Newcomer

Bug in Sagemcom F@st5260 firmware [SG9C120074]

After resetting my router to factory, IPv6 router advertisements with prefix delegation works correctly for all devices on my LAN;  I receive the RA with v6 address of the local gateway [fe80::2481:<<REMOVED>>] and a /64 prefix delegation in the range of [2605:e000:1<<REMOVED>>], however the router is set default to obtain DNS6 from the upstream DHCP6.  That upstream DHCP6 is not offering any DNS6 settings.

 

I therefore manually set the DNS6 settings to be the new Cloudflare 1.1.1.1 equivalents:

  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

Then reboot the router for good measure.

 

After a restart (and also tested without) v6 RAs no longer include the gateway IP nor the /64 prefix delegation. i.e. IPv6 is completely dead and unroutable.  This is case for all devices connected to the LAN.  MacBooks (x3), iPhones (x3), iPads (x1), Android TV (x1), you get the point...

 

Oddly when forcing a router solicitation by running: 

sudo rtsol -dD

I get a valid response from the gateway (though still without the /64 delegation):

rtsol -dD en0
checking if en0 is ready...
en0 is ready
set timer for en0 to 0:686114
New timer is 0:00685908
timer expiration on en0, state = 1
send RS on en0, whose state is 2
set timer for en0 to 4:0
New timer is 4:00000235
received RA from fe80::b467<<REMOVED>> on en0, state is 2
stop timer for en0
there is no timer

This leads me to believe the RA returned is malformed.  I haven't gone to the level of running Wireshark traces to check the RA response but will do to provide more info when I have more time.

 

There is clearly a bug in this version of the router software.  Would you kindly look into this?

 

I'm running:

uname -a
Darwin gscurr-mbp 17.5.0 Darwin Kernel Version 17.5.0: Mon Mar  5 22:24:32 PST 2018; root:xnu-4570.51.1~1/RELEASE_X86_64 x86_64
macOS High Sierra 10.13.4 (fully patched)

 Thanks.

1 REPLY
Newcomer

Re: Bug in Sagemcom F@st5260 firmware [SG9C120074]

So the problem is multiple:

While the router *IS* actually returning Router Advertisements, it is not sending the DHCP6 options set including those parameters:

Frame 14165: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface 0
Ethernet II, Src: Sagemcom_2c:4a:32 (34:6b:<<REMOVED>>), Dst: IPv6mcast_01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::2<<REMOVED>>, Dst: ff02::1
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x2915 [correct]
    [Checksum Status: Good]
    Cur hop limit: 0
    Flags: 0xc0, Managed address configuration, Other configuration, Prf (Default Router Preference): Medium
        1... .... = Managed address configuration: Set
        .1.. .... = Other configuration: Set
        ..0. .... = Home Agent: Not set
        ...0 0... = Prf (Default Router Preference): Medium (0)
        .... .0.. = Proxy: Not set
        .... ..0. = Reserved: 0
    Router lifetime (s): 9000
    Reachable time (ms): 30000
    Retrans timer (ms): 0
    ICMPv6 Option (Prefix information : 2605:e000:1<<REMOVED>>::/64)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 64
        Flag: 0x80, On-link flag(L)
            1... .... = On-link flag(L): Set
            .0.. .... = Autonomous address-configuration flag(A): Not set
            ..0. .... = Router address flag(R): Not set
            ...0 0000 = Reserved: 0
        Valid Lifetime: 604800
        Preferred Lifetime: 604800
        Reserved
        Prefix: 2605:e000:1<<REMOVED>>::
    ICMPv6 Option (Source link-layer address : 34:6b:<<REMOVED>>)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: Sagemcom_2c:4a:32 (34:6b:<<REMOVED>>)

And secondly, the router is sending an general ICMPv6 Multicast Listener Report Exclude telling all hosts that it is no longer listening to multicast at address [ff02::2] which just happens to be the address which Router Solicitations is sent to:

Frame 14166: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0
Ethernet II, Src: Sagemcom_2c:4a:32 (34:6b:<<REMOVED>>), Dst: IPv6mcast_16 (33:33:00:00:00:16)
Internet Protocol Version 6, Src: fe80::2<<REMOVED>>, Dst: ff02::16
Internet Control Message Protocol v6
    Type: Multicast Listener Report Message v2 (143)
    Code: 0
    Checksum: 0xd2c2 [correct]
    [Checksum Status: Good]
    Reserved: 0000
    Number of Multicast Address Records: 1
    Multicast Address Record Changed to exclude: ff02::2
        Record Type: Changed to exclude (4)
        Aux Data Len: 0
        Number of Sources: 0
        Multicast Address: ff02::2

I believe this has the effect of telling all hosts that they should ignore any multicast packets received from that gateway.

 

So in summary, the LAN hosts send Router Solicitations to [ff02::2] which the gateway receives, processes and replies with Router Advertisement (though missing the manual DNS6 options specified), but the hosts ignore the multicast response because of the earlier Multicast Listener Report Exclude.