[OpenWrt-Devel] Release 17.01.5 is broken for everyone with IPv6 tunnels

Alexander E. Patrakov patrakov at gmail.com
Sun Jul 29 05:17:24 EDT 2018


Hello.

Due to my work duties, I had to guide the customer on how to install OpenWRT
on his router (Linksys WRT1900AC v2) and how to configure it. The customer
requires pretty boring tasks such as setting up PPPoE, updating dynamic
DNS, doing IPv4 NAT, port forwarding, and getting IPv6 from Hurricane
Electric for devices in his network. Why OpenWRT - the need to keep two LAN
segments separate, and the fact that the stock firmware does not support
his dynamic DNS provider. And, as a bonus, the ability to troubleshoot
everything easily with tcpdump.

So, we installed OpenWRT 17.01.5. Everything worked well except IPv6. I
could ping devices in his network from a server in Malaysia, but not from
home. SSH over IPv6 worked but took a lot of time to set up the connection.
Some IPv6 connections also failed. Tcpdumping shows that the packets come
correctly from Hurricane Electric on pppoe-wan, but do not show up in
6in4-wan6. And there are lots of "sit: non-ECT from ... with TOS=..."
messages.

This is https://bugs.openwrt.org/index.php?do=details&task_id=1541

I have looked at the kernel source here. The bug is that the first part of
the incoming IPv6 header (containing the flow label) is misparsed as the IPv4
ToS field. Then it is compared to the ECN field of the outer IPv4 packet.
Every time the message is printed, the packet is dropped. And, because this
comparison of the flow label to ECN is meaningless, it is dropped for no
good reason.

Turris Omnia users have also hit this bug:
https://forum.turris.cz/t/performance-issue-with-ipv6-6rd-on-turris-omnia/7505

As this is a kernel bug, it is impossible to fix by publishing updated
packages for the same OpenWRT release. So, we decided to downgrade the
router to 17.01.4, and so far it works flawlessly.

Given the severity of this problem (essentially, broken IPv6), a large base
of affected customers (everybody who uses a 6to4, 6rd, or 6in4 tunnel), and
the impossibility of fixing it by publishing a single updated package, I
propose that the 17.01.5 release is retracted.

Please put something like this on the download page:

"""
Users who rely on IPv6 tunnels (6to4, 6rd, 6in4) should not use this
release due to a bug
(https://bugs.openwrt.org/index.php?do=details&task_id=1541) that makes such
tunnels drop packets for no good reason. Such users should download release
17.01.4 instead.
"""

-- 
Alexander E. Patrakov
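
The header misparse described in the message, as an added example that is not part of the original post and is not kernel code: it builds the first four bytes of an IPv6 header and compares the real ECN bits with what appears when byte 1 is read as an IPv4 ToS field. Function names and flow-label values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ECN_MASK 0x03u /* ECN is the low two bits of ToS / traffic class */

/* First 32 bits of an IPv6 header: version(4) | traffic class(8) | flow label(20). */
static void ipv6_first_word(uint8_t h[4], uint8_t tclass, uint32_t flow)
{
    uint32_t w = (6u << 28) | ((uint32_t)tclass << 20) | (flow & 0xFFFFFu);
    h[0] = (uint8_t)(w >> 24);
    h[1] = (uint8_t)(w >> 16);
    h[2] = (uint8_t)(w >> 8);
    h[3] = (uint8_t)w;
}

/* Correct read: the traffic class straddles bytes 0 and 1. */
static uint8_t ipv6_tclass(const uint8_t h[4])
{
    return (uint8_t)(((h[0] & 0x0Fu) << 4) | (h[1] >> 4));
}

/* Misparse: IPv4 keeps ToS in byte 1. On IPv6 bytes that is the low nibble
 * of the traffic class followed by the top nibble of the flow label. */
static uint8_t misparsed_ipv4_tos(const uint8_t h[4])
{
    return h[1];
}

/* ECN codepoint the sender actually set. */
static uint8_t real_ecn(uint8_t tclass, uint32_t flow)
{
    uint8_t h[4];
    ipv6_first_word(h, tclass, flow);
    return ipv6_tclass(h) & ECN_MASK;
}

/* ECN codepoint seen when the header is read as IPv4: flow label bits 17..16. */
static uint8_t apparent_ecn(uint8_t tclass, uint32_t flow)
{
    uint8_t h[4];
    ipv6_first_word(h, tclass, flow);
    return misparsed_ipv4_tos(h) & ECN_MASK;
}

int main(void)
{
    /* Constructed flow labels; traffic class 0 means the sender set no ECN. */
    static const uint32_t flows[] = { 0x00000, 0x1ABCD, 0x2F00D, 0x3C0DE, 0x4BEEF };
    for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++)
        printf("flow=0x%05x real_ecn=%u apparent_ecn=%u\n", (unsigned)flows[i],
               (unsigned)real_ecn(0, flows[i]), (unsigned)apparent_ecn(0, flows[i]));
    return 0;
}
```

With the traffic class fixed at 0, the apparent ECN codepoint still changes with the flow label, so any check that uses it is decided by bits unrelated to congestion signalling.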