[squid-users] no fallback to ipv4 if ipv6 remote address is non-functional

Brian J. Murrell brian at interlinx.bc.ca
Mon Jun 15 23:12:20 UTC 2015


On Mon, 2015-06-15 at 06:47 +1200, Amos Jeffries wrote:
> 
> 1)
> I have confirmed my suspicion that your IPv6 routing is a bit broken.

I'm not sure I agree with you entirely on that (more below)...

> The IPv6 address is in a private IP range fc00::/7.

Oh damn.  It's a ULA address.  I did not even recognize that.  The IPv6
addressing space is still foreign enough to me that I don't immediately
recognize what bits of the space certain addresses are in, unlike my
instant recognition of IPv4 private IP space.

> Which is the IPv6
> equivalent of RFC1918 10.0.0.0/8 or 182.168.0.0/16.

s/182/192/, but yes, indeed.  I see that now.

> When your Squid
> contacts it nothing at all happens within 10 seconds.

Unsurprisingly, of course.

> What should be happening is that when Squid tries to contact a network
> range which is not your own LAN fd31:aeb1:48df::/48 sub-net.

It should forward it to the Squid machine's default router.

> The routing
> system in your Squid machine responds with a "network unavailable"
> within nanoseconds.

I disagree.  While I will agree that it is good network management
practice to not allow RFC-1918 and IPv6's corresponding ULA addresses to
leak outside of your network, AFAIK, it's not a requirement.  RFC 4193
4.3 makes it a recommendation ("should") rather than a requirement
("MUST").

This is really no different than RFC-1918 addresses, which were not
always designated for their current practice and only since that
designation are also only recommended against blocking at the site
router.

> This signal which is not appearing is what Squid
> depends on to to do the failover.

(As you point out below, so I think we are in agreement) I would think
that a simple timeout to connect should be just as sufficient, just like
any other piece of software, such as telnet for example.  I would think
no software should really rely on the behaviors of (only) recommended
practices.

> Do you have an entry in the routing table for fc00::/7 or /8 ?

No.

> 2)
> Squid should still be attemoting the IPv4 address though.

Agreed.

> I also see you have Squid-3.4.3. Can you try an upgrade to 3.5.5 ?

OK.  Built and installed.

Still doesn't seem to be working.

> If the problem persists after that upgrade. Please redo with 26,5 in the
> debug list.

Sent to your e-mail.

> Also, check your proxy connect_timeout is shorter than forward_timeout.

#Default:
# forward_timeout 4 minutes

So seems it is.

> The connect timout affects these individual connections, forward_timeout
> needs to allow mulitiple (25?) of them for failover to have a chance in
> lost packet situations like this.

Interestingly enough, my override of the default of connect_timeout to
10 seconds actually makes it as close to 25 times less than
forward_timeout as I could reasonably get.  :-)

b.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150615/62a30f29/attachment.sig>


More information about the squid-users mailing list