thomasnoll / oas Goto Github PK

Hi,

I have a system with the following configuration:

[115/5089]mh@salida:~ $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:a9:68:07 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.192.209/24 metric 1024 brd 192.168.192.255 scope global dynamic ens3
       valid_lft 8668sec preferred_lft 8668sec
    inet6 2001:16b8:3040:8d2:5054:ff:fea9:6807/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 6081sec preferred_lft 2481sec
    inet6 2a01:238:42bc:a192:5054:ff:fea9:6807/64 scope global deprecated dynamic mngtmpaddr noprefixroute 
       valid_lft 3429sec preferred_lft 0sec
    inet6 2a01:238:42bc:a192::d1:100/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fea9:6807/64 scope link 
       valid_lft forever preferred_lft forever
[116/5090]mh@salida:~ $ 

Please note that one of the SLAAC addresses on ens3 isl deprecated; the router announces it with a zero lifetime, and a static address is set via DHCPv6 with a non-zero lifetime.

I have the following oas.conf, which should be the same on all systems:

[116/5090]mh@salida:~ $ cat /etc/oas.conf 
cmdlines:
ssh

addresses:
2a01:238:42bc:a180::/60
2a01:238:42bc:a100::/56
[117/5091]mh@salida:~ $ 

In this setup, ssh to another system with the IP address 2a01:238:42bc:a192::d2:100 causes oas to select the deprecated SLAAC address while a non-deprecated address is actually available.

This is not what I want, this is not how a system without oas would behave, and I am pretty sure that I can find an RFC forbidding the use of a deprecated address when a non-deprecated address is available (RFC6724 probably).

It looks like oas cannot blindly choose the first matching address it finds, it needs to

• detect whether an address is deprecated
• make note of this address
• continue searching for a non-deprecated address
• if a non-deprecated address is found, abort search, use non-deprecated address
• if no non-deprecated address is found, use the deprecated one

The last step is probably an RFC violation as well, but it's acting according to local configuration.

Thanks in advance!

Greetings
Marc

Hi,

setting -DDEBUG at compile time is a bit clumsy when using oas from a distribution package. Please consider supporting an OAS_DEBUG environment variable or a configuration file option instead. I guess that having OAS_DEBUG is reasonably easy to implement.

Greetings
Marc

Hi,

I think it might be a good idea to include the relevant environment variables (LD_PRELOAD, OAS_CONF_F, OAS_LOGLEVEL) in debug output.

Greetings
Marc