NetworkManager 1.36.6 no longer prefers DHCPv6 addresses over SLAAC
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
NetworkManager |
Fix Released
|
Unknown
|
|||
network-manager (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
* Impact
The recent SRU created a regression in IPv6 routing order
* Test Case
1. Connect to a network where the router sends "A" and "M" bits in the RA's and has a DHCPv6 server running (e.g. any OpenWrt router).
2. When running `ip -6 a`, the list now sorts SLAAC addresses above DHCPv6 addresses. With NetworkManager 1.36.4 and earlier, this was not the case. (The Linux kernel uses the address highest in the list as preferred.)
3. When running something like `curl ifconfig.co`, the SLAAC address is being returned, which makes sense as that is now preferred by the kernel. (But it shouldn't be.)
Desired behaviour:
NetworkManager should always sort DHCPv6 addresses above SLAAC addresses, as is the case for all versions prior to 1.36.6 and also corrected again in 1.38.0. In case static addresses are manually set, those should take first priority, with DHCPv6 second and SLAAC/autoconf last.
* Regression potential
The patch change the IPv6 addresses order to match the behaviour from the previous version. If that was buggy the routing order would still be wrong, so we should check that IPv6 setups behave as expected.
-------
Situation:
My network has both DHCPv6 and SLAAC (autoconf) for IPv6. From a privacy perspective, for readability reasons and for network management policies, DHCPv6 should *always* be preferred over SLAAC addresses when available. And according to RFC 6724, the smaller /128 scope of the DHCPv6 address should be chosen over the larger /64 scope of the SLAAC address.
NetworkManager has always been able to adhere to that by simply setting ip6.privacy=0 for the connection (in nm-connection-
So if you would - for instance - run `curl ifconfig.co`, the DHCPv6 address would be used to connect to the outside world and be echoed back.
Regression:
Since the update to 1.36.6, this is no longer the case. NetworkManager now routes outgoing traffic through the SLAAC address, even if ip6.privacy=0 is set for the connection.
Constantly removing the SLAAC addresses with `ip addr del` or disabling SLAAC RA's on the router are now the only ways to stop NetworkManager from preferring SLAAC over DHCPv6. None of the local options in NetworkManager 1.36.6 are able to restore the previous, desired and correct way of working: the SLAAC address should never be used as the preferred address if a DHCPv6 lease is given.
Looking at the changelog of NetworkManager 1.36.6, multiple things regarding IP address order and temporary addresses have been changed in that release, any of them (or a combination) introducing this bug:
* Fix a bug in synchronization of IP addresses with kernel that could lead to a wrong address order.
* Ignore addresses from DHCPv6 when the Otherconf router advertisement flag is set.
* Ensure temporary IPv6 addresses are removed on disconnect and reapply.
https:/
Steps to reproduce:
1. Connect to a network where the router sends "A" and "M" bits in the RA's and has a DHCPv6 server running (e.g. any OpenWrt router).
2. When running `ip -6 a`, the list now sorts SLAAC addresses above DHCPv6 addresses. With NetworkManager 1.36.4 and earlier, this was not the case. (The Linux kernel uses the address highest in the list as preferred.)
3. When running something like `curl ifconfig.co`, the SLAAC address is being returned, which makes sense as that is now preferred by the kernel. (But it shouldn't be.)
Desired behaviour:
NetworkManager should always sort DHCPv6 addresses above SLAAC addresses, as is the case for all versions prior to 1.36.6 and also corrected again in 1.38.0. In case static addresses are manually set, those should take first priority, with DHCPv6 second and SLAAC/autoconf last.
Implications:
This can break many real-life use cases. For instance, my router gives out static leases to my machines. Those addresses are whitelisted in all kinds of firewalls to allow me to access servers for my work. Now that the "wrong" address is being preferred for outgoing traffic (a SLAAC address that I have no influence on and cannot centrally configure), I am being locked out of the servers in question unless I forcefully remove the addresses or disable SLAAC on my router, so my outgoing traffic is being routed through the DHCPv6 address again.
Note that "just disabling SLAAC RA's on the router" is not something everybody can do, as it requires root access to the device. Moreover, it would break IPv6 connectivity entirely for devices that don't support DHCPv6 (read: Android).
Conclusion:
So this update introduces a very breaking change in IPv6 source address selection to an LTS release, while LTS releases should be stable.
I should note that the bug is not present in NetworkManager 1.38.0 on Debian sid. That just prefers DHCPv6 addresses when available, like it should. As that version is also used in Ubuntu kinetic, most likely this bug is not present there.
Looking at the changelog of 1.38.0:
* Fix bug setting priority for IP addresses.
* Static IPv6 addresses from "ipv6.addresses" are now preferred over addresses from DHCPv6, which are preferred over addresses from autoconf. This affects IPv6 source address selection, if the rules from RFC 6724, section 5 don't give a exhaustive match.
https:/
It looks like Ubuntu just introduced that bug by upgrading to 1.36.6, while a proper fix has only landed in 1.38.0, leaving the 1.36.x series now broken. Please either backport the fix from 1.38.0 or revert to 1.36.4, which was working fine.
System information:
/etc/os-release:
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 LTS (Jammy Jellyfish)"
VERSION_
ID=ubuntu
ID_LIKE=debian
HOME_URL="https:/
SUPPORT_URL="https:/
BUG_REPORT_URL="https:/
PRIVACY_
UBUNTU_
apt info network-manager:
Package: network-manager
Version: 1.36.6-0ubuntu1
More background here: https:/
description: | updated |
description: | updated |
description: | updated |
tags: | added: jammy |
description: | updated |
description: | updated |
description: | updated |
summary: |
- DHCPv6 addresses are no longer preferred over SLAAC addresses + NetworkManager 1.36.6 orders IPv6 addresses incorrectly |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
tags: | added: regression-update |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
summary: |
- NetworkManager 1.36.6 orders IPv6 addresses incorrectly + NetworkManager 1.36.6 no longer prefers DHCPv6 addresses over SLAAC |
tags: | added: rls-jj-incoming |
Changed in network-manager: | |
status: | Unknown → New |
Changed in network-manager: | |
status: | New → Fix Released |
tags: | removed: rls-jj-incoming |
Comparing the output of `ip -6 a`, you can see that the dynamic addresses are no longer at the top of the list, where they should be.
Before (network-manager 1.36.4):
2: eno0: <BROADCAST, MULTICAST, UP,LOWER_ UP> mtu 1500 state UP qlen 1000 xxxx::bd0/ 128 scope global dynamic noprefixroute xxxx::bd0/ 128 scope global dynamic noprefixroute xxxx:0: 9875:4dec: b9f9:e768/ 64 scope global noprefixroute xxxx:0: f802:2428: 9af1:dcb3/ 64 scope global noprefixroute ec4c:fddb: 3c89/64 scope link noprefixroute
inet6 2a10:3781:
valid_lft 43193sec preferred_lft 43194sec
inet6 fd10:3781:
valid_lft 43193sec preferred_lft 43194sec
inet6 fd10:3781:
valid_lft forever preferred_lft forever
inet6 2a10:3781:
valid_lft forever preferred_lft forever
inet6 fe80::36e2:
valid_lft forever preferred_lft forever
After (network-manager 1.36.6):
2: eno0: <BROADCAST, MULTICAST, UP,LOWER_ UP> mtu 1500 state UP qlen 1000 xxxx:0: 9875:4dec: b9f9:e768/ 64 scope global noprefixroute xxxx:0: f802:2428: 9af1:dcb3/ 64 scope global noprefixroute xxxx::bd0/ 128 scope global dynamic noprefixroute xxxx::bd0/ 128 scope global dynamic noprefixroute ec4c:fddb: 3c89/64 scope link noprefixroute
inet6 fd10:3781:
valid_lft forever preferred_lft forever
inet6 2a10:3781:
valid_lft forever preferred_lft forever
inet6 2a10:3781:
valid_lft 43194sec preferred_lft 43194sec
inet6 fd10:3781:
valid_lft 43194sec preferred_lft 43194sec
inet6 fe80::36e2:
valid_lft forever preferred_lft forever
On another machine with Debian sid and network-manager 1.38.0, it looks the way it should be again (dynamic addresses at the top of the list, preferred to autoconfigured / temporary addresses):
2: wlan0: <BROADCAST, MULTICAST, UP,LOWER_ UP> mtu 1500 state UP qlen 1000 xxxx::5bf/ 128 scope global dynamic noprefixroute xxxx::5bf/ 128 scope global dynamic noprefixroute xxxx:0: 42cd:4f1b: 89b8:77fd/ 64 scope global noprefixroute xxxx:0: 8a59:df52: 9ea1:e7c8/ 64 scope global noprefixroute 71dc:f10e: 924e/64 scope link noprefixroute
inet6 fd10:3781:
valid_lft 43193sec preferred_lft 43193sec
inet6 2a10:3781:
valid_lft 43193sec preferred_lft 43193sec
inet6 2a10:3781:
valid_lft forever preferred_lft forever
inet6 fd10:3781:
valid_lft forever preferred_lft forever
inet6 fe80::a738:
valid_lft forever preferred_lft forever
So this bug was not present in NetworkManager 1.36.4, introduced in 1.36.6, and then fixed in 1.38.0.
The correct order for IPv6 addresses should be:
1. Static addresses (if present)
2. DHCPv6 addresses (shown as 'dynamic' with ip -6 a)
3. Temporary SLAAC addresses (in case IPv6 Privacy Extensions are enabled, otherwise not present)
4. Global SLAAC addresses (the long ones with :0: after the network part ending with /64)
With NetworkManager 1.36.6 the order is now 3 > 4 > 1 > 2.
I guess these commits are relevant:
https:/ /gitlab. freedesktop. org/NetworkMana ger/NetworkMana ger/-/commit/ c631aa48f034ade 2b5cb97ccc4462d 56d80174e7
https:/ /gitlab. freedesktop. org/NetworkMana ger/NetworkMana ger/-/commit/ 257221d1986b56c bb2e329fcc74a2d aca145b7aa
Bottom line: addresses are now...