[Bug 555210] Re: Please assign global scope to RFC 1918 addresses in getaddrinfo()
Bug Watch Updater
555210 at bugs.launchpad.net
Wed May 25 21:19:30 UTC 2011
Launchpad has imported 5 comments from the remote bug at
http://sourceware.org/bugzilla/show_bug.cgi?id=11438.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2010-03-28T15:46:10+00:00 Tore Anderson wrote:
Back in 2003, the sorting algorithm used by getaddrinfo() was defined in RFC
3484. However, this document did not take into account (or foresee) the
ubiquity of IPv4 NAT on today's internet. This in turn causes some real
operational problems that's hindering the deployment of IPv6 for content
providers.
The problem scenario is the following:
An end user is located in a network numbered with private (RFC 1918) IPv4
addresses and transitional 6to4 (RFC 3056) IPv6 addresses. The network is
connected to the internet by a CPE/SOHO device implementing NAT for IPv4 and
anycasted 6to4 (RFC 3068) for IPv6.
When the user attempts to connect to a server whose hostname has both IPv4 and
IPv6 addresses published in DNS, an IPv6 connection using the transitional 6to4
service will be preferred. This happens because the scope comparsion fails for
IPv4, the RFC 1918 addresses are assumed to have site-local scope, which is
smaller than the global scope of the server's IPv4 address. For IPv6, both the
server's and the client's (6to4) address have global scope.
Unfortunately, the operational reality is that a transitional technique such as
6to4 is much less reliable than IPv4. The relay routers might be located far
away from the optimal IPv4 path, and thus cause a significant latency increase,
or they might not even work optimally (they're usually operated by voulenteering
third parties on a best-effort basis), and finally some ISPs simply filter away
all proto-41 traffic. Transitional techniques are useful to give end users with
IPv4-only service a real shot at accessing IPv6-only content, but it should
never be preferred over IPv4 service when accessing dual-stacked content.
RFC 3484 even acknowledges this, by saying to «avoid the use of transitional
addresses when native addresses are available».
An IETF draft document which describes the problem in a much more detailed
manner than I have is available here:
http://tools.ietf.org/html/draft-denis-v6ops-nat-addrsel-00
There's also an IETF draft that aims to revise RFC 3484 in order to fix this
problem (amongst others):
http://tools.ietf.org/html/draft-arifumi-6man-rfc3484-revise-02
Quoting from this document:
> 2.7. To change private IPv4 address scope
>
> As detailed in Remi's draft [I-D.denis-v6ops-nat-addrsel], when a
> host is in NATed site, and has a private IPv4 address and
> transitional addresses like 6to4 and Teredo, the host chooses
> transitional IPv6 address to access most of the dual-stack servers.
>
> This is because private IPv4 address is defined to be site-local
> scope, and as in RFC 3484, the scope matching rules (Rule 2) set
> lower priority for private IPv4 address.
>
> By changing the address scope of private IPv4 address to global, this
> problem can be solved.
A few other getaddrinfo() implementations have already made this change, for
instance FreeBSD (cf. http://lists.freebsd.org/pipermail/cvs-all/2004-
May/066752.html) and Microsoft. Considering that RFC 3484 was written by
Microsoft, I think this is an admission that this is a real problem with the
original specification.
The glibc maintainers has shown willingness before to adjust the RFC 3484
getaddrinfo() implentation in order to better deal with operational realities,
instead of blindly following the original specification to the letter:
http://people.redhat.com/drepper/linux-rfc3484.html
See under «The BIG Problem». Indeed, the fundamental problem being worked here
is the same as the one I'm describing - namely that RFC 3484 assumes that RFC
1918-based addresses cannot communicate with hosts on the global internet.
I have been doing some measurements of IPv6-related brokenness in the last few
months, and the conclusion is that almost all of the problems are due to
improper preference for transitional IPv6 connections. In particular, Apple's
Mac OS X suffers from the exact same problem as glibc, and I've explained the
operational impact in more detail on Apple's IPv6 mailing list:
http://lists.apple.com/archives/ipv6-dev/2010/Mar/msg00003.html
You might also be interested in my February report available here:
http://thread.gmane.org/gmane.org.operators.ipv6/2934
Check the second message to see the impact of taking OS X out of the equation.
I've posted monthly brokenness reports to the ipv6-ops list in question for a
while now, you'll find them easily by searching for posts by me in Gmane's
interface.
A glibc user can work around the problem by adding the following lines to
/etc/gai.conf:
scopev4 ::ffff:10.0.0.0/104 14
scopev4 ::ffff:172.16.0.0/108 14
scopev4 ::ffff:192.168.0.0/112 14
However, average end users with internet connectivity through NAT-ed RFC 1918-
numbered networks cannot be expected to make such a change themselves. They
will likely just experience this as unexplained failures when connecting to
certain (dualstacked) sites, possibly also realising that this is not a problem
in alternative operating systems. This is far from optimal, so I therefore
request that glibc's default behaviour is changed according to the RFC 3484
revision draft by assigning the global scope to RFC 1918-based addresses.
Best regards,
Tore Anderson
Reply at: https://bugs.launchpad.net/glibc/+bug/555210/comments/0
------------------------------------------------------------------------
On 2010-03-28T15:46:59+00:00 Tore Anderson wrote:
Created attachment 4685
Suggested patch (untested but obvious)
Reply at: https://bugs.launchpad.net/glibc/+bug/555210/comments/1
------------------------------------------------------------------------
On 2010-04-04T01:08:19+00:00 Drepper-fsp wrote:
I don't want to make changes which haven't been decided. Yes, there is a
problem. I've documented the necessary changes in the gai.conf file. It's easy
enough to install a file like that. Distributions can do that.
I'm suspending the bug. Change the state when any of the proposals are
accepted.
Reply at: https://bugs.launchpad.net/glibc/+bug/555210/comments/2
------------------------------------------------------------------------
On 2010-04-16T09:23:24+00:00 Tore Anderson wrote:
Hi Ulrich, and thanks for your feedback. I've brought the problem up with a
couple of major distributions (Fedora and Ubuntu), and they've both applied the
change, so it will be part of both Fedora 13 and Ubuntu 10.04 LTS.
I've also just realised that the current practise of assigning non-global scope
to rfc1918-addreses is more broken than what I first thought - if a host has
only link-local IPv6 addresses in addition to (NAT-ed) RFC1918 IPv4 addresses,
the link-local IPv6 address will be preferred for the outbound connection to a
dual-stacked server with (both IPv6 and IPv4 addresses globally scoped). I had
to read rule 2 in RFC3484 many times before actually believing this is the RFC-
mandated behaviour. But even if it is, it is obivously not the right thing to
do.
So I'm hoping that in light of this you might reconsider making the change prior
to the completion of the IETF standardisation process. I could attempt to
persuade all the distributors to carry the change locally, but given the
multitude of distributions out there I think it would be much more efficient to
simply fix it in glibc centrally.
Thanks for your time!
Best regards,
Tore Anderson
Reply at: https://bugs.launchpad.net/glibc/+bug/555210/comments/8
------------------------------------------------------------------------
On 2010-04-16T13:27:12+00:00 Drepper-fsp wrote:
(In reply to comment #3)
> So I'm hoping that in light of this you might reconsider making the change prior
> to the completion of the IETF standardisation process.
No, I won't. I won't change something just to change it to something else if
the official decisions come out differently.
Reply at: https://bugs.launchpad.net/glibc/+bug/555210/comments/10
** Changed in: glibc
Importance: Unknown => Medium
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/555210
Title:
Please assign global scope to RFC 1918 addresses in getaddrinfo()
Status in The GNU C Library:
Incomplete
Status in “eglibc” package in Ubuntu:
Fix Released
Status in “eglibc” source package in Lucid:
Fix Released
Status in “eglibc” package in Debian:
Fix Released
Bug description:
Currently, glibc's getaddrinfo()-implementation will prefer
transitional IPv6 connectivity (e.g. 6to4) above RFC 1918/NAT-based
IPv4. Unfortunately, unnecessary use of transitional IPv6
connectivity (which quite often does not work properly) is the single
largest reason for client loss (end users being unable to connect)
when dual-stacking web sites. See for example my measurements that
are posted at <http://thread.gmane.org/gmane.org.operators.ipv6/3248>.
This behaviour is holding back the entire IPv6 rollout for web site
operators, as deploying it will currently cut of access to the site
for a not insignificant amount of users.
The problem is that RFC 3484 did not take into account the existence
of IPv4 NAT, assuming that RFC 1918-based IPv4 addresses is unable to
communicate with hosts on the global internet. As we all know, this
is usually not the case - most home broadband deployments involve a
CPE device that does NAT, and the end users' devices are usually
numbered using RFC 1918-based addresses.
Rémi Denis-Courmount has written about the underlying problems at
length here:
http://tools.ietf.org/html/draft-denis-v6ops-nat-addrsel-00
There is also a current draft that attempts to fix the issue properly:
http://tools.ietf.org/html/draft-arifumi-6man-rfc3484-revise-02
Quoting from this document:
> 2.7. To change private IPv4 address scope
>
> As detailed in Remi's draft [I-D.denis-v6ops-nat-addrsel], when a
> host is in NATed site, and has a private IPv4 address and
> transitional addresses like 6to4 and Teredo, the host chooses
> transitional IPv6 address to access most of the dual-stack servers.
>
> This is because private IPv4 address is defined to be site-local
> scope, and as in RFC 3484, the scope matching rules (Rule 2) set
> lower priority for private IPv4 address.
>
> By changing the address scope of private IPv4 address to global, this
> problem can be solved.
In fact, both FreeBSD and Microsoft has already made this change. It
is quite telling that it was Microsoft who authored RFC 3484 to begin
with, so I regard that a clear admission that the RFC has problems in
this regard.
I have requested that the upstream glibc make the change:
http://sourceware.org/bugzilla/show_bug.cgi?id=11438
However, the feedback I got from Ulrich Drepper was basically that
while he agrees with me that there is a real problem here, he is
reluctant to make the change before the standardisation process has
finished. However, he do go on to suggest that the distributions
could work around the problem in the meanwhile.
I request that Ubuntu do exactly that. Time is of the essence; some
predict that we're running out of IPv4 addresses within a year (cf.
http://ipv4depletion.com) and so we need to get the IPv6 rollout going
as soon as possible. To do that, though, we first need to fix the
operational issues that holds it back - and this is one of them.
Thanks for considering!
Tore
More information about the foundations-bugs
mailing list