Cory Albrecht (coryalbrecht+news@hotmail.com) wrote:
> Helmut Schneider wrote:
>> Michael Dombrowski <legodudenein@hammycorp.com> wrote:
>>> problems. However, when installing packages from ports I noticed
>>> that it took a long time to start to download the package, leading
>>> me to think there was maybe a DNS problem. Upon investigations with
>>> lynx, ftp, and ssh I found out that DNS takes a very long time
>>> (>60s) to resolve. However, dig and ping both return IPs
>>> immediately. With some help from #openbsd, I stumbled on the -4
>>> option for ssh, without the option it takes a very long time to ask
>>> my password, with -4 the password prompt appears in <.5 seconds.
>>> This leads me to think there is some ipv6 problem... I haven't
>>> touched the network settings on this machine and am not doing
>>> anything with ipv6 on my router/network. Any ideas? This is a really
>>> aggravating bug.
>
>> What is in /etc/resolv.conf? 'npd -a' could be interesting, too.
>
> This sounds a lot like the typical problem of when system has IPv6
> capability but no actual IPv6 network links. The system does a DNS query
> and gets back an AAAA record for a host and then, because it has no IPv6
> link, it times out waiting for a response to an IPv6 connection to the
> returned address. Could this also be Mr. Dombrowski's problem?

Yes. What does the faq say, activate pf and reject anything that sounds
like IPv6?

-- 
Please do not feed my mailbox, Swen still does his job well
Michael Dombrowski <legodude_rrrrremove_@hammycorp.com> wrote:
> Helmut Schneider wrote:
>> Cory Albrecht (coryalbrecht+news@hotmail.com) wrote:
>>> Helmut Schneider wrote:
>>>> Michael Dombrowski <legodudenein@hammycorp.com> wrote:
>>>>> problems. However, when installing packages from ports I noticed
>>>>> that it took a long time to start to download the package, leading
>>>>> me to think there was maybe a DNS problem. Upon investigations with
>>>>> lynx, ftp, and ssh I found out that DNS takes a very long time
>>>>> (>60s) to resolve. However, dig and ping both return IPs
>>>>> immediately. With some help from #openbsd, I stumbled on the -4
>>>>> option for ssh, without the option it takes a very long time to ask
>>>>> my password, with -4 the password prompt appears in <.5 seconds.
>>>>> This leads me to think there is some ipv6 problem... I haven't
>>>>> touched the network settings on this machine and am not doing
>>>>> anything with ipv6 on my router/network. Any ideas? This is a really
>>>>> aggravating bug.
>>>
>>>> What is in /etc/resolv.conf? 'npd -a' could be interesting, too.
>>>
>>> This sounds a lot like the typical problem of when system has IPv6
>>> capability but no actual IPv6 network links. The system does a DNS query
>>> and gets back an AAAA record for a host and then, because it has no IPv6
>>> link, it times out waiting for a response to an IPv6 connection to the
>>> returned address. Could this also be Mr. Dombrowski's problem?
>>
>> Yes. What does the faq say, activate pf and reject anything that sounds
>> like IPv6?
>
> To the best of my reading, both the faq and google say nothing on the
> topic, would rejecting ipv6 traffic solve the problem? Is this a known
> issue in the default install?

This is not an issue I've ever had myself, or ever heard of anyone else
having; so I'd say it's not a `known issue in the default install'.

I'm guessing you might have an IPv6 route somewhere; my system here has

$ netstat -rnf inet6
Routing tables

Internet6:
Destination                   Gateway            Flags Refs Use Mtu   Interface
::/104                        ::1                UGRS  0    0   -     lo0
::/96                         ::1                UGRS  0    0   -     lo0
::1                           ::1                UH    12   0   33224 lo0
::127.0.0.0/104               ::1                UGRS  0    0   -     lo0
::224.0.0.0/100               ::1                UGRS  0    0   -     lo0
::255.0.0.0/104               ::1                UGRS  0    0   -     lo0
::ffff:0.0.0.0/96             ::1                UGRS  0    0   -     lo0
2002::/24                     ::1                UGRS  0    0   -     lo0
2002:7f00::/24                ::1                UGRS  0    0   -     lo0
2002:e000::/20                ::1                UGRS  0    0   -     lo0
2002:ff00::/24                ::1                UGRS  0    0   -     lo0
fe80::/10                     ::1                UGRS  0    0   -     lo0
fe80::%rl0/64                 link#1             UC    0    0   -     rl0
fe80::250:bfff:fed9:7f67%rl0  00:50:bf:d9:7f:67  UHL   0    0   -     lo0
fe80::%lo0/64                 fe80::1%lo0        U     0    0   -     lo0
fe80::1%lo0                   link#4             UHL   0    0   -     lo0
fec0::/10                     ::1                UGRS  0    0   -     lo0
ff01::%rl0/32                 link#1             UC    0    0   -     rl0
ff01::%lo0/32                 ::1                UC    0    0   -     lo0
ff02::%rl0/32                 link#1             UC    0    0   -     rl0
ff02::%lo0/32                 ::1                UC    0    0   -     lo0

That is, some link-local stuff and pretty much everything else pointing
to localhost. I've never tried connecting to a link-local address, but
otherwise this routing table seems to work (i.e., make sure IPv6 isn't
tried).

		Joachim
Cory Albrecht <coryalbrecht+news@hotmail.com> wrote:
> Helmut Schneider wrote:
>> Cory Albrecht (coryalbrecht+news@hotmail.com) wrote:
>>> Helmut Schneider wrote:
>>>> Michael Dombrowski <legodudenein@hammycorp.com> wrote:
>>>>> This leads me to think there is some ipv6 problem... I haven't
>>>>> touched the network settings on this machine and am not doing
>>>>> anything with ipv6 on my router/network. Any ideas? This is a really
>>>>> aggravating bug.
>
>>> This sounds a lot like the typical problem of when system has IPv6
>>> capability but no actual IPv6 network links. The system does a DNS query
>>> and gets back an AAAA record for a host and then, because it has no IPv6
>>> link, it times out waiting for a response to an IPv6 connection to the
>>> returned address. Could this also be Mr. Dombrowski's problem?
>
>> Yes. What does the faq say, activate pf and reject anything that sounds
>> like IPv6?
>
> I can't see how blocking IPv6 with pf would do anything unless it would
> return a no route to host or some other error. I can see it doing
> nothing and the app still waiting for a connection timeout.
>
> I've had a /48 for years from freenet6, so I'm struggling to remember
> what my system was like in this regard. I just don't remember pauses
> like this back then. When I encountered this timeout problem it was in
> Win2K and not having IPv6 properly set up and routed there.
>
> My thoughts would be to make sure that all of route6d, rtadvd and rtsold
> are turned off in /etc/rc.conf, set net.inet6.ip6.forwarding=0 and then
> "route delete -inet6 default". Maybe that might eliminate the timeout,
> but I am not sure. Or maybe using ifconfig to try and remove any
> link-local IPv6 addresses from all interfaces? (Or would they
> automagically reappear?)
>
> I don't see a sysctl setting to disable IPv6, so the only definitely
> workable situation would be to build a kernel without IPv6. However, I
> believe I have seen others mentioning potential nasty side effects with
> system utilities that expect IPv6 to be there.
>
> Out of curiosity, anybody involved with OpenBSD kernel development want
> to comment on the feasibility of a sysctl item (call it
> net.inet6.disable) that would effectively disable IPv6 and prevent
> annoying timeouts like this without having to build a new kernel? Or
> maybe just a "noipv6" for the options keyword in resolv.conf so IPv6
> addresses never get returned?

I'm not involved, but such a switch would break a lot of things (::1),
and since nobody else seems to have this problem, I don't see the
benefit.

If you want to be sure that you receive no IPv6 traffic, use pf.

		Joachim
Joachim Schipper wrote:
> Michael Dombrowski <legodude_rrrrremove_@hammycorp.com> wrote:
>> Helmut Schneider wrote:
>>> Cory Albrecht (coryalbrecht+news@hotmail.com) wrote:
>>>> Helmut Schneider wrote:
>>>>> Michael Dombrowski <legodudenein@hammycorp.com> wrote:
>>>>>> problems. However, when installing packages from ports I noticed
>>>>>> that it took a long time to start to download the package, leading
>>>>>> me to think there was maybe a DNS problem. Upon investigations with
>>>>>> lynx, ftp, and ssh I found out that DNS takes a very long time
>>>>>> (>60s) to resolve. However, dig and ping both return IPs
>>>>>> immediately. With some help from #openbsd, I stumbled on the -4
>>>>>> option for ssh, without the option it takes a very long time to ask
>>>>>> my password, with -4 the password prompt appears in <.5 seconds.
>>>>>> This leads me to think there is some ipv6 problem... I haven't
>>>>>> touched the network settings on this machine and am not doing
>>>>>> anything with ipv6 on my router/network. Any ideas? This is a really
>>>>>> aggravating bug.
>>>>> What is in /etc/resolv.conf? 'npd -a' could be interesting, too.
>>>> This sounds a lot like the typical problem of when system has IPv6
>>>> capability but no actual IPv6 network links. The system does a DNS query
>>>> and gets back an AAAA record for a host and then, because it has no IPv6
>>>> link, it times out waiting for a response to an IPv6 connection to the
>>>> returned address. Could this also be Mr. Dombrowski's problem?
>>> Yes. What does the faq say, activate pf and reject anything that sounds
>>> like IPv6?
>> To the best of my reading, both the faq and google say nothing on the
>> topic, would rejecting ipv6 traffic solve the problem? Is this a known
>> issue in the default install?
>
> This is not an issue I've ever had myself, or ever heard of anyone else
> having; so I'd say it's not a `known issue in the default install'.
>

I'll add my metoo and say that I'm running the stock (well, patched) 4.0
kernel on i386. The box has two NICs running as an edge box, NATting all
traffic. All nodes on the network understand IPv6 and in all cases it is
enabled but unused. ssh connections are all fast as long as I have a
proper resolver for internal addresses.
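Added example (not part of the thread, and not OpenBSD code): a small Python probe that reproduces the "ssh" versus "ssh -4" comparison discussed above by timing a TCP connect to each address the resolver returns, so a silent IPv6 timeout can be told apart from a fast "no route to host" failure. The function names, the 1-second threshold and the default port 22 are assumptions of this example.

```python
import socket
import sys
import time


def probe(host, port=22, timeout=5.0):
    """Connect to every address getaddrinfo() returns, in resolver order,
    and time each attempt. Returns (family, address, outcome, seconds)."""
    results = []
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    for family, socktype, proto, _canon, sockaddr in infos:
        name = "inet6" if family == socket.AF_INET6 else "inet"
        start = time.monotonic()
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            outcome = "connected"
        except socket.timeout:
            outcome = "timeout"
        except OSError as exc:  # e.g. "No route to host": fails at once
            outcome = "error: " + (exc.strerror or str(exc))
        results.append((name, sockaddr[0], outcome, time.monotonic() - start))
    return results


def diagnose(results, slow=1.0):
    """Walk the attempts the way a dual-stack client does and report how
    long failed IPv6 attempts held it up before anything connected."""
    wasted = 0.0
    for family, _addr, outcome, seconds in results:
        if outcome == "connected":
            stalled = family == "inet" and wasted >= slow
            return ("ipv6-stall" if stalled else "ok"), wasted
        if family == "inet6":
            wasted += seconds
    return "unreachable", wasted


if __name__ == "__main__":
    # Hypothetical usage: python3 v6probe.py host [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    attempts = probe(target, port)
    for family, addr, outcome, seconds in attempts:
        print(f"{family:5} {addr:40} {outcome:30} {seconds:6.2f}s")
    print(diagnose(attempts))
```

A verdict of "ipv6-stall" matches the symptom in the first post (a long wait that -4 avoids), while an IPv6 attempt that errors out immediately leaves the verdict at "ok".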