Re: DHCPv6 and OPTION_USER_CLASS
Mattieu Baptiste
Sun Apr 29 10:00:47 2018
Hi Roy,
On Sun, Apr 29, 2018 at 11:15 AM, Roy Marples <roy@xxxxxxxxxxxx> wrote:
> Hi Mattieu
>
>
> On 28/04/2018 09:30, Mattieu Baptiste wrote:
>>
>> So, with all the patches you committed recently to support the
>> mandatory options, I finally managed to get a reply from the server.
>> I use this minimal dhcpcd config:
>>
>> ipv6only
>> duid
>> authprotocol token
>> authtoken 0 "" 0 fti/xxxxxxx
>> userclass FSVDSL_livebox.Internet.softathome.livebox3
>> vendclass 1038 sagem
>> persistent
>> noipv6rs
>> allowinterfaces vlan832
>> interface vlan832
>> ia_pd 1
>>
>> The point is I think my ISP is filtering on the DUID value. In order
>> to have a reply from the server, I MUST use the exact same DUID that
>> dibbler generated the first time I launched it some months ago.
>> If I change one bit in it (link type, time or macaddress), the server
>> doesn't reply anymore.
>>
>> I tried to change it with clientid, but in my comprehension it seems
>> limited to DHCPv4: any value I set is ignored, and a DUID is
>> generated.
>> So, I edited /var/db/dhcpcd/duid to set the value that dibbler uses...
>> and the server replies.
>> Maybe it's a filtering policy that doesn't allow the client to use
>> something other than the official internet boxes...
>
>
> This is quite likely.
> Added to the man page here:
> https://roy.marples.name/git/dhcpcd.git/commit/?id=3532ad672ada845501796b30a8c5cca6e2f41979
>
>
>>
>> So now that the server replies, dhcpcd complains about not being able
>> to authenticate the server:
>> # dhcpcd -Bd
>> dhcpcd-7.0.3 starting
>> vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' PREINIT
>> vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' CARRIER
>> DUID 00:01:00:06:20:f6:4d:7a:00:0d:b9:33:8e:8c
>> vlan832: IAID ff:00:03:40
>> vlan832: IAID 00:00:00:01
>> vlan832: reading lease `/var/db/dhcpcd/vlan832.lease6'
>> vlan832: soliciting a DHCPv6 lease
>> vlan832: delaying SOLICIT6 (xid 0xbea62c), next in 0.4 seconds
>> vlan832: broadcasting SOLICIT6 (xid 0xbea62c), next in 0.9 seconds
>> vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
>> vlan832: broadcasting SOLICIT6 (xid 0xbea62c), next in 1.9 seconds
>> vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
>> vlan832: broadcasting SOLICIT6 (xid 0xbea62c), next in 3.9 seconds
>> vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
>> ^Creceived SIGINT, stopping
>> vlan832: removing interface
>> vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' STOPPED
>> dhcpcd exited
>>
>> I send:
>> Authentication
>> Option: Authentication (11)
>> Length: 22
>> Value: 000000de8eac8dc8f3228f6674692fXXXXXXXXXXXXXX
>> Protocol: 0
>> Algorithm: 0
>> RDM: 0
>> Replay Detection: de8eac8dc8f3228f
>> Authentication Information: 6674692fXXXXXXXXXXXXXX
>>
>> The server replies with:
>> Authentication
>> Option: Authentication (11)
>> Length: 27
>> Value: 0000000000000000000000646863706c697665626f786672...
>> Protocol: 0
>> Algorithm: 0
>> RDM: 0
>> Replay Detection: 0000000000000000
>> Authentication Information: 646863706c697665626f786672323530
>> (The value is the string: dhcpliveboxfr)
>>
>> Maybe the replay detection in the advertise isn't correct?
>> Or, shouldn't I set the server authentication parameters in dhcpcd's
>> config?
>
>
> Oh the replay dhcpcd is sending *is* correct.
> What is NOT correct is the server's reply.
Yes, you're absolutely right. This is annoying, these telco devices are
a total nightmare.
> Well, if you really really really want to pick nits the is as the errata
> update is only for RFC3118 and not RFC3115 even though the authentication
> description is 100% identical.
>
> Attached is a patch for this, along with the prior patch so we're just
> maintaining one patch until this is resolved!
>
> BTW, now that you have obtained a reply from dhcpcd, do you get a reply if
> the authentication option is omitted from the requested options?
I confirm I can get a reply without the authentication option in the
requested options.
On top of dhcpcd 7.0.3, I applied these committed patches + the
authentication patch you just sent me:
https://www.brimbelle.org/mattieu/stuff/patch-src_auth_c
https://www.brimbelle.org/mattieu/stuff/patch-src_dhcp6_c
https://www.brimbelle.org/mattieu/stuff/patch-src_dhcp6_h
https://www.brimbelle.org/mattieu/stuff/patch-src_if-options_c
Alas with the patch, I have the same "authentication failed" behavior:
# dhcpcd -Bd
dhcpcd-7.0.3 starting
vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' PREINIT
vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' CARRIER
DUID 00:01:00:06:20:f6:4d:7a:00:0d:b9:33:8e:8c
vlan832: IAID ff:00:03:40
vlan832: IAID 00:00:00:01
vlan832: reading lease `/var/db/dhcpcd/vlan832.lease6'
vlan832: soliciting a DHCPv6 lease
vlan832: delaying SOLICIT6 (xid 0x2bfb39), next in 0.0 seconds
vlan832: broadcasting SOLICIT6 (xid 0x2bfb39), next in 1.0 seconds
vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
vlan832: broadcasting SOLICIT6 (xid 0x2bfb39), next in 1.9 seconds
vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
vlan832: broadcasting SOLICIT6 (xid 0x2bfb39), next in 3.6 seconds
vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
^Creceived SIGINT, stopping
vlan832: removing interface
vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' STOPPED
dhcpcd exited
Here is the full DHCPv6 advert the server sent me:
DHCPv6
Message type: Advertise (2)
Transaction ID: 0x191db8
Identity Association for Prefix Delegation
Option: Identity Association for Prefix Delegation (25)
Length: 41
Value: 000000010000b98400032a00001a00190003f4800003f480...
IAID: 00000001
T1: 47492
T2: 207360
IA Prefix
Option: IA Prefix (26)
Length: 25
Value: 0003f4800003f480382a01cb0007c87f0000000000000000...
Preferred lifetime: 259200
Valid lifetime: 259200
Prefix length: 56
Prefix address: 2a01:cb00:7c8:7f00::
Server Identifier
Option: Server Identifier (2)
Length: 20
Value: 0002000005584445534841594553535544524f54
DUID: 0002000005584445534841594553535544524f54
DUID Type: assigned by vendor based on Enterprise number (2)
Enterprise ID: Orange (formerly 'France Telecom') (1368)
Identifier: 4445534841594553535544524f54
Client Identifier
Option: Client Identifier (1)
Length: 14
Value: 0001000620f64d7a000db9338e8c
DUID: 0001000620f64d7a000db9338e8c
DUID Type: link-layer address plus time (1)
Hardware type: IEEE 802 (6)
DUID Time: Jul 10, 2017 16:36:42.000000000 CEST
Link-layer address: 00:0d:b9:33:8e:8c
Authentication
Option: Authentication (11)
Length: 27
Value: 0000000000000000000000646863706c697665626f786672...
Protocol: 0
Algorithm: 0
RDM: 0
Replay Detection: 0000000000000000
Authentication Information: 646863706c697665626f786672323530
Preference
Option: Preference (7)
Length: 1
Value: ff
Pref-value: 255
--
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."
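As an added illustration (not part of the thread, and not dhcpcd's own auth.c), here is a small decoder for the DHCPv6 Authentication option (option 11, RFC 3315 section 22.11) that applies the two receiver-side checks RFC 3118 section 4 describes for the configuration-token protocol: the monotonic replay counter (RDM 0) must strictly increase, and the received token must equal the locally configured one. It is run over the server's option bytes quoted above; the client option and its token "fti/PLACEHOLDER" are constructed, since the real token is redacted in the thread.

```python
"""Decode DHCPv6 option 11 and apply RFC 3118 configuration-token checks.
Simplified model of the RFC rules, not dhcpcd's implementation."""
import struct
from dataclasses import dataclass

OPTION_AUTH = 11          # DHCPv6 Authentication option code
PROTO_CONFIG_TOKEN = 0    # protocol 0 = configuration token
RDM_MONOTONIC = 0         # RDM 0 = monotonically increasing counter


@dataclass
class AuthOption:
    protocol: int
    algorithm: int
    rdm: int
    replay: int           # 64-bit replay detection value
    auth_info: bytes      # opaque token for protocol 0


def parse_auth_option(data: bytes) -> AuthOption:
    """Parse option-code, option-len and the fixed 11-byte header."""
    code, length = struct.unpack_from("!HH", data, 0)
    if code != OPTION_AUTH:
        raise ValueError(f"not an Authentication option: {code}")
    if length < 11 or len(data) < 4 + length:
        raise ValueError("truncated Authentication option")
    proto, alg, rdm, replay = struct.unpack_from("!BBBQ", data, 4)
    return AuthOption(proto, alg, rdm, replay, data[15:4 + length])


def check_config_token(opt: AuthOption, expected_token: bytes,
                       last_replay):
    """Return (ok, reason); last_replay is None for the first message."""
    if opt.protocol != PROTO_CONFIG_TOKEN or opt.rdm != RDM_MONOTONIC:
        return False, "unsupported protocol/RDM"
    if last_replay is not None and opt.replay <= last_replay:
        return False, "replay detection value did not increase"
    if opt.auth_info != expected_token:
        return False, "token mismatch"
    return True, "ok"


# Option 11 exactly as in the server's advertise above (length 27):
# protocol 0, algorithm 0, RDM 0, replay all-zero, token "dhcpliveboxfr250".
SERVER_ADVERT_AUTH = bytes.fromhex(
    "000b001b" "000000" "0000000000000000"
    "646863706c697665626f786672323530")

# Constructed client option: same layout, counter from the thread,
# placeholder token standing in for the redacted "fti/..." value.
CLIENT_TOKEN = b"fti/PLACEHOLDER"
CLIENT_SOLICIT_AUTH = struct.pack(
    "!HHBBBQ", OPTION_AUTH, 11 + len(CLIENT_TOKEN),
    0, 0, 0, 0xDE8EAC8DC8F3228F) + CLIENT_TOKEN
```

Decoding the server's option shows a zero replay counter and a token that is not the one the client was configured with, so a client applying these checks rejects the advertise, which matches the "authentication failed" lines in the log.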