Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

dist/tools/sliptty/start_network.sh: IPv6 connectivity is broken on PC #14689

Open
trickeydan opened this issue Aug 3, 2020 · 14 comments
Open
Assignees
Labels
Area: network Area: Networking Area: tools Area: Supplementary tools Type: bug The issue reports a bug / The PR fixes a bug (including spelling errors)

Comments

@trickeydan
Copy link
Contributor

Description

dist/tools/sliptty/start_network.sh enables forwarding on all interfaces when running.

By default, Linux will ignore RAs on interfaces with forwarding enabled unless net.ipv6.conf.<interface>.accept_ra=2. This is sensible for security on routers.

It thus ignores RAs on my uplink interface and breaks connectivity.

Interestingly, this seems to be partially acknowledged in the script, as it sets the appropriate sysctl for the tun interface. See here

Arguably, enabling forwarding on all interfaces is very dangerous and potentially a security issue for users that are unfamiliar with Linux routing.

I am unsure of the best approach to take to fix this, as it is not clear why forwarding is activated for all interfaces!

@benemorius
Copy link
Member

The reason that forwarding is activated for all interfaces is that confusingly the Linux kernel doesn't allow enabling IPv6 routing for independent interfaces. To get any forwarding at all, net.ipv6.conf.all.forwarding must be set.

The accept_ra=2 workaround you've done is indeed the intended way to get your RAs back on the specific interface you need it from.

It's a hard problem to solve in a script because some knowledge about the network topology (which interface is the uplink?) is required. Suggestions are certainly welcome.

@trickeydan
Copy link
Contributor Author

Surely this script should work in line with all of the other start_network.sh? Those only enable forwarding on the BR interface, giving choice of forwarding to the user.

On systems with a poorly configured firewall, this script poses a serious risk in it's current state. It also breaks access to a fair amount of the internet.

Related to the inconsistency between scripts: #14618

@miri64
Copy link
Member

miri64 commented Aug 3, 2020

Surely this script should work in line with all of the other start_network.sh? Those only enable forwarding on the BR interface, giving choice of forwarding to the user.

Then the other scripts are wrong at least for Linux. @benemorius is right (and the linked doc backs him). While the variable exists for single interfaces, on Linux only setting net.ipv6.conf.all.forwarding is the only way to get forwarding enabled (you can check with radvd which will fail to start without forwarding enabled).

@miri64 miri64 self-assigned this Aug 3, 2020
@miri64 miri64 added Area: network Area: Networking Area: tools Area: Supplementary tools Type: bug The issue reports a bug / The PR fixes a bug (including spelling errors) labels Aug 3, 2020
@trickeydan
Copy link
Contributor Author

trickeydan commented Aug 4, 2020

@benemorius is right (and the linked doc backs him).

I acknowledge this. :)

Then the other scripts are wrong at least for Linux.

As it stands, changing this will break IPv6 connectivity on the other scripts too. As about a third of users have IPv6 these days, this will likely cause problems for more people.

Additionally, the other scripts use Layer 2 ethernet interfaces (tap for ethos, eth for cdc-ecm) which do not require forwarding to be enabled to reach nodes. If forwarding was required for these scripts, it would probably have been noticed by now.

Enabling forwarding on all interfaces on these scripts is likely to break things for a number of users, including myself and others doing work on RIOT at my University. I think it would be a massive shame to spread this issue to other scripts.

Side note: Theoretically you could enable forwarding for all interfaces, and set accept_ra=2 for the uplink(s), but it would be very difficult to determine and account for every network topology in use. Unfortunately we can't even look at interfaces with default routes, as there may be multiple default routes, and smaller routes down other interfaces too.

@miri64
Copy link
Member

miri64 commented Aug 4, 2020

See #10477 (comment).

@miri64
Copy link
Member

miri64 commented Aug 4, 2020

Additionally, the other scripts use Layer 2 ethernet interfaces (tap for ethos, eth for cdc-ecm) which do not require forwarding to be enabled to reach nodes. If forwarding was required for these scripts, it would probably have been noticed by now.

You could just configure the forwarding according to the uplink.

@trickeydan
Copy link
Contributor Author

You could just configure the forwarding according to the uplink.

My main concern with this is that often the first experience of RIOT that someone has is using one of the example programs, e.g examples/gnrc_border_router. If the user does not have knowledge of how forwarding works on Linux, all they will notice is that their connectivity has broken. If these changes are made, then it would need to be very well documented. This documentation should include the security risk that comes with enabling IP forwarding on systems with a firewall that is not configured for it (i.e desktop distros).

It would be a massive shame if the examples were no longer as simple to use as make all flash term.

@miri64
Copy link
Member

miri64 commented Aug 4, 2020

If the user does not have knowledge of how forwarding works on Linux, all they will notice is that their connectivity has broken.

I don't experience any broken connectivity when using this script, so I am not clear on what you mean by that. Please clarify.

@trickeydan
Copy link
Contributor Author

I don't experience any broken connectivity when using this script, so I am not clear on what you mean by that. Please clarify.

As mentioned previously by myself further up in the issue, when IPv6 forwarding is enabled on an interface, Linux will by default ignore RAs on that interface. This means that IPv6 connectivity to the wider internet is lost when forwarding is enabled and no further action is taken (i.e accept_ra=2). As about a third of users now use IPv6 (and some internet services are IPv6-only), not having IPv6 connectivity is an issue for many.

I noticed this issue as my SSH connection to a server dropped when this script was ran. My laptop had dropped the IPv6 default route from my router as it was ignoring RAs, later I lost the IPv6 address too (also due to lack of RA).

@miri64
Copy link
Member

miri64 commented Aug 4, 2020

Ah sorry, I did not read carefully enough 😕. Fact is, for a border router (what this script effectively wants to enable) forwarding capabilities are required, especially if one wants to use it as e.g. @benpicco does in #14676 (as said: RAdvD requires forwarding to be enabled, not sure if it is happy with "enabling" forwarding only on the operating interface is enough). As in my desired fix for #14618 everything those script do could be configured via CLI parameter how about this: only enable forwarding when a -f option is provided + setting accept_ra=2 for all interfaces (for iface in $(ip link) ...) in that case.

@trickeydan
Copy link
Contributor Author

only enable forwarding when a -f option is provided + setting accept_ra=2 for all interfaces (for iface in $(ip link) ...)

This sounds like a good solution to me. 👍

It could potentially be nice to warn if a layer 3 interface (SLIP or similar) is used without the -f option being given. This would hopefully allow users to be able to work out why packets aren't being forwarded across the interface, although that is more in scope of #14618.

@benemorius
Copy link
Member

@miri64 do you have any near plans to address this? It's not been high on my list but I can do it. I think your proposed solution is fine, and better then current master.

@miri64
Copy link
Member

miri64 commented Sep 11, 2020

@benemorius I work on it whenever I find some time. First step (#14881 #14928) is already merged.

@maribu
Copy link
Member

maribu commented May 18, 2023

@miri64: With #14928 and #15087 merged, can this be considered fixed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: network Area: Networking Area: tools Area: Supplementary tools Type: bug The issue reports a bug / The PR fixes a bug (including spelling errors)
Projects
None yet
Development

No branches or pull requests

5 participants