Re: Proposal: remove IPv6-only RA draft bits to adopt DHCP option (RFC 8925)

From: Bjoern A. Zeeb <bz_at_freebsd.org>
Date: Thu, 02 Apr 2026 18:36:24 UTC
On Thu, 2 Apr 2026, Pouria Mousavizadeh Tehrani wrote:

Hi,
Cc: net also

> There is an implementation of the DRAFT_IETF_6MAN_IPV6ONLY_FLAG draft in the 
> OS. It is the excellent work of Bjoern (@bz), both the Internet-Draft and its 
> implementation.
>
> I'm requesting removal of the draft-specific bits (which are not compiled by 
> default), but first a short history from an outsider's reading of the IETF 
> archives.
>
> The draft's history is unfortunate. @bz had a great idea about making a 
> network automatically become IPv6-only by advertising it as an RA flag.
> However, the idea had a small flaw: RAs can be trivially forged and could be 
> used to maliciously disable v4 networks, so RA was not a safe transport for 
> such a flag.
> IMHO, the same attack surface could exist for DHCP, but DHCP deployments are 
> commonly protected by DHCP snooping in practice.
> That led to the conclusion that a DHCP option would be a safer place for this 
> signal.
> The draft was eventually abandoned (mailing-list archive: 
> https://mailarchive.ietf.org/arch/msg/ipv6/7nwZ6BUqbSqEC11eTqVqCOZwGI8/).
>
> Shortly after, someone else (Google) submitted the same idea as a DHCP 
> option, which became RFC 8925.
> Although the original idea came from Bjoern, neither his name nor his draft 
> is acknowledged in that RFC.
> I have not discussed this with Bjoern (cc'ed), only observed the sequence of 
> events.
> I appreciated his work; it appears to be his last draft.

Most of the above isn't actually historically right but so be it.

Just to clarify one fact: it wasn't my idea in the first place; I joined the others who
had done the first version of the draft and I did the actual implementation
to see if it would work and how well.

That said, it did and does.
People keep forgetting that FreeBSD is (was) (probably still?) the only non-router OS
shipping with a working SeND implementation (kernel + net-mgmt/send, which I think
got removed unfortunately), which can secure your RAs.

Certificates are hard, the world is still not there...


> We should move forward and align with RFC 8925.
> I use the DHCP option at my company and at home, mobiles and most devices 
> support it well.
> I'd like to make this work on my FreeBSD boxes as well.

Please do.  The one drawback DHCPv4 has: on a pure IPv6-only machine you cannot
run DHCPv4 properly anymore to even handle those "dual-stack clients" not wanting
IPv4 anymore but the world will need another decade to get there...

The good news is, that should be purely a user space feature.

You may have seen the IPv6-only semi-only-April1st Linux one yesterday
with the follow-up of thinking it should really happen:
https://lore.kernel.org/lkml/2cb91533e22ed6cb11205dbc56b8aeedbbce0cca.camel@infradead.org/
As I pointed out, it's been 15 years since FreeBSD had done so:
https://lore.kernel.org/lkml/20260401163500.AE4862D029D8@mail.sbone.de/

So by all means, the more IPv6 stuff works and turns off IPv4 on FreeBSD
the better.  I do have more WIP changes pending in places a particular project
we should be in mind.  But let's take that offlist.

Related to your request:

I have a window open here with the SVN sequence of commits which happened
as I wanted to remove this and the EXPERIMENTAL option some time before 16
anyway.  I wanted to do so before 15 but it didn't happen anymore.

Do you want me to do it myself or do you want to do it and just put me on review?
If the latter please try to catch it all in one go, including user space
as you have outlined below.


> In short, I'm asking for willingness to remove or replace the 
> EXPERIMENTAL/DRAFT_IETF_6MAN_IPV6ONLY_FLAG bits and adopt the 
> DHCP-option-based approach (RFC 8925).
> The current code locations referencing the draft are:
> Kernel:
> sys/netinet6/nd6_rtr.c: lines 107–115, 251–355, 602–604, 782–784
> sys/netinet6/nd6.h: lines 77–82
> sys/netinet/icmp6.h: #define ND_RA_FLAG_IPV6_ONLY 0x02
> sys/net/if_ethersubr.c: lines ~478–497, 544–560
>
> Userland:
> grep -r DRAFT_IETF_6MAN_IPV6ONLY_FLAG
> ./usr.sbin/rtadvd/rtadvd.c:#ifdef DRAFT_IETF_6MAN_IPV6ONLY_FLAG
> ./usr.sbin/rtadvd/Makefile:CFLAGS+=     -DDRAFT_IETF_6MAN_IPV6ONLY_FLAG
> ./usr.sbin/rtadvd/config.c:#ifdef DRAFT_IETF_6MAN_IPV6ONLY_FLAG
> ./usr.sbin/rtadvd/config.c:#ifdef DRAFT_IETF_6MAN_IPV6ONLY_FLAG
> ./usr.sbin/rtadvd/config.c:#ifdef DRAFT_IETF_6MAN_IPV6ONLY_FLAG
> ./usr.sbin/rtadvd/rtadvd.h:#ifdef DRAFT_IETF_6MAN_IPV6ONLY_FLAG
> ./usr.sbin/ndp/Makefile:CFLAGS+=        -DDRAFT_IETF_6MAN_IPV6ONLY_FLAG
> ./usr.sbin/ndp/ndp.c:#ifdef DRAFT_IETF_6MAN_IPV6ONLY_FLAG
> ./sbin/ifconfig/af_nd6.c:#ifdef DRAFT_IETF_6MAN_IPV6ONLY_FLAG
> ./sbin/ifconfig/Makefile:CFLAGS+= -DDRAFT_IETF_6MAN_IPV6ONLY_FLAG
>
> The existing implementation is reusable, but I want to ensure Bjoern and 
> others are comfortable with reworking/removing the draft-specific code and 
> moving to RFC 8925.
> Please reply if you have concerns, objections, or if you're ok with this 
> removal of this option.

/bz

-- 
Bjoern A. Zeeb                                                     r15:7
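
An added example, not part of the thread and not FreeBSD code: a defensive user-space parser for the RFC 8925 IPv6-Only Preferred option (DHCPv4 option 108) that the thread proposes adopting. The function name `v6only_wait` and the sample byte strings are constructed for illustration; the example treats an option whose length is not 4, or that the client never requested, as absent, and raises short waits to the RFC's MIN_V6ONLY_WAIT of 300 seconds.

```c
#include <stddef.h>
#include <stdint.h>

#define OPT_PAD 0
#define OPT_END 255
#define OPT_IPV6_ONLY_PREFERRED 108	/* RFC 8925 option code */
#define MIN_V6ONLY_WAIT 300u		/* RFC 8925 floor, in seconds */

/* Constructed sample option fields (the bytes after the DHCP magic cookie). */
static const uint8_t offer_ok[] = { 53, 1, 2, 108, 4, 0, 0, 7, 8, 255 };
static const uint8_t offer_low[] = { 108, 4, 0, 0, 0, 60, 255 };
static const uint8_t offer_badlen[] = { 108, 2, 0, 60, 255 };
static const uint8_t offer_trunc[] = { 53, 1, 2, 108, 4, 0, 0 };

/*
 * Walk a DHCPv4 options field. Returns 1 and stores the clamped wait time in
 * *wait when a well-formed option 108 is present and the client had listed it
 * in its Parameter Request List ("requested"); returns 0 when the option is
 * absent, malformed, truncated or unsolicited, so DHCPv4 carries on as usual.
 */
int
v6only_wait(const uint8_t *opt, size_t len, int requested, uint32_t *wait)
{
	size_t i = 0;

	while (i < len) {
		uint8_t code = opt[i++];
		if (code == OPT_PAD)
			continue;		/* pad has no length byte */
		if (code == OPT_END)
			break;
		if (i >= len)
			return 0;		/* truncated: no length byte */
		uint8_t olen = opt[i++];
		if (olen > len - i)
			return 0;		/* value runs past the buffer */
		if (code == OPT_IPV6_ONLY_PREFERRED) {
			if (!requested || olen != 4)
				return 0;
			uint32_t v = (uint32_t)opt[i] << 24 | (uint32_t)opt[i + 1] << 16 |
			    (uint32_t)opt[i + 2] << 8 | (uint32_t)opt[i + 3];
			*wait = v < MIN_V6ONLY_WAIT ? MIN_V6ONLY_WAIT : v;
			return 1;
		}
		i += olen;
	}
	return 0;
}
```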