[Bug 1858503] Re: Netplan should default accept-ra to false when gateway6 is configured

XSpielinbox 1858503 at bugs.launchpad.net
Wed Dec 14 14:43:39 UTC 2022 

** Also affects: netplan.io (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to netplan.io in Ubuntu.
Matching subscriptions: foundations-bugs
https://bugs.launchpad.net/bugs/1858503

Title:
  Netplan should default accept-ra to false when gateway6 is configured

Status in netplan:
  New
Status in netplan.io package in Ubuntu:
  New

Bug description:
  Netplan has an option, accept-ra, which controls whether IPv6 Router
  Advertisements are accepted. When unset, it uses the kernel's default.
  (Presumably, when accept-ra is unset in the configuration, netplan
  simply doesn't set accept_ra on the interface, which leads to the
  kernel's default being used.) The kernel's default is to accept RAs.

  This behavior is both dangerous and surprising in static IPv6
  configurations.

  I propose that accept-ra default to false when a gateway6 is
  configured. In other words, keep the current behavior of always
  honoring an explicit accept-ra setting, but if accept-ra is not set,
  then set accept_ra to false if and only if gateway6 is specified.

  The danger is as follows: if _any_ device in the layer 2 broadcast
  domain (VLAN) decides to start sending RAs, then the current defaults
  are such that systems accept it and send their traffic to that device.

  This has bit us a couple of times. Our VPN server runs radvd due to
  (non-standard) Windows client behavior. Due to how IPsec works (i.e.
  not having separate interfaces), radvd needs to be configured to use
  the VPN server's Ethernet interface. This requires firewall rules to
  prevent the RAs from leaking out. If we break those and RAs leak, the
  other servers on that network accept the RAs and thus break. We are
  making changes to the VPN setup to eliminate the RAs now that Windows
  10 lets us set routes in the VPN profile via PowerShell and we no
  longer care about Windows 7, but that's beside the point. It isn't
  always feasible to isolate servers into separate broadcast domains,
  nor should that be as necessary as it is with the current netplan
  behavior.

  This behavior is surprising for a couple of reasons. First off, IPv4
  does not behave in an analogous way. Second, if I have statically
  configured a gateway, why would I expect my system to use a different
  gateway? If the system administrator has configured a static IPv6
  gateway, the liklihood of them wanting to accept RAs is very low.

  I'm not sure of their relative order, but the two most common (non-
  DHCP) scenarios are surely A) SLAAC for addressing + RA for gateway
  and B) static addressing + static gateway. Having a static gateway +
  RAs is an uncommon use case. Still, my proposal is not to prohibit
  static gateway + accept RAs, but to change the default. With my
  proposed change, those in the uncommon case of wanting a static
  gateway + accept RAs would set "accept-ra: true", as opposed to now,
  where those in a very common case of static gateway need to set
  "accept-ra: false" to be safe.

  To be clear, RAs _are_ disabled on my router, of course. But that
  doesn't prevent other devices on the layer 2 network from generating
  RAs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/netplan/+bug/1858503/+subscriptions

More information about the foundations-bugs mailing list