ipv6 NAT; accept_ra errors and about network choice
Ian Wienand
iwienand at redhat.com
Wed Aug 12 04:33:23 UTC 2020
Hello, thanks for looking!
On Tue, Aug 11, 2020 at 11:52:46PM -0400, Laine Stump wrote:
> > The first problem I hit was trying to start that network:
> >
> > error: internal error: Check the host setup: enabling IPv6 forwarding
> > with RA routes without accept_ra set to 2 is likely to cause routes
> > loss. Interfaces to look at: wlp4s0
> >
> I can see 3 possibilities:
>
> 3) try to make libvirt's code intelligent, and look for clues that RAs are
> handled elsewhere (someone would need to figure out what those "clues" are).
Perhaps my proposal at [1] falls into this category. The theory is to
only warn when an interface is already set to 1 [2] because that seems
to be when you would be expecting the interface to accept RA's, but
enabling forwarding would inhibit it. From sysctl docs:
Possible values are:
0 Do not accept Router Advertisements.
1 Accept Router Advertisements if forwarding is disabled.
2 Overrule forwarding behaviour. Accept Router Advertisements
even if forwarding is enabled.
> > The other thing that I'd like to expand the documentation on, if I can
> > get some clarity, is the choice of network. It seems like it has to
> > be a /64, and it seems like the best choice is within fc00::/7, or at
> > least that is what has been assigned for private networks like this
> > [3]?
>
> "locally assigned" addresses in IPv6 are... different. I've been trying to
> figure this out myself (in order to *automatically* assign a network address
> to a libvirt virtual network, as Dan suggested in the cover letter for the
> IPv6 NAT patches), and I *think* you need to at least set the lowest bit of
> the first byte of the address (that's the "locally assigned" bit). So that
> would mean that all networks should be somewhere within FD00::/8 (but please
> correct me if I'm wrong!)
... different ... indeed! :) I've proposed [3] with what I've found
out. Yes I agree it seems the intent of FD00::/8 is to be somewhat
analogous to 192.168 ... but you know of course it's IPv6 so there's a
page worth of details in the RFC on how to generate 40 random bits ...
> > The only problem with this is that I think glibc filters this range so
> > nothing prefers IPv6.
>
> What?? Exactly what isn't preferring IPv6? Do you mean outbound connections
> that would be to an IPv6 address will be nixed in favor of an IPv4 address
> if the source IP of the connection was going to be in FC00::/7? Or something
> else? Do you have a reference for this?
> The man page for gai.conf *implies* that glibc is following the preference
> rules suggested in RFC3484, which was written prior to RFC4193, so it seems
> strange that it would give any special treatment to addresses in that range.
> Does it behave in the same way if you use FD00::... instead of FC00::...?
> (probably, but worth checking)
Yeah, on my Fedora 32 host I have to override gai.conf to prefer ipv6
(there is no default /etc/gai.conf) with what I took directly from RFC3484
---
label ::1/128 0
label ::/0 1
label 2002::/16 2
label ::/96 3
label ::ffff:0:0/96 4
precedence ::1/128 50
precedence ::/0 40
precedence 2002::/16 30
precedence ::/96 20
precedence ::ffff:0:0/96 10
---
I think the gai.conf it is actually using is reflected in
/usr/share/doc/glibc-common/gai.conf; which has this comment:
# This default differs from the tables given in RFC 3484 by handling
# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
# The reason for this difference is that these addresses are never
# NATed while IPv4 site-local addresses most probably are. Given
# the precedence of IPv6 over IPv4 (see below) on machines having only
# site-local IPv4 and IPv6 addresses a lookup for a global address would
# see the IPv6 be preferred. The result is a long delay because the
# site-local IPv6 addresses cannot be used while the IPv4 address is
# (at least for the foreseeable future) NATed. We also treat Teredo
# tunnels special.
(it must be compiled in defaults?) So; it seems a choice made by the
practicalities of basically people having these addresses that
*weren't* routable and having a terrible experience. Of course, now
legitimate use is collateral damage. Perhaps we should raise this
with the distro -- but I expect if they update it, they might be back
in the position of people reporting "why is my website taking 30
seconds to load" :/ Of course I'm sure other distros have made other
choices too.
> (BTW, he was playing around with defining an IPv6 libvirt network that used
> the same network as the host's physical interface, then turning on
> ndp-proxy, and finally adding a host route for each guest IP; this permits
> the guests to all be on the same IPv6 network as the host; if we can get all
> of those steps automated in a libvirt virtual network, it will be even
> better than IPv6 NAT!)
I just want to access ipv6 only clouds on my laptop from my work VM
over wifi and plugged into the docking station :) That might be
similar to what VirtualBox does? That allows a guest to have a NIC
bridged to a wifi card, that seems to get an address (RA makes it in?)
but no packets flow for me. Apparently with some wireless NICs it
might work, but not mine I guess.
-i
[1] https://www.redhat.com/archives/libvir-list/2020-August/msg00437.html
[2] https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
[3] https://www.redhat.com/archives/libvir-list/2020-August/msg00438.html
More information about the libvirt-users
mailing list