Skip to Content [alt-c]

Andrew Ayer

Sections

Beware the IPv6 DAD Race Condition

One extremely frustrating problem that arises with IPv6 under Linux is the race condition caused at system boot by IPv6's Duplicate Address Detection (DAD). DAD is a new feature in IPv6 that protects against IP address conflicts. The way it works is that after an address is added to an interface, the operating system uses the Neighbor Discovery Protocol to check if any other host on the network has the same address. If it finds a neighbor with the same address, the address is removed from the interface.

The problem is that until DAD can confirm that there is no other host with the same address, the address is considered to be "tentative." While it is in this state, attempts to bind() to the address fail with EADDRNOTAVAIL, as if the address doesn't exist. That means that if you have a service configured to listen on a particular IPv6 address, and that IPv6 address is still tentative when the service starts, it will fail to bind to that address. Very few programs will try to bind again later. Most either continue without listening on the failed address, or fail to start altogether. Apache, for example, fails to start if it can't bind to an address.

DAD is fast, but not always fast enough. Since services like Apache are started soon after networking is configured on system boot, there is a race condition. Sometimes your critical services start on boot, and sometimes they don't! This is clearly not acceptable behavior for a production server.

For this reason, I always disable DAD on servers that use IPv6. When DAD is disabled, addresses are immediately usable, just like they are with IPv4. Without DAD, I have to trust myself not to shoot myself in the foot with an address conflict, but that's nothing new. Besides, most of these servers are in data centers that restrict the IP addresses on the switch port anyways.

To disable DAD, you need to write 0 to /proc/sys/net/ipv6/conf/ethX/accept_dad, where ethX is the interface, before you configure the interface. In Debian, I accomplish this using a pre-up directive on the interface stanza, like this:

iface eth0 inet6 static address 3ffe:ffff::4a:5000 netmask 64 gateway fe80::1 pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_dad

Clearly, this is less than ideal. To begin with, this problem is not well-documented, which will cause endless frustration to administrators trying to roll out IPv6. Even then, this solution is sub-optimal and would lead to the demise of DAD on servers if widely implemented. But a better solution would require more fundamental changes to either the operating system or to the applications. The operating system could pause on boot until DAD completes. Ideally, it would know which services listen on which addresses, and delay the start of only those services. Services could retry failed binds after a delay, or set the Linux-specific IP_FREEBIND socket option, which permits binding to a non-local or non-existent address. (Unfortunately, IP_FREEBIND would also let you bind to an address that truly doesn't exist.)

As IPv6 becomes more widespread, I expect this to be addressed in earnest, but until then, disabling DAD is the way to go.

Update (2013-05-05): A bug report has been filed in Debian about this issue. It proposes that ifupdown's init script not return until DAD completes on all interfaces.

Hi, I'm Andrew. I'm the founder of SSLMate, a service which automates your SSL certificate deployment. I also develop open source projects like git-crypt and titus.

I blog here about a variety of technology topics, including security, devops, IPv6, and reliable programming. If you liked this post, check out my other posts or subscribe to my Atom feed.

My email address is andrew@agwa.name. I'm AGWA at GitHub and @__agwa on Twitter.

Comments

The comments below are owned by whoever posted them. I am not responsible for them in any way.

Nice article... Helped me not to re-invent the wheel

| Posted on 2014-01-03 at 06:15:58 UTC by Reader Balakumaran | Reply to This

I think dad_transmits is the correct option , accept_dad - not sure.

| Posted on 2015-01-08 at 09:02:20 UTC by Reader Rishabh | Reply to This

dad_transmits might also work, but I've been using accept_dad on dozens of servers for 3+ years and it causes addresses to immediately become non-tentative, so I'm confident it works.

| Posted on 2015-01-08 at 16:51:32 UTC by Andrew Ayer | Reply to This

Linux now has an Optimistic DAD implementation, c.f. https://lwn.net/Articles/218597/ and RFC 4429 at, for instance, https://www.rfc-editor.org/rfc/rfc4429.txt

This option could potentially fix your problems without the need to disable DAD completely.

| Posted on 2015-01-11 at 16:07:21 UTC by Reader Mihai Moldovan | Reply to This

Thank you. This is extremely useful information. On Linux, optimistic DAD is controlled by the net.ipv6.conf.*.optimistic_dad sysctl (which is undocumented, which is why I did not know about it before now). I'll be testing this out and will update the blog post with my findings.

| Posted on 2015-01-11 at 16:31:46 UTC by Andrew Ayer | Reply to This

Interested to know how optimistic DAD worked out for you. I'm not sure why, but I'm still getting services failing to start at boot with optimistic DAD.

In specific, on a VPS back by SSD storage, running OpenSMTPD on Arch Linux, I'm still getting errors regarding the bind address being unavailable.

Weirdly enough, adding sleep times (in the order of 5 seconds) before service start or restarting the service after a time-out did not help (not that they would be acceptable `solutions'), but disabling DAD did. I suspect there is more going on that I don't know about, because I can't explain these observations.

| Posted on 2016-06-07 at 21:34:14 UTC by Reader Maarten | Reply to This

Andrew, thanks much for this article and Mihai, thanks for the info on optimistic DAD. Very useful.

| Posted on 2015-04-23 at 17:42:16 UTC by Reader Joshua Johnson | Reply to This

Thanks for the tip. This issue apparently still exists on Ubuntu 15.10, and this page helped me work around it. I hope the Ubuntu team makes IPv6 support a priority soon... DHCPv6 not working out of the box counts as "badly broken" in my book. (Maybe the issue also exists in Debian still. I have not tested.)

| Posted on 2016-04-09 at 03:42:37 UTC by Reader James Johnston | Reply to This

Here's how I tackle this using zsh without having to disable duplicate address detection:

ip -6 addr add 2001:DB8:1234:f00::2/64 dev eth0 wait_dad=0 until (( ++wait_dad > 100 )) { grep -q 2001:DB8:1234:f00::1 <(ip -6 r l table local) && no_da=1 && break sleep 0.2 } (( no_da )) && ip -6 r a 2001:DB8::/32 via 2001:DB8:1234:f00::ffff dev eth0 src 2001:DB8:1234:f00::2

The trick is; once dad detection has finished and the address is safe to use (no one uses it on the network already), the address is added to the local ipv6 route table. So, we wait max 20 seconds for it (should never be reached) and if we find the address in the local table, we can add the route.

The code should be easy enough for people who don't use zsh to read and adapt for their preferred shell.

Hope this helps others.

| Posted on 2016-09-01 at 23:21:56 UTC by Reader Mark | Reply to This

Post a Comment

Your comment will be public. If you would like to contact me privately, please email me. Please keep your comment on-topic, polite, and comprehensible. Use the "Preview" button to make sure your comment is properly formatted. Name and email address are optional. If you specify an email address it will be kept confidential.

Post Comment


(Optional; will be published)


(Optional; will not be published)


(Optional; will be published)


  • Blank lines separate paragraphs.
  • Lines starting with ">" are indented as block quotes.
  • Lines starting with two spaces are reproduced verbatim.
  • Text surrounded by *asterisks* is italicized.
  • Text surrounded by `back ticks` is monospaced.
  • URLs are turned into links.