[libvirt] Proposal: no dnsmasq (no dhcp and no dns) and no radvd option

Gene Czarcinski gene at czarc.net
Mon Nov 26 20:40:39 UTC 2012


On 11/26/2012 11:19 AM, Gene Czarcinski wrote:
> On 11/26/2012 10:40 AM, Gene Czarcinski wrote:
>> I understand that you can define multiple IPv4 and multiple IPv6 
>> gateway addresses on a network interface but only one IPv4 DHCP and 
>> one IPv6 DHCP.  I can see the need for both IPv4 and IPv6 protocols 
>> on a single network "fabric" but I am not sure how many real network 
>> "fabrics" have multiple subnetworks on them.  Yes, it could be done 
>> but I am not certain why you would do that (and I am also sure that 
>> someone has a very valid reason for doing that). 
> Oops!  There may be a problem here with radvd!
>
> I have difficulty in understanding why one would define multiple IPv6 
> (or even IPv4) subnetworks on a single interface.  Well, I guess the 
> radvd authors did also: the AdvManagedFlag on/off applies to the 
> entire interface and not a specific network.
>
> I am verifying this but there is a chance that dnsmasq could support 
> both for different subnetworks.
>
> I guess that dnsmasq could be used to support one and radvd used to 
> support the other but ???
>
> I believe this may need more discussion from others.  I would like to 
> have someone other than the two of us chime in on this.

The answer is not good.  Both radvd and dnsmasq are the same and you 
must choose stateful (DHCPv6) or stateless (SLAAC):

As Simon Kelley says:

  "OK, you prompted me to look at the code, which makes radvd's behavior 
more understandable. The Managed flag is in the header of the 
route-advertisement packet so it has, logically, to apply at all the 
prefixes contained therein. The dnsmasq implementation sets the managed 
flag if any of the prefixes has DHCPv6 available, but clients will take 
it as applying to them all."

So, for IPv6 on a virtual network you either have one IPv6 subnetwork 
with stateful DHCPv6 or you can have multiple IPv6 subnetworks with 
SLAAC addressing.

Options:

1. Ignore the true situation and keep going.  I believe some users might 
not like this and I certainly do not like this.

2. Start a separate radvd (or dnsmasq) to support stateful DHCPv6 and 
another radvd to support additional SLAAC subnetworks. [Personally, I do 
not like this solution.]  /// The problem is that this solution may not 
work.  /// I just checked and now I remember ... it will not work.  Only 
one RA server per network fabric (think virtual network interface) since 
ff02:: addresses are being used.

3. If an IPv6 DHCP range is specified, then any additional IPv6 
subnetworks are a configuration error.  I believe that this is the only 
reasonable thing to do.  So, if you want to define two IPv6 subnets, do 
it on two different interfaces.  I believe there is not much choice in 
this ... it is just the way IPv6 was defined and works.

[Aside:  I sure would like to know of a real-world need for multiple 
IPv4 or multiple IPv6 subnetworks on a single network "fabric."  The 
only possible thing I could think of is the need for a data network and 
a separate control network.  But, from a security perspective, you 
really need to use either networks with encryption separation or real 
hardware separation.]

Gene
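
The point in Simon Kelley's reply, that the Managed flag sits in the Router Advertisement header while each prefix is only an option inside it, shown against the RFC 4861 packet layout. This is an added example, not part of the original message and not code from libvirt, radvd or dnsmasq; the function names and the 2001:db8:: sample prefixes are constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement (RFC 4861, 4.2)
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861, 4.6.2)


def build_ra(managed, prefixes):
    """Construct a sample RA; prefixes is a list of (prefix, autonomous) pairs."""
    flags = 0x80 if managed else 0x00          # M flag: one bit for the whole packet
    # type, code, checksum (left 0 here), hop limit, flags, router lifetime,
    # reachable time, retrans timer = 16-byte header
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    for prefix, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix)
        opt_flags = 0x80 | (0x40 if autonomous else 0)   # L flag, A (SLAAC) flag
        pkt += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                           opt_flags, 86400, 14400, 0, net.network_address.packed)
    return pkt


def parse_ra(pkt):
    """Return (managed, other, [(prefix, autonomous), ...]) for an RA."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    managed, other = bool(pkt[5] & 0x80), bool(pkt[5] & 0x40)
    prefixes, off = [], 16
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(pkt):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = pkt[off + 2], pkt[off + 3]
            addr = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            prefixes.append((f"{addr}/{plen}", bool(pflags & 0x40)))
        off += opt_len
    return managed, other, prefixes


if __name__ == "__main__":
    # Constructed sample: one prefix meant for DHCPv6, one meant for SLAAC.
    ra = build_ra(True, [("2001:db8:1::/64", False), ("2001:db8:2::/64", True)])
    managed, other, prefixes = parse_ra(ra)
    print("Managed flag (header, applies to every prefix):", managed)
    for prefix, autonomous in prefixes:
        print(f"  {prefix}: A flag={autonomous}, no per-prefix Managed bit")
```

The Prefix Information option carries only the L and A flags, so a receiver has no field from which to learn that DHCPv6 serves one prefix and not the other.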



