> On Jun 19, 2025, at 6:00 AM, Karl Denninger <k...@denninger.net> wrote: > > Resurrecting an older thread.... > >
Can you please point me to the thread ? I'd like to gather more context from
that.
> I have Kub Fiber here and have run into an interesting problem I've not seen
> on anything else (this same config, absent dhcpcd but on the stock FreeBSD
> config, worked fine on both Cox and Spectrum without changes.)
>
> On a first use dhcpcd gets both IPv4 and IPv6 addresses, but sometimes the
> IPv4 side fails to be able to ARP (!!!!) the other end. If I drop the
> interface (ifconfig ix0 down; ifconfig ix0 up) it never fails on the second
> try. If it fails on the first try doing a "arp -d" on the other end resolves
> nothing; only recycling the interface does. Once it comes up its 100% stable
> and never drops it. Obviously with no arp for the other end you get nothing
> (in either direction.)
>
> That I can handle (but its damned annoying) with a script that checks
> connection to the other side and, if it can't get anything, does the above.
>
> The more serious problem is with Ipv6. If I shut down my gear (and the
> company's ONT) and then turn the power back on (say, because I need to work
> on the UPS in my rack!) it will come back up on IpV4 but never gets an answer
> to the SOLICIT response. It also never sees anything from the neighbor
> request!
>
> In other words ("tcpdump -i ip6 ix0"):
>
> 14:42:25.301564 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:30.573650 IP6 fe80::2e0:b4ff:fe68:f894 > ff02::2: ICMP6, router
> solicitation, length 16
> 14:42:31.594474 IP6 fe80::2e0:b4ff:fe68:f894.dhcpv6-client >
> ff02::1:2.dhcpv6-server: dhcp6 solicit
> 14:42:32.690063 IP6 fe80::2e0:b4ff:fe68:f894.dhcpv6-client >
> ff02::1:2.dhcpv6-server: dhcp6 solicit
> 14:42:34.506030 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:34.574904 IP6 fe80::2e0:b4ff:fe68:f894 > ff02::2: ICMP6, router
> solicitation, length 16
> 14:42:34.764176 IP6 fe80::2e0:b4ff:fe68:f894.dhcpv6-client >
> ff02::1:2.dhcpv6-server: dhcp6 solicit
> 14:42:35.501814 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:35.934710 IP6 2a06:4880:4000::68.53490 >
> 2606:83c0:8000:ff00:ba27:ebff:fe39:701d.4567: Flags [S], seq 605251823, win
> 14600, options [mss 1440], length 0
> 14:42:36.509588 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:38.580627 IP6 fe80::2e0:b4ff:fe68:f894 > ff02::2: ICMP6, router
> solicitation, length 16
> 14:42:38.732812 IP6 fe80::2e0:b4ff:fe68:f894.dhcpv6-client >
> ff02::1:2.dhcpv6-server: dhcp6 solicit
> 14:42:40.337515 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:41.321509 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:42.329737 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:42.595011 IP6 fe80::2e0:b4ff:fe68:f894 > ff02::2: ICMP6, router
> solicitation, length 16
> 14:42:44.782492 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:45.749503 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:46.745515 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:47.109267 IP6 fe80::2e0:b4ff:fe68:f894.dhcpv6-client >
> ff02::1:2.dhcpv6-server: dhcp6 solicit
> 14:42:48.809742 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:49.805572 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
> 14:42:50.801697 IP6 fe80::3a94:edff:fe47:f2f8 > ff02::1:ff0b:946d: ICMP6,
> neighbor solicitation, who has fe80::6a22:8e00:c80b:946d, length 32
>
> The interface is up and is passing Ip4 traffic.
>
> And even more odd I get this once in a while:
>
> 14:45:26.688858 IP6 enviable.census.internet-measurement.com.53565 >
> 2606:83c0:8600::10c.58222: Flags [S], seq 3619826346, win 14600, options [mss
> 1440], length 0
> 14:45:26.696834 IP6 stupendous.census.internet-measurement.com.53321 >
> 2606:83c0:8600::10c.rsf-1: Flags [S], seq 3940102705, win 14600, options [mss
> 1440], length 0
>
> The prefix IS part of the provider's delegation but I have no IPv6 address so
> I have absolutely no idea how they think routing that to me is reasonable --
> but they do.
>
>
For unwanted IPv6 packets, the net stack should drop them silently, and
fundamentally you can NOT prevent your provider from sending them. Also be
aware that tcpdump(1) by default turns the interface into promisc mode.
> They're pointing at "my gear" as I'm not using their router. Uh, yeah, ok.
> Its not hardware -- the same thing happens on a pcEngines box with two "igb"
> interfaces, a "cube" box that has two "re" interfaces and my current box
> (which I want to keep using) that has two SFP+ interfaces that come up on the
> "ix" driver. All behave exactly the same way.
>
> If I call and bitch they reset everything on their end and it comes up --
> once and from there its stable. But if I take a power hit beyond my UPS's
> capacity, well, it'll happen again.
>
> I see absolutely nothing in tcpdump that implies there's a problem, other
> than that when this happens they never answer anything I send them. They
> claim their dhcp6 server has locked out my MAC due to "invalid" things
> they're seeing from me.
>
Do ( can ) they provide the details of the "invalid" things ? I'm recently
overhauling the attaching process of interfaces. For ethernet interfaces,
there're rare races that the driver see un-initialized link-layer address (
00:00:00:00:00:00 ) or incomplete link-layer address ( occurs when renaming the
interface ) . So I'm curious what "invalid" things your provider sees.
> Well, it can't be coming from the inside devices because (1) there's no
> route until IPv6 comes up except for the link-local, which I verify is in
> fact there but there is no default route until they send it and I receive it
> and therefore its ridiculously implausible any inside device with a "stale"
> IPv6 address is sending, and everything in the rack (this last time at least)
> went down with the power and all that gets its IPv6 by SLACC -- so until it
> gets a delegation it obviously didn't have any.
>
> I'm trying to get their engineering people on the line to get a packet
> capture while I power cycle and see exactly why they're getting big-mad but
> my suspicion is that their ONT is in some way obtaining and forwarding things
> before it negotiates fully -- which of course it shouldn't, but.....
>
> Any ideas here? Once it comes up its completely stable, but obviously a
> power loss while I'm not around is going to be a pain in the neck. One thing
> I've contemplated is sticking a delay in the rc script for dhcpcd so it
> doesn't start for a bit after a boot, which perhaps gives the port time to
> negotiate. Since it does the same thing with an igb, re, and ix port (with a
> 1G SFP transceiver in it) I assume the issue has nothing to do per se with
> negotiation, but somehow their end is getting "big mad" with me when it comes
> to IPv6 delegations and once it does it never clears it on its own.
>
> Putting this in freebsd-net rather than directly to Roy because I see the
> same behavior using the "stock" dhcp6c client......
>
> On 6/7/2024 09:12, Roy Marples wrote:
>> Hi Ed
>>
>> ---- On Thu, 06 Jun 2024 02:48:36 +0100 Ed Maste wrote ---
>> > On Sun, 7 Aug 2022 at 01:32, Ben Woods woods...@freebsd.org
>> <mailto:woods...@freebsd.org>> wrote:
>> > In the previous threads some objections were raised about dhcpcd's
>> > lack of sandboxing (Capsicum / privilege separation), which has since
>> > been addressed.
>> >
>> > I would like to start building and installing dhcpcd by default so
>> > that it is available for testing and experimentation. I do not intend
>> > to replace dhclent or rtsold, at least without more information, test
>> > results, and consensus.
>>
>> That's nice news, thanks for carrying the torch here :)
>>
> --
> Karl Denninger
> k...@denninger.net <mailto:k...@denninger.net>
> The Market Ticker
> [S/MIME encrypted email preferred]
Best regards,
Zhenlei
signature.asc
Description: Message signed with OpenPGP
