Netplan should default accept-ra to false when gateway6 is configured

Bug #1858503 reported by Richard Laager
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
netplan
Triaged
Wishlist
Unassigned
netplan.io (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Netplan has an option, accept-ra, which controls whether IPv6 Router Advertisements are accepted. When unset, it uses the kernel's default. (Presumably, when accept-ra is unset in the configuration, netplan simply doesn't set accept_ra on the interface, which leads to the kernel's default being used.) The kernel's default is to accept RAs.

This behavior is both dangerous and surprising in static IPv6 configurations.

I propose that accept-ra default to false when a gateway6 is configured. In other words, keep the current behavior of always honoring an explicit accept-ra setting, but if accept-ra is not set, then set accept_ra to false if and only if gateway6 is specified.

The danger is as follows: if _any_ device in the layer 2 broadcast domain (VLAN) decides to start sending RAs, then the current defaults are such that systems accept it and send their traffic to that device.

This has bit us a couple of times. Our VPN server runs radvd due to (non-standard) Windows client behavior. Due to how IPsec works (i.e. not having separate interfaces), radvd needs to be configured to use the VPN server's Ethernet interface. This requires firewall rules to prevent the RAs from leaking out. If we break those and RAs leak, the other servers on that network accept the RAs and thus break. We are making changes to the VPN setup to eliminate the RAs now that Windows 10 lets us set routes in the VPN profile via PowerShell and we no longer care about Windows 7, but that's beside the point. It isn't always feasible to isolate servers into separate broadcast domains, nor should that be as necessary as it is with the current netplan behavior.

This behavior is surprising for a couple of reasons. First off, IPv4 does not behave in an analogous way. Second, if I have statically configured a gateway, why would I expect my system to use a different gateway? If the system administrator has configured a static IPv6 gateway, the liklihood of them wanting to accept RAs is very low.

I'm not sure of their relative order, but the two most common (non-DHCP) scenarios are surely A) SLAAC for addressing + RA for gateway and B) static addressing + static gateway. Having a static gateway + RAs is an uncommon use case. Still, my proposal is not to prohibit static gateway + accept RAs, but to change the default. With my proposed change, those in the uncommon case of wanting a static gateway + accept RAs would set "accept-ra: true", as opposed to now, where those in a very common case of static gateway need to set "accept-ra: false" to be safe.

To be clear, RAs _are_ disabled on my router, of course. But that doesn't prevent other devices on the layer 2 network from generating RAs.

Revision history for this message
XSpielinbox (xspielinbox) wrote :

I can still reproduce this issue in Ubuntu 22.04 and Ubuntu 22.10.

I agree that it would be very good to change the default. This is especially dangerous as the kernel default is not only accept_ra=1, but also autoconf=1, what Netplan does not override for the interface when setting a static IPv6. This results in the machine not only accepting potential router advertisements but also possibly configuring itself another unexpected IPv6. This can even result in machines being unexpectedly exposed on the public internet, even though there were not supposed to, because the router/firewall configuration was not considering this extra IPv6.

As a user I expect that when I configure static addresses and a gateway the computer will only have these static addresses and always use my configured gateway (except link-local addresses, of course).

Ifupdown in Debian does it exactly the proposed way too, according to their changelog: When one sets a static IPv6 autoconf gets disabled and when a static gateway is configured router advertisements get disabled as well.

I would therefore also be very happy, if this could be changed or at least be very clear during the configuration and in the documentation that the Netplan config has these absurd side effects.

And wouldn't it be for LP#1807569 I wouldn't be aware of any option at the moment to disable SLAAC within Netplan.

Changed in netplan.io (Ubuntu):
status: New → Confirmed
Changed in netplan:
status: New → Confirmed
Lukas Märdian (slyon)
Changed in netplan:
importance: Undecided → Wishlist
status: Confirmed → Triaged
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.