dhcpcd-discuss

Re: DHCPv6 and OPTION_USER_CLASS

Mattieu Baptiste

Sun Apr 29 10:00:47 2018

Hi Roy,

On Sun, Apr 29, 2018 at 11:15 AM, Roy Marples <roy@xxxxxxxxxxxx> wrote:
> Hi Mattieu
>
>
> On 28/04/2018 09:30, Mattieu Baptiste wrote:
>>
>> So, with all the patches you committed recently to support the
>> mandatory options, I finally managed to get a reply from the server.
>> I use this minimal dhcpcd config:
>>
>> ipv6only
>> duid
>> authprotocol token
>> authtoken 0 "" 0 fti/xxxxxxx
>> userclass FSVDSL_livebox.Internet.softathome.livebox3
>> vendclass 1038 sagem
>> persistent
>> noipv6rs
>> allowinterfaces vlan832
>> interface vlan832
>>          ia_pd 1
>>
>> The point is I think my ISP is filtering on the DUID value. In order
>> to have a reply from the server, I MUST use the exact same DUID that
>> dibbler generates the first time I launched it some months ago.
>> If I change one bit in it (link type, time or macaddress), the server
>> doesn't reply anymore.
>>
>> I tried to change it with clientid, but in my comprehension it seems
>> limited to DHCPv4: any value I set is ignored, and a DUID is
>> generated.
>> So, I edited /var/db/dhcpcd/duid to set the value that dibbler uses...
>> and the server replies.
>> Maybe it's a filtering policy that doesn't allow the client to use
>> anything other than the official internet boxes...
>
>
> This is quite likely.
> Added to the man page here:
> https://roy.marples.name/git/dhcpcd.git/commit/?id=3532ad672ada845501796b30a8c5cca6e2f41979
>
>
>>
>> So now that the server replies, dhcpcd complains about not being able
>> to authenticate the server:
>> # dhcpcd -Bd
>> dhcpcd-7.0.3 starting
>> vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' PREINIT
>> vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' CARRIER
>> DUID 00:01:00:06:20:f6:4d:7a:00:0d:b9:33:8e:8c
>> vlan832: IAID ff:00:03:40
>> vlan832: IAID 00:00:00:01
>> vlan832: reading lease `/var/db/dhcpcd/vlan832.lease6'
>> vlan832: soliciting a DHCPv6 lease
>> vlan832: delaying SOLICIT6 (xid 0xbea62c), next in 0.4 seconds
>> vlan832: broadcasting SOLICIT6 (xid 0xbea62c), next in 0.9 seconds
>> vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
>> vlan832: broadcasting SOLICIT6 (xid 0xbea62c), next in 1.9 seconds
>> vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
>> vlan832: broadcasting SOLICIT6 (xid 0xbea62c), next in 3.9 seconds
>> vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
>> ^Creceived SIGINT, stopping
>> vlan832: removing interface
>> vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' STOPPED
>> dhcpcd exited
>>
>> I send:
>> Authentication
>>      Option: Authentication (11)
>>      Length: 22
>>      Value: 000000de8eac8dc8f3228f6674692fXXXXXXXXXXXXXX
>>      Protocol: 0
>>      Algorithm: 0
>>      RDM: 0
>>      Replay Detection: de8eac8dc8f3228f
>>      Authentication Information: 6674692fXXXXXXXXXXXXXX
>>
>> The server replies with:
>> Authentication
>>      Option: Authentication (11)
>>      Length: 27
>>      Value: 0000000000000000000000646863706c697665626f786672...
>>      Protocol: 0
>>      Algorithm: 0
>>      RDM: 0
>>      Replay Detection: 0000000000000000
>>      Authentication Information: 646863706c697665626f786672323530
>> (The value is the string: dhcpliveboxfr)
>>
>> Maybe the replay detection in the advertise isn't correct?
>> Or, shouldn't I set the server authentication parameters in dhcpcd's
>> config?
>
>
> Oh the replay dhcpcd is sending *is* correct.
> What is NOT correct is the server's reply.

Yes, you're absolutely right. This is annoying; these telco devices are
a total nightmare.

> Well, if you really really really want to pick nits, the issue is that the errata
> update is only for RFC3118 and not RFC3115 even though the authentication
> description is 100% identical.
>
> Attached is a patch for this, along with the prior patch so we're just
> maintaining one patch until this is resolved!
>
> BTW, now that you have obtained a reply from dhcpcd, do you get a reply if
> the authentication option is omitted from the requested options?

I confirm I can get a reply without the authentication option in the
requested options.
On top of dhcpcd 7.0.3, I applied these committed patches plus the
authentication patch you just sent me:
https://www.brimbelle.org/mattieu/stuff/patch-src_auth_c
https://www.brimbelle.org/mattieu/stuff/patch-src_dhcp6_c
https://www.brimbelle.org/mattieu/stuff/patch-src_dhcp6_h
https://www.brimbelle.org/mattieu/stuff/patch-src_if-options_c

Alas with the patch, I have the same "authentication failed" behavior:
# dhcpcd -Bd
dhcpcd-7.0.3 starting
vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' PREINIT
vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' CARRIER
DUID 00:01:00:06:20:f6:4d:7a:00:0d:b9:33:8e:8c
vlan832: IAID ff:00:03:40
vlan832: IAID 00:00:00:01
vlan832: reading lease `/var/db/dhcpcd/vlan832.lease6'
vlan832: soliciting a DHCPv6 lease
vlan832: delaying SOLICIT6 (xid 0x2bfb39), next in 0.0 seconds
vlan832: broadcasting SOLICIT6 (xid 0x2bfb39), next in 1.0 seconds
vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
vlan832: broadcasting SOLICIT6 (xid 0x2bfb39), next in 1.9 seconds
vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
vlan832: broadcasting SOLICIT6 (xid 0x2bfb39), next in 3.6 seconds
vlan832: authentication failed from fe80::ba0:bab: Operation not permitted
^Creceived SIGINT, stopping
vlan832: removing interface
vlan832: executing `/usr/local/libexec/dhcpcd-run-hooks' STOPPED
dhcpcd exited

Here is the full DHCPv6 advertise the server sends me:
DHCPv6
    Message type: Advertise (2)
    Transaction ID: 0x191db8
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        Value: 000000010000b98400032a00001a00190003f4800003f480...
        IAID: 00000001
        T1: 47492
        T2: 207360
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Value: 0003f4800003f480382a01cb0007c87f0000000000000000...
            Preferred lifetime: 259200
            Valid lifetime: 259200
            Prefix length: 56
            Prefix address: 2a01:cb00:7c8:7f00::
    Server Identifier
        Option: Server Identifier (2)
        Length: 20
        Value: 0002000005584445534841594553535544524f54
        DUID: 0002000005584445534841594553535544524f54
        DUID Type: assigned by vendor based on Enterprise number (2)
        Enterprise ID: Orange (formerly 'France Telecom') (1368)
        Identifier: 4445534841594553535544524f54
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        Value: 0001000620f64d7a000db9338e8c
        DUID: 0001000620f64d7a000db9338e8c
        DUID Type: link-layer address plus time (1)
        Hardware type: IEEE 802 (6)
        DUID Time: Jul 10, 2017 16:36:42.000000000 CEST
        Link-layer address: 00:0d:b9:33:8e:8c
    Authentication
        Option: Authentication (11)
        Length: 27
        Value: 0000000000000000000000646863706c697665626f786672...
        Protocol: 0
        Algorithm: 0
        RDM: 0
        Replay Detection: 0000000000000000
        Authentication Information: 646863706c697665626f786672323530
    Preference
        Option: Preference (7)
        Length: 1
        Value: ff
        Pref-value: 255


-- 
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."
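As an added illustration (not code from this thread or from dhcpcd itself), the following Python decodes the two Authentication options quoted above and applies the replay rule that dhcpcd's "authentication failed" implies: with RDM 0 the replay-detection field is a strictly increasing counter, so the server's all-zero value can never pass. The redacted tail of the client token is replaced by a constructed placeholder.

```python
import struct
from dataclasses import dataclass

# Option 11 body layout (RFC 3315 s21.1): protocol(1) algorithm(1) RDM(1)
# replay-detection(8) authentication-information(variable).
AUTH_HDR = struct.Struct("!BBBQ")


@dataclass
class Dhcp6Auth:
    protocol: int
    algorithm: int
    rdm: int
    replay: int   # 64-bit replay-detection value
    info: bytes   # for protocol 0 this is the configuration token itself


def parse_auth_option(body: bytes) -> Dhcp6Auth:
    """Decode the body of a DHCPv6 Authentication option (option 11)."""
    if len(body) < AUTH_HDR.size:
        raise ValueError("authentication option body shorter than 11 bytes")
    proto, alg, rdm, replay = AUTH_HDR.unpack_from(body)
    return Dhcp6Auth(proto, alg, rdm, replay, body[AUTH_HDR.size:])


def check_token_auth(auth: Dhcp6Auth, token: bytes, last_replay: int) -> list:
    """Validate a configuration-token option; returns problems found (empty = accept).
    RDM 0 means the replay field is a monotonically increasing counter (RFC 3315
    s21.3), so it must exceed the last value seen; all zeros never does."""
    problems = []
    if (auth.protocol, auth.algorithm, auth.rdm) != (0, 0, 0):
        problems.append("not configuration token: protocol/algorithm/RDM must all be 0")
    elif auth.replay <= last_replay:
        problems.append("replay %016x not greater than last seen %016x"
                        % (auth.replay, last_replay))
    if auth.info != token:
        problems.append("token mismatch: got %r" % auth.info)
    return problems


# Server ADVERTISE option value quoted in the thread (27 bytes).
SERVER_AUTH = bytes.fromhex(
    "0000000000000000000000646863706c697665626f786672323530")
# Client SOLICIT option as quoted, but the redacted part of the token is a
# constructed placeholder ("fti/REDACTED"), not the real secret.
CLIENT_AUTH = bytes.fromhex("000000de8eac8dc8f3228f") + b"fti/REDACTED"


def classify_thread_samples() -> dict:
    srv = parse_auth_option(SERVER_AUTH)
    cli = parse_auth_option(CLIENT_AUTH)
    return {
        "server_token": srv.info.decode("ascii"),
        "server_problems": check_token_auth(srv, srv.info, last_replay=0),
        "client_problems": check_token_auth(cli, b"fti/REDACTED", last_replay=0),
    }


if __name__ == "__main__":
    for name, result in classify_thread_samples().items():
        print(name, result)
```

The server sample is checked against its own token on purpose, so that the only thing flagged is the zero replay counter, which is the defect Roy points at.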
