Joe - IPV6 Frag

Aug 3rd, 2016
Hi JT, Allan and Kris,

Love the show and all the coverage of all the exciting things going on in BSD land. I have a really thorny problem involving IPv6 fragmentation on FreeBSD when doing BIND zone transfers.

For all my personal stuff I run FreeBSD and use jails extensively. I have 2 $5/month FreeBSD VPSes, one of which is on Digital Ocean, for running DNS, mail relaying to/from my home server and Nginx. I have them set up to use both IPv4 and IPv6. These servers are the DNS servers for my domains, with one as the master and the other as the slave, using BIND and zone transfers. I switched the zone transfers from IPv4 to IPv6 and pf started blocking the packets because they were fragmented. Once I added a rule to allow IPv6 fragments it started working, but I would prefer not to have fragmented packets to begin with. I can do a large file transfer over HTTP via Nginx and there's no fragmentation. When I run the same BIND configuration on Ubuntu it doesn't fragment the packets. I'm guessing this is some sort of bug in either FreeBSD or BIND. I know the IPv6 stuff in FreeBSD isn't quite as mature as we'd like, but I'm hoping there is some tweak I can do to fix this. If not I will file a bug with either FreeBSD or BIND. I even tried a VPS with FreeBSD 11 Beta 1 to see if it's been fixed, and sadly it's still present on FreeBSD 11.

Thanks for whatever help/guidance you can provide. Love the show. I've provided some tcpdump and dig output below.

##### tcpdump output showing fragmentation #####

root@vps-do-1:~ # tcpdump -vvv host 2001:19f0:5:5d:5400:ff:fe2d:9358

tcpdump: listening on vtnet0, link-type EN10MB (Ethernet), capture size 65535 bytes

19:57:55.268641 IP6 (flowlabel 0xcac05, hlim 64, next-header TCP (6) payload length: 40) vps-do-1.jdmulloy.com.42905 > 2001:19f0:5:5d:5400:ff:fe2d:9358.domain: Flags , cksum 0x3083 (incorrect -> 0x3721), seq 3691768902, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 82013083 ecr 0], length 0

19:57:55.345449 IP6 (flowlabel 0x995ed, hlim 50, next-header TCP (6) payload length: 40) 2001:19f0:5:5d:5400:ff:fe2d:9358.domain > vps-do-1.jdmulloy.com.42905: Flags [S.], cksum 0x425e (correct), seq 1510577645, ack 3691768903, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 172096121 ecr 82013083], length 0

19:57:55.345507 IP6 (flowlabel 0xcac05, hlim 64, next-header TCP (6) payload length: 32) vps-do-1.jdmulloy.com.42905 > 2001:19f0:5:5d:5400:ff:fe2d:9358.domain: Flags [.], cksum 0x307b (incorrect -> 0x6cc5), seq 1, ack 1, win 1026, options [nop,nop,TS val 82013161 ecr 172096121], length 0

19:57:55.345652 IP6 (flowlabel 0xcac05, hlim 64, next-header TCP (6) payload length: 75) vps-do-1.jdmulloy.com.42905 > 2001:19f0:5:5d:5400:ff:fe2d:9358.domain: Flags [P.], cksum 0x30a6 (incorrect -> 0xe817), seq 1:44, ack 1, win 1026, options [nop,nop,TS val 82013161 ecr 172096121], length 4349659 [1au] AXFR? jdmulloy.com. ar: . OPT UDPsize=4096 (41)

19:57:55.423160 IP6 (flowlabel 0x995ed, hlim 50, next-header Fragment (44) payload length: 1240) 2001:19f0:5:5d:5400:ff:fe2d:9358 > vps-do-1.jdmulloy.com: frag (0x304490cb:0|1232) domain > 42905: Flags [P.], seq 1:1201, ack 44, win 1026, options [nop,nop,TS val 172096198 ecr 82013161], length 120049659*- q: AXFR? jdmulloy.com. 43/0/1 jdmulloy.com. [1m] SOA ns1.jdmulloy.com. hostmaster.mulloy.me. 2016071837 28800 7200 2419200 60, jdmulloy.com. [1m] TXT "v=spf1 +mx:mulloy.me +a:vps-do-1.jdmulloy.com ~all", jdmulloy.com. [1m] SPF, jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::4, jdmulloy.com. [1m] NS ns1.jdmulloy.com., jdmulloy.com. [1m] NS ns2.jdmulloy.com., jdmulloy.com. [1m] MX mail.vps-vu-1.jdmulloy.com. 10, jdmulloy.com. [1m] MX mail.vps-do-sfo2-float-1.jdmulloy.com. 20, jdmulloy.com. [1m] A 45.63.5.150, _dmarc.jdmulloy.com. [1m] TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]", ns1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::2, ns1.jdmulloy.com. [1m] A 45.63.5.150, ns2.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4002, ns2.jdmulloy.com. [1m] A 138.68.36.47, test.jdmulloy.com. [1m] A 45.63.5.150, test.jdmulloy.com. [1m] A 138.68.36.47, vps.jdmulloy.com. [1m] CNAME vps-vu-1.jdmulloy.com., vps-do-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4001, vps-do-1.jdmulloy.com. [1m] A 138.68.4.44, mail.vps-do-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4003, mail.vps-do-1.jdmulloy.com. [1m] A 138.68.4.44, nagios.vps-do-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4005, nagios.vps-do-1.jdmulloy.com. [1m] A 138.68.4.44, ns.vps-do-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4002, ns.vps-do-1.jdmulloy.com. [1m] A 138.68.4.44, web.vps-do-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4004, web.vps-do-1.jdmulloy.com. [1m] A 138.68.4.44, vps-do-sfo2-float-1.jdmulloy.com. [1m] A 138.68.36.47, mail.vps-do-sfo2-float-1.jdmulloy.com. [1m] AAAA 2604:a880:2:d0::24:4003, mail.vps-do-sfo2-float-1.jdmulloy.com. [1m] A 138.68.36.47, vps-vu-1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::1, vps-vu-1.jdmulloy.com. [1m] A 45.63.5.150, mail.vps-vu-1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::3, mail.vps-vu-1.jdmulloy.com. [1m] A 45.63.5.150, nagios.vps-vu-1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::5, nagios.vps-vu-1.jdmulloy.com. [1m] A 45.63.5.150, ns.vps-vu-1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::2, ns.vps-vu-1.jdmulloy.com. [1m] A 45.63.5.150, web.vps-vu-1.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::4, web.vps-vu-1.jdmulloy.com. [1m] A 45.63.5.150, www.jdmulloy.com. [1m] A 45.63.5.150, www.jdmulloy.com. [1m] AAAA 2001:19f0:300:6187::4, jdmulloy.com.[|domain]

19:57:55.423208 IP6 (flowlabel 0x995ed, hlim 50, next-header Fragment (44) payload length: 45) 2001:19f0:5:5d:5400:ff:fe2d:9358 > vps-do-1.jdmulloy.com: frag (0x304490cb:1232|37)

19:57:55.427775 IP6 (flowlabel 0xcac05, hlim 64, next-header TCP (6) payload length: 32) vps-do-1.jdmulloy.com.42905 > 2001:19f0:5:5d:5400:ff:fe2d:9358.domain: Flags [F.], cksum 0x307b (incorrect -> 0x6726), seq 44, ack 1238, win 1026, options [nop,nop,TS val 82013242 ecr 172096198], length 0

19:57:55.504276 IP6 (flowlabel 0x995ed, hlim 50, next-header TCP (6) payload length: 32) 2001:19f0:5:5d:5400:ff:fe2d:9358.domain > vps-do-1.jdmulloy.com.42905: Flags [.], cksum 0x66d4 (correct), seq 1238, ack 45, win 1026, options [nop,nop,TS val 172096280 ecr 82013242], length 0

19:57:55.504417 IP6 (flowlabel 0x995ed, hlim 50, next-header TCP (6) payload length: 32) 2001:19f0:5:5d:5400:ff:fe2d:9358.domain > vps-do-1.jdmulloy.com.42905: Flags [F.], cksum 0x66d3 (correct), seq 1238, ack 45, win 1026, options [nop,nop,TS val 172096280 ecr 82013242], length 0

19:57:55.504458 IP6 (flowlabel 0xcac05, hlim 64, next-header TCP (6) payload length: 32) vps-do-1.jdmulloy.com.42905 > 2001:19f0:5:5d:5400:ff:fe2d:9358.domain: Flags [.], cksum 0x307b (incorrect -> 0x6685), seq 45, ack 1239, win 1026, options [nop,nop,TS val 82013320 ecr 172096280], length 0

##### Dig output from machine requesting AXFR #####

root@vps-do-1:~ # dig axfr +tcp @2001:19f0:5:5d:5400:ff:fe2d:9358 jdmulloy.com
; <<>> DiG 9.10.4-P1 <<>> axfr +tcp @2001:19f0:5:5d:5400:ff:fe2d:9358 jdmulloy.com
; (1 server found)
;; global options: +cmd
jdmulloy.com. 60 IN SOA ns1.jdmulloy.com. hostmaster.mulloy.me. 2016071837 28800 7200 2419200 60
jdmulloy.com. 60 IN TXT "v=spf1 +mx:mulloy.me +a:vps-do-1.jdmulloy.com ~all"
jdmulloy.com. 60 IN SPF "v=spf1 +mx:mulloy.me +a:vps-do-1.jdmulloy.com ~all"
jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::4
jdmulloy.com. 60 IN NS ns1.jdmulloy.com.
jdmulloy.com. 60 IN NS ns2.jdmulloy.com.
jdmulloy.com. 60 IN MX 10 mail.vps-vu-1.jdmulloy.com.
jdmulloy.com. 60 IN MX 20 mail.vps-do-sfo2-float-1.jdmulloy.com.
jdmulloy.com. 60 IN A 45.63.5.150
_dmarc.jdmulloy.com. 60 IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]"
ns1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::2
ns1.jdmulloy.com. 60 IN A 45.63.5.150
ns2.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4002
ns2.jdmulloy.com. 60 IN A 138.68.36.47
test.jdmulloy.com. 60 IN A 45.63.5.150
test.jdmulloy.com. 60 IN A 138.68.36.47
vps.jdmulloy.com. 60 IN CNAME vps-vu-1.jdmulloy.com.
vps-do-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4001
vps-do-1.jdmulloy.com. 60 IN A 138.68.4.44
mail.vps-do-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4003
mail.vps-do-1.jdmulloy.com. 60 IN A 138.68.4.44
nagios.vps-do-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4005
nagios.vps-do-1.jdmulloy.com. 60 IN A 138.68.4.44
ns.vps-do-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4002
ns.vps-do-1.jdmulloy.com. 60 IN A 138.68.4.44
web.vps-do-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4004
web.vps-do-1.jdmulloy.com. 60 IN A 138.68.4.44
vps-do-sfo2-float-1.jdmulloy.com. 60 IN A 138.68.36.47
mail.vps-do-sfo2-float-1.jdmulloy.com. 60 IN AAAA 2604:a880:2:d0::24:4003
mail.vps-do-sfo2-float-1.jdmulloy.com. 60 IN A 138.68.36.47
vps-vu-1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::1
vps-vu-1.jdmulloy.com. 60 IN A 45.63.5.150
mail.vps-vu-1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::3
mail.vps-vu-1.jdmulloy.com. 60 IN A 45.63.5.150
nagios.vps-vu-1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::5
nagios.vps-vu-1.jdmulloy.com. 60 IN A 45.63.5.150
ns.vps-vu-1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::2
ns.vps-vu-1.jdmulloy.com. 60 IN A 45.63.5.150
web.vps-vu-1.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::4
web.vps-vu-1.jdmulloy.com. 60 IN A 45.63.5.150
www.jdmulloy.com. 60 IN A 45.63.5.150
www.jdmulloy.com. 60 IN AAAA 2001:19f0:300:6187::4
jdmulloy.com. 60 IN SOA ns1.jdmulloy.com. hostmaster.mulloy.me. 2016071837 28800 7200 2419200 60
;; Query time: 77 msec
;; SERVER: 2001:19f0:5:5d:5400:ff:fe2d:9358#53(2001:19f0:5:5d:5400:ff:fe2d:9358)
;; WHEN: Tue Jul 19 19:57:55 UTC 2016
;; XFR size: 43 records (messages 1, bytes 1235)
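The capture and the dig output above contain enough numbers to pin down what the sending host did, so here is an added diagnostic script (not part of the letter) that parses the two fragment lines, checks that they reassemble cleanly, and shows that the first fragment is exactly 1280 bytes on the wire (the IPv6 minimum MTU) while the full segment, 1269 TCP bytes, is the 1235-byte AXFR message plus its 2-byte TCP length prefix and a 32-byte TCP header. The sample lines are constructed from the capture with the DNS decode trimmed, and the 32-byte header assumes the nop,nop,timestamp options shown.

```python
"""Check IPv6 fragments from tcpdump -vvv output and report how the sender
sized them.  Added example; not code from the letter or from BIND/FreeBSD."""
import re
from collections import defaultdict

IPV6_MIN_MTU = 1280        # smallest MTU every IPv6 link must carry (RFC 8200)
IPV6_HDR = 40
FRAG_HDR = 8
TCP_HDR_WITH_TS = 32       # 20-byte TCP header + nop,nop,timestamp options (assumed)
TCP_DNS_LEN_PREFIX = 2     # DNS over TCP prefixes each message with a 2-byte length
AXFR_BYTES = 1235          # "XFR size: 43 records (messages 1, bytes 1235)" from dig

# Constructed sample: the two fragment lines of the capture, DNS decode trimmed.
SAMPLE = """\
19:57:55.423160 IP6 (flowlabel 0x995ed, hlim 50, next-header Fragment (44) payload length: 1240) srv > cli: frag (0x304490cb:0|1232) domain > 42905: Flags [P.], seq 1:1201, ack 44, win 1026, length 1200
19:57:55.423208 IP6 (flowlabel 0x995ed, hlim 50, next-header Fragment (44) payload length: 45) srv > cli: frag (0x304490cb:1232|37)
"""

FRAG_RE = re.compile(r"payload length: (\d+)\).*?frag \((0x[0-9a-f]+):(\d+)\|(\d+)\)")


def parse_fragments(text):
    """Group fragments by identification: {id: [(offset, length, ipv6_payload_len), ...]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if m:
            plen, frag_id, off, length = m.groups()
            groups[frag_id].append((int(off), int(length), int(plen)))
    return {k: sorted(v) for k, v in groups.items()}


def analyse(frags):
    """Validate one fragment chain (contiguous, 8-byte aligned, lengths consistent)
    and report the reassembled size versus the minimum MTU."""
    expected = 0
    for i, (off, length, plen) in enumerate(frags):
        if plen != FRAG_HDR + length:
            raise ValueError(f"payload length {plen} != {FRAG_HDR} + {length}")
        if off != expected:
            raise ValueError(f"gap or overlap at offset {off}, expected {expected}")
        if i < len(frags) - 1 and length % 8:
            raise ValueError(f"non-final fragment of {length} bytes is not 8-byte aligned")
        expected = off + length
    first_on_wire = IPV6_HDR + FRAG_HDR + frags[0][1]
    return {
        "tcp_bytes": expected,                    # TCP header + data after reassembly
        "tcp_data": expected - TCP_HDR_WITH_TS,   # matches the later "ack 1238" = seq 1 + 1237
        "unfragmented_size": IPV6_HDR + expected, # what a single packet would have been
        "first_fragment_size": first_on_wire,
        "sized_to_min_mtu": first_on_wire == IPV6_MIN_MTU,
    }
```

The result shows a 1309-byte packet that only exceeds 1280 by 29 bytes being split at the minimum MTU even though the handshake negotiated an MSS of 1440 in both directions.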