< QA | Networking
Connectivity
The following table lists basic IPv4 connectivity configurations. There are numerous less common configuration including a combination of public and private addresses and multiple public addresses.
| IPv4 connectivity | Address | Details | |||
|---|---|---|---|---|---|
| Pub | Priv | LL | Lo | ||
| Global | yes | no | no | yes | Host is connected to the Internet using a public address. |
| Masqueraded | no | yes | no | yes | Host can use services on the Internet using a masqueraded private address. |
| Local | no | yes | no | yes | Host can use local services using a private address. |
| Link-local | no | no | yes | yes | Host can use services in the broadcast domain using a link-local address (IPv4LL). |
| None | no | no | no | yes | Host cannot use services in the |
The following table lists basic IPv6 connectivity configurations. There are numerous less common configuration including a combination of public and ULA addresses or public or ULA address without a link-local one.
| IPv6 connectivity | Address | Details | |||
|---|---|---|---|---|---|
| Pub | ULA | LL | Lo | ||
| Global | yes | no | yes | yes | Host has at least one link-local address and one global address, the latter being used for global connectivity. |
| Local | no | yes | yes | yes | Host has at least one link-local address and one unique local address (ULA) used for local communication. |
| Link-local | no | no | yes | yes | Client only has a link-local address (IPv6LL). |
| None | no | no | no | yes | Client doesn't have any addresses except loopback. |
| Disabled | no | no | no | no | IPv6 has been disabled in the kernel. |
The following table lists common or somehow interesting combinations of IPv4 and IPv6 connectivity.
| IPv4 \ IPv6 | Global | Local | Link-local | None | Disabled |
|---|---|---|---|---|---|
| Global | Dual-stack server | IPv4 only server | Disabled IPv6 | ||
| Masqueraded | Dual-stack workstation | IPv4 only workstation | IPv4 only workstation on PPP | ||
| Local | |||||
| Link-local | |||||
| None | IPv6 only | IPv6LL only | Loopback only |
The above table only contains selected combinations that are of some greater interest. For example all combinations with private addresses (ULA in case of IPv6) are left out.
Details for selected connectivity combinations
TODO
How to get connectivity for everyday use
Most home and office setups offer masqueraded IPv4 connectivity. In addition they often offer global IPv6 connectivity, often firewalled. Some corporate setups, on the other hand, don't offer connectivity to remote hosts except via a proxy server. Global and unmasqueraded IPv4 and IPv6 connectivity for servers is typically available in datacenters.
IPv4 and IPv6 loopback addresses are assigned automatically at boot time. IPv6 link-local addresses are specific in that they are automatically assigned by the kernel when an interface gets connected to a network on the link layer. On the other hand, IPv4 link-local addresses only serve as a fallback for unsuccessful DHCPv4 attempt.
Note: It looks like link-local IPv4 addresses never get automatically configured in default Fedora 23 Workstation with NetworkManager. This is not necessarily a problem as it is much better to rely on ubiquitous IPv6 link-local addresses nowadays.
How to get IPv6 connectivity
Only some networks offer IPv6 addresses and only some of them offer actual global connectivity using those addresses. If you are not that lucky to have such a network at hand, you can use one of the many services that offer IPv6 subnets via IPv6 tunnels. For virtually all practical purposes tunnelled connectivity is equivalent to native one. Getting local connectivity is not different from IPv4. On the other hand, you get link-local IPv6 connectivity automatically when connected to a physical ethernet or wireless ethernet network and it is usually kept through the physical connection lifetime unlike IPv4 link-local addresses. It is normally enough to connect two client machines using a cable to get it.
TODO As far as I know NetworkManager also supports disconnected IPv6 configuration where you don't even have link-local addresses but that needs to be tested first.
There are specific situations that aren't covered in this list like global addresses without global connectivity but those need to be addressed carefully in test cases.
IPv6 tunnels
Many networks still only have IPv4 connectivity. You can overcome this limitation by configuring an IPv6 tunnel to a network with IPv6 connectivity. You can use various tunnel technologies to achieve that. There are also services like http://www.tunnelbroker.net/ that offer free tunnelled connectivity with IPv6 subnets.
How to emulate connectivity in a virtual test environment
Using two virtual machines, one can emulate any type of IPv4 and IPv6 connectivity by picking up an address block intended for documentation and testing ( 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:DB8::/32) and setting up DHCPv4, RA, DHCPv6 and DNS services on one of the virtual machines, while using the other as a client node.
Router
Server always needs to have a valid static configuration. For simple testing, you can configure the server temporarily using iproute package.
# ip address add 192.0.2.1/24 dev eth1 # ip address add 2001:db8::1/64 dev eth1
The easiest way to provide a testing IPv4 and IPv6 configuration server together with a local DNS server is using dnsmasq. The command bellow can be easily transformed into permanent configuration in dnsmasq.conf.
# dnsmasq -d \
--dhcp-range=lan,192.0.2.100,192.0.2.200,10m \
--enable-ra --dhcp-range=lan,2001:db8::1:0,2001:db8::2:0,10m
Workstation
A proper workstation installation will get configured automatically.
On the other hand you can test the server configuration using dhcpcd command from the dhcpcd package. Use the following command. If you leave out
the -T option, dhcpcd would configure kernel and /etc/resolv.conf using the information from the server.
# dhcpcd -d -T eth0
Notes on connectivity checks
Network application behavior may change based on various connectivity checks. Some of them work with IP addresses, some with routes and some are even based on attempting connections. All of the mentioned types of checks are currently present in glibc name resolution code, so you need to be careful about subtle differences in configuration.
DNS configuration
A dual-stack server is announced in DNS by at least one A record and at least one AAAA record. IPv4 only and IPv6 only servers have only A record or AAAA record respectively. Configurations with multiple A and AAAA records are interesting as well and so are configurations with SRV and other intermediate records.
Key requirements:
- The server must have a known host name
- Authoritative DNS servers must provide the right A/AAAA records
- They should be accessible over both IPv4 and IPv6
- Recursive DNS server must be able to get the records
- Local host must be able to query it and get all the records
The test environment often requires a local recursive and authoritative DNS server. In most cases a dnsmasq instance or any other forwarding nameserver with some authoritative capabilities will do the job. For testing, domains can be chosen under example.net and example.com subtrees.
Configuration examples
Dual-stack server
Using dnsmasq, /etc/dnsmasq.conf follows:
address=/server.example.net/192.0.2.1 address=/server.example.net/2001:DB8::1
Testing with netresolve:
$ netresolve --node server.example.net --protocol raw
Dual-stack server with SRV record
Using dnsmasq, /etc/dnsmasq.conf follows:
srv-host=_http._tcp.example.net,server.example.net,80,10,10 address=/server.example.net/192.0.2.1 address=/server.example.net/2001:DB8::1
Testing with netresolve:
$ netresolve --srv --node example.net --service http --protocol tcp
Common DNS issues
DNS server not accessible over IPv4 or IPv6
Recursive servers need to be accessible over one of the protocols supported by the client machine. Therefore if a network serves both IPv4-only and IPv6-only hosts, the recursive name server must be accessible via both protocols and addresses for both protocols must be advertised via automatic configuration protocols.
Authoritative servers need to be accessible over one of the protocols supported by the recursive server. When the condition for recursive servers is met, you can generally assume the recursive server will talk the same protocols the client does. Therefore an authoritative server serving A records should generally be available at least over IPv4 and one serving AAAA records should be available at least over IPv6. An authoritative server serving records for dual-stack servers should therefore be dual-stack as well.
It is therefore important that all DNS server packages are available on both protocols by default.
Lost AAAA request or reply
Lost AAAA request is typically caused by the local firewall. Lost AAAA reply may have the same cause but may also be the result of buggy recursive DNS server, authoritative DNS server or a firewall issue on the way between them.
This issue can be simulated by dropping DNS AAAA requests while keeping other requests intact. Unfortunately there seems to be no easy way to do that using conventional firewall. Possible solutions are through delegating the firewall to userspace or using pcap.
TODO: Provide a way to simulate lost AAAA requests/replies.
Note: A similar issue with dropped A records is theoretically possible.
Test cases: