're _not_ renewed, but _deleted_. Only "normal" non-temporary dhcp6 and auto6 [$prefix:eui64_from_mac] addresses are renewed. When the preferred_lft reached 0, a new temp ($prefix:$random) address is added to the interface (-> for new connections) and the old one gets a deprecated flag. Once the valid_lft reached 0, an address is deleted.
Solution could be to implement RFC 5014 in the NFS client application.
Yes, there is also an examples showing the (socket and) getaddrinfo flags to set causing to filter out or to prefer (as in the example) temp addresses (e.g. in a web browser) in source address selections. -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c3
--- Comment #3 from Neil Brown
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c4
--- Comment #4 from Neil Brown
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c11
--- Comment #11 from Marius Tomaschewski
But how often? RFC4941 doesn't list a minimum for TEMP_VALID_LIFETIME or TEMP_PREFERRED_LIFETIME, just recommended defaults of 1 week and 1 day. Cycling every 6 hours would probably be safe
IMO, it would not be safe at all. The defaults are veeeery long (and the defaults are similar to e.g. IEEE defaults for bridge STP causing up to 50s delay before forwarding packets or sleep(random(1..10s)) before dhcp4 starts to do anything. In practice, it is probably more common to use e.g. valid lifetime of 1hour. I'd not make any assumption about the times, but read the lifetime from the address. What would be probably doable is to a) prefer to use non-temporary addresses and (if there is none [a clear corner case]) b) start to switch over to a new temporary-address when the preferred lft reached 0 (still usable for existing connections until valid lft goes to 0). The temporary / privacy addresses are assigned additionally to non-temporary. IMO there is currently no autoconf option in the kernel to assign a privacy address only, that is, there is basically always a non-temporary / renewable [e.g. MAC based EUI64] address. When the user is using not using autoconf, but only dhcp6 and assigns only a temp addr, you can IMO assume he knows what he is doing and does not want to use nfs/persistent connections at all or he misconfigured the box. -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c12
--- Comment #12 from Neil Brown
... but read the lifetime from the address.
as far as I can tell there is no interface to do this. With a bit of effort I could probably get a list of interfaces, then a list of addresses for each interface together with their lifetimes. Then compare the address I got when I bound my socket to each of these to deduce the lifetime of the address. But that is awfully clumsy. Always requesting a public address is certainly possible but seems to go explicitly against the configuration choice to use temporary private addresses for outgoing connections. I'm currently tempted to not change anything. Once the local address does expire the client will stop getting replies from the server, will timeout, and will reconnect. It should then get a new address. This should only take about 2 minutes, and should only happen if there has been constant traffic, with no gap of 5 minutes, for the entire lifetime of the temporary address. I need to test that this is what actually happens. If it is, I would need a very strong arguement for making any change given how clumsy such a change would have to be. -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c13
--- Comment #13 from Neil Brown
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c15
--- Comment #15 from Neil Brown
You're sure you haven't just overlooked something?
No, I'm not. I haven't been able to reproduce it. Other things are weird though. It seems fairly easy to trigger the IPv6: ipv6_create_tempaddr: regeneration time exceeded - disabled temporary address support message, which seems like it should be nearly impossible on a network with half a dozen hosts. And "ip -6 addr" reports e.g. inet6 2406:3400:c:15:7036:9572:6256:d431/64 scope global temporary dynamic valid_lft 277sec preferred_lft 14177sec so the preferred_lft is larger than the valid_lft. # grep . /proc/sys/net/ipv6/conf/eth0/temp_* /proc/sys/net/ipv6/conf/eth0/temp_prefered_lft:120 /proc/sys/net/ipv6/conf/eth0/temp_valid_lft:500 so preferred_lft should be less than 120. A couple of minutes later it says: valid_lft 155sec preferred_lft 0sec so it jumped to 0 (and became 'deprecated') rather quickly. but now establishing an IPv6 connection doesn't create a new temp address, but just uses the permanent one. When I do have an NFS connection from a temporary address, and the temp address becomes invalid, I've seen "time ls -l /mnt" take 14 minutes, thought 3.5 is more common. I don't think the NFS client does ever disconnect itself. It just waits for the networking layer to break the connection. Yes, I saw the thread on "research" thanks. There is definitely something wrong, and not having temp_addresses as the default would probably be the best fix. I'm starting to lean towards just telling NFS to always request a public address... OK, more weirdness.. My temp address became valid_lft 0sec preferred_lft 14100sec so it shouldn't work any more. and "ls -l" blocked for 210 seconds. Now that same temporary address is working again. The 'valid_lft' is 228sec. It never became deprecated. It just stopped working for a while, then started again. I think I want to say "temporary addresses are obviously buggy, they shouldn't be used.." -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c17
--- Comment #17 from Marius Tomaschewski
Always requesting a public address is certainly possible but seems to go explicitly against the configuration choice to use temporary private addresses for outgoing connections.
But is the right way to use in nfs client case IMO. While RFC3484 defined, that a public address is preferred over a temporary, RFC 6724 changes the default is to prefer temporary address (-> #section-5 and changes summary in appendix-B), but it is completely fine and _correct_ when the application does not use the defaults due to it's requirements, e.g.: https://tools.ietf.org/html/rfc6724#section-5 Implementations MUST provide a mechanism allowing an application to reverse the sense of this preference and prefer public addresses over temporary addresses (e.g., via appropriate API extensions such as [RFC5014]). Use of the mechanism MUST only affect the selection rules for the invoking application. Even the Privacy Extensions RFC 4941 considers this, e.g. section-3.6: The use of temporary addresses may cause unexpected difficulties with some applications. [...] In addition, some applications may not behave robustly if temporary addresses are used and an address expires before the application has terminated, or if it opens multiple sessions, but expects them to all use the same addresses. section-6: The determination as to whether to use public versus temporary addresses can in some cases only be made by an application. (In reply to Neil Brown from comment #15)
A couple of minutes later it says:
valid_lft 155sec preferred_lft 0sec so it jumped to 0 (and became 'deprecated') rather quickly. ... OK, more weirdness.. My temp address became valid_lft 0sec preferred_lft 14100sec
preferred_lft 0 is deprecated and should not be used for new connections; the kernel is even permitted to remove it _when_ there are no connections using it (. If valid_lft reaches 0 the address is not valid any more and prefered_lft > valid_lft is invalid lifetime. When something (e.g. router RA) contains a valid_lft 0, it is request to remove things (e.g. a prefix not valid any more). Sending prefered_lft 0 is kind of "scheduled removal". Your "valid_lft 0sec preferred_lft 14100sec" could be even be related to all this, but some cleanup code is not implemented properly.
I think I want to say "temporary addresses are obviously buggy, they shouldn't be used.."
:-) There were many changes in this area in 4.2/4.4 kernel. -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c18
--- Comment #18 from Neil Brown
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
Ludwig Nussel
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c19
--- Comment #19 from Neil Brown
But is the right way to use in nfs client case IMO.
I'm coming around to you point of view. I've sent the attached patch upstream. If there is no disagreement, I'll apply it to 12-SP2. -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c20
--- Comment #20 from Ludwig Nussel
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c21
Neil Brown
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
Swamp Workflow Management
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.suse.com/show_bug.cgi?id=986395
http://bugzilla.suse.com/show_bug.cgi?id=986395#c23
--- Comment #23 from Swamp Workflow Management
participants (1)
-
bugzilla_noreply@novell.com