Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-04 Thread Stephen John Smoogen 
On 4 November 2015 at 02:20, Toby Goodwin  wrote:
> As well as Fedora itself, we need to get the infrastructure IPv6 ready.
> My company has developed an IPv6 health checker. Given a domain, it
> tests its nameservers, webservers, and mailservers for IPv6 readiness.
>
> Currently fedoraproject.org scores 4 out of 9, so there's some room for
> improvement!
>
>   https://www.mythic-beasts.com/ipv6/health-check?domain=fedoraproject.org
>
> It seems odd that there are  records for ns0[25], but they point to
> "dead:beef" addresses that are unreachable. Is this deliberate? Seems
> like it will just slow things down for any resolver that happens to
> try the IPv6 address first. (And of course the domain is completely
> unresolvable from a "pure" IPv6 client.)
>

Thank you for letting us know this. No it is not deliberate... and I
would really like to know this outside of a message marketing your
service on a mailing list.

> Toby.
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct



-- 
Stephen J Smoogen.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-04 Thread Pavel Simerda 
- Original Message -
> From: "Zdenek Kabelac" <zkabe...@redhat.com>
> To: "Development discussions related to Fedora" 
> <devel@lists.fedoraproject.org>
> Sent: Wednesday, November 4, 2015 1:43:12 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> 
> Dne 4.11.2015 v 13:24 Petr Spacek napsal(a):
> > On 3.11.2015 18:50, Moez Roy wrote:
> >> Hi Pavel Simerda,
> >>
> >> The IPv6 updates are breaking stuff (and probably increasing the
> >> attack surface):
> >>
> >> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> >> in /etc/sysctl.conf
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> >>
> >> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> >> in /etc/sysctl.conf
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
> >>
> >> (maybe other software like avahi also don't remember right now)
> >>
> >> You can reproduce this by putting "ipv6.disable=1" in the kernel command
> >> line.
> >>
> >> Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
> >> security provided by SELinux so it is not an option.
> >>
> >> Would appreciate fixes please. Thanks.
> >
> > "ipv6.disable=1" or blacklisting ipv6 modules is going against contemporary
> > ways how network APIs. Many contemporary software projects are
> > using IPv6-enabled network calls by default because both IPv6 and IPv4
> > share the same name space on the machine so you only need to listen on a
> > IPv6 port to accept both IPv4 and IPv6.
> >
> > Apparently this is not Fedora-specific in any way because ArchLinux says
> > the same:
> > https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6
> >
> > "net.ipv6.conf.all.disable_ipv6=1" is good enough and should not have
> > negative
> > side-effects of "ipv6.disable=1".
> >
> > Having said that, I'm proposing to close all issues caused by
> > "ipv6.disable=1"
> > as WONTFIX.
> 
> Hi
> 
> I strongly object against this idea.
> 
> System needs to work in  IPv4 environment  and with kernel without IPv6
> enabled.
> 
> There is number of reasons for keeping this possibility enabled - e.g.
> I want to use  older kernel for regression testing, I want to have disabled
> IPv6 stack for security reasons and lots of other...

I'm not taking any side in this discussion and will mostly attempt to reflect
actual usage, i.e. most installations dual-stack, some installations with
IPv6 disabled, no installations with IPv4 disabled (due to kernel inability
to disable IPv4).

> So please do not replace coder's inability

The project is about IPv6 and dual-stack testing and improvements. Insulting
authors who didn't make their software work with ipv6.disabled=1 isn't helpful.

> to write correct code to handle dual socket interface

In some cases software authors do not expect a situation when
`socket(family=AF_INET6)` fails but `socket(family=AF_INET)`
succeeds. It is indeed a very special situation that such a
basic thing in the system fails.

And that is indeed a very special situation. On most installation
the `socket()` calls with correct arguments will never fail. And
the IPv4 variant won't fail in any case which creates an undue
assymetry.

> with disabling usage of while Fedora on kernel with
> IPv6 disabled.
> 
> I'm fine if the particular software package would be  IPv6 only - as long
> as there is no IPv4-only user who cares - it's correct way.

Whether a package is IPv6 only and whether a package works with
ipv6.disabled=1 are two distinct things that need to be tested
separately. On the other IPv6 only packages are a very rare
phenomenon.

> Just do NOT make such package a core system dependency - it has to remain
> optional.

I don't see any reason to make a distinction between a dual-stack package
with IPv4 and IPv6 functionality and two distinct packages, one IPv4 only,
the other IPv6 only in this respect. Either way you end up with features
required for both protocols.

Anyway, are there any specific packages that are mandatory in Fedora or
might become so? I'd like to avoid discussions about something purely
hypothetical.

Cheers,

Pavel
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-04 Thread Pavel Simerda 
- Original Message -
> From: "Toby Goodwin" <t...@paccrat.org>
> To: devel@lists.fedoraproject.org
> Sent: Wednesday, November 4, 2015 10:20:00 AM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> 
> As well as Fedora itself, we need to get the infrastructure IPv6 ready.

Definitely. Although it is such a distinct subproject that we could really
use some help.

> My company has developed an IPv6 health checker. Given a domain, it
> tests its nameservers, webservers, and mailservers for IPv6 readiness.
> 
> Currently fedoraproject.org scores 4 out of 9, so there's some room for
> improvement!
> 
>   https://www.mythic-beasts.com/ipv6/health-check?domain=fedoraproject.org
> 
> It seems odd that there are  records for ns0[25], but they point to
> "dead:beef" addresses that are unreachable.

Good catch. Now we have our own infrastructure to test how clients cope with
DNS records pointing to blackhole addresses. It's even worse than a missing
IPv6 capable NS. Could you please start a bug report for that?

Cheers,

Pavel

> Is this deliberate? Seems
> like it will just slow things down for any resolver that happens to
> try the IPv6 address first. (And of course the domain is completely
> unresolvable from a "pure" IPv6 client.)
> 
> Toby.
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-04 Thread Petr Spacek 
On 3.11.2015 18:50, Moez Roy wrote:
> Hi Pavel Simerda,
> 
> The IPv6 updates are breaking stuff (and probably increasing the
> attack surface):
> 
> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> 
> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
> 
> (maybe other software like avahi also don't remember right now)
> 
> You can reproduce this by putting "ipv6.disable=1" in the kernel command line.
> 
> Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
> security provided by SELinux so it is not an option.
> 
> Would appreciate fixes please. Thanks.

"ipv6.disable=1" or blacklisting ipv6 modules is going against contemporary
ways how network APIs. Many contemporary software projects are
using IPv6-enabled network calls by default because both IPv6 and IPv4
share the same name space on the machine so you only need to listen on a
IPv6 port to accept both IPv4 and IPv6.

Apparently this is not Fedora-specific in any way because ArchLinux says the 
same:
https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6

"net.ipv6.conf.all.disable_ipv6=1" is good enough and should not have negative
side-effects of "ipv6.disable=1".

Having said that, I'm proposing to close all issues caused by "ipv6.disable=1"
as WONTFIX.

-- 
Petr Spacek  @  Red Hat
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-04 Thread Zdenek Kabelac 

Dne 4.11.2015 v 13:24 Petr Spacek napsal(a):

On 3.11.2015 18:50, Moez Roy wrote:

Hi Pavel Simerda,

The IPv6 updates are breaking stuff (and probably increasing the
attack surface):

Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
in /etc/sysctl.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1231946

Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
in /etc/sysctl.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1251762

(maybe other software like avahi also don't remember right now)

You can reproduce this by putting "ipv6.disable=1" in the kernel command line.

Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
security provided by SELinux so it is not an option.

Would appreciate fixes please. Thanks.


"ipv6.disable=1" or blacklisting ipv6 modules is going against contemporary
ways how network APIs. Many contemporary software projects are
using IPv6-enabled network calls by default because both IPv6 and IPv4
share the same name space on the machine so you only need to listen on a
IPv6 port to accept both IPv4 and IPv6.

Apparently this is not Fedora-specific in any way because ArchLinux says the 
same:
https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6

"net.ipv6.conf.all.disable_ipv6=1" is good enough and should not have negative
side-effects of "ipv6.disable=1".

Having said that, I'm proposing to close all issues caused by "ipv6.disable=1"
as WONTFIX.


Hi

I strongly object against this idea.

System needs to work in  IPv4 environment  and with kernel without IPv6 enabled.

There is number of reasons for keeping this possibility enabled - e.g.
I want to use  older kernel for regression testing, I want to have disabled
IPv6 stack for security reasons and lots of other...

So please do not replace coder's inability to write correct code to handle 
dual socket interface with disabling usage of while Fedora on kernel with IPv6 
disabled.


I'm fine if the particular software package would be  IPv6 only - as long
as there is no IPv4-only user who cares - it's correct way.

Just do NOT make such package a core system dependency - it has to remain 
optional.


Regards

Zdenek

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-04 Thread Tomas Hozza 
On 04.11.2015 15:22, Pavel Simerda wrote:
> - Original Message -
> > From: "Zdenek Kabelac" <zkabe...@redhat.com>
> > To: "Development discussions related to Fedora" 
> > <devel@lists.fedoraproject.org>
> > Sent: Wednesday, November 4, 2015 1:43:12 PM
> > Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> >
> > Dne 4.11.2015 v 13:24 Petr Spacek napsal(a):
> >> On 3.11.2015 18:50, Moez Roy wrote:
> >>> Hi Pavel Simerda,
> >>>
> >>> The IPv6 updates are breaking stuff (and probably increasing the
> >>> attack surface):
> >>>
> >>> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> >>> in /etc/sysctl.conf
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> >>>
> >>> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> >>> in /etc/sysctl.conf
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
> >>>
> >>> (maybe other software like avahi also don't remember right now)
> >>>
> >>> You can reproduce this by putting "ipv6.disable=1" in the kernel command
> >>> line.
> >>>
> >>> Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
> >>> security provided by SELinux so it is not an option.
> >>>
> >>> Would appreciate fixes please. Thanks.
> >>
> >> "ipv6.disable=1" or blacklisting ipv6 modules is going against contemporary
> >> ways how network APIs. Many contemporary software projects are
> >> using IPv6-enabled network calls by default because both IPv6 and IPv4
> >> share the same name space on the machine so you only need to listen on a
> >> IPv6 port to accept both IPv4 and IPv6.
> >>
> >> Apparently this is not Fedora-specific in any way because ArchLinux says
> >> the same:
> >> https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6
> >>
> >> "net.ipv6.conf.all.disable_ipv6=1" is good enough and should not have
> >> negative
> >> side-effects of "ipv6.disable=1".
> >>
> >> Having said that, I'm proposing to close all issues caused by
> >> "ipv6.disable=1"
> >> as WONTFIX.
> >
> > Hi
> >
> > I strongly object against this idea.
> >
> > System needs to work in  IPv4 environment  and with kernel without IPv6
> > enabled.
> >
> > There is number of reasons for keeping this possibility enabled - e.g.
> > I want to use  older kernel for regression testing, I want to have disabled
> > IPv6 stack for security reasons and lots of other...
>
> I'm not taking any side in this discussion and will mostly attempt to reflect
> actual usage, i.e. most installations dual-stack, some installations with
> IPv6 disabled, no installations with IPv4 disabled (due to kernel inability
> to disable IPv4).
>
> > So please do not replace coder's inability
>
> The project is about IPv6 and dual-stack testing and improvements. Insulting
> authors who didn't make their software work with ipv6.disabled=1 isn't 
> helpful.
>
> > to write correct code to handle dual socket interface
>
> In some cases software authors do not expect a situation when
> `socket(family=AF_INET6)` fails but `socket(family=AF_INET)`
> succeeds. It is indeed a very special situation that such a
> basic thing in the system fails.
>
> And that is indeed a very special situation. On most installation
> the `socket()` calls with correct arguments will never fail. And
> the IPv4 variant won't fail in any case which creates an undue
> assymetry.
>
> > with disabling usage of while Fedora on kernel with
> > IPv6 disabled.
> >
> > I'm fine if the particular software package would be  IPv6 only - as long
> > as there is no IPv4-only user who cares - it's correct way.
>
> Whether a package is IPv6 only and whether a package works with
> ipv6.disabled=1 are two distinct things that need to be tested
> separately. On the other IPv6 only packages are a very rare
> phenomenon.
>
> > Just do NOT make such package a core system dependency - it has to remain
> > optional.
>
> I don't see any reason to make a distinction between a dual-stack package
> with IPv4 and IPv6 functionality and two distinct packages, one IPv4 only,
> the other IPv6 only in this respect. Either way you end up with features
> required for both protocols.
>
> Anyway, are there any specific packages that are mandatory in Fedora or
> might become so? I'd like to avoid discussions about something purely
> hypothetical.

With the default DNS resolver change Unbound and dnssec-trigger would be
installed by default.

> Cheers,
>
> Pavel
>

Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-04 Thread Kevin Fenzi 
On 04 Nov 2015 09:20:00 -
Toby Goodwin  wrote:

> As well as Fedora itself, we need to get the infrastructure IPv6
> ready. My company has developed an IPv6 health checker. Given a
> domain, it tests its nameservers, webservers, and mailservers for
> IPv6 readiness.
> 
> Currently fedoraproject.org scores 4 out of 9, so there's some room
> for improvement!
> 
>   https://www.mythic-beasts.com/ipv6/health-check?domain=fedoraproject.org
> 
> It seems odd that there are  records for ns0[25], but they point
> to "dead:beef" addresses that are unreachable. Is this deliberate?

no. When you see something like this, please report it to Fedora
infrastructure so we can get it fixed. 

> Seems like it will just slow things down for any resolver that
> happens to try the IPv6 address first. (And of course the domain is
> completely unresolvable from a "pure" IPv6 client.)

Right. 

I have fixed the 2 nameservers now. 

We now score 7 of 9. 

The other 2 points seem to be for ipv6 MX records. 
I'm not sure thats likely to change anytime soon. We currently have
redhat.com handle our incoming emails to fedoraproject.org and do some
spam filtering, etc. While we could change this, it's not something we
want to do quickly or lightly. 

kevin




pgpFdaJwQtQZk.pgp
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-04 Thread Toby Goodwin 
As well as Fedora itself, we need to get the infrastructure IPv6 ready.
My company has developed an IPv6 health checker. Given a domain, it
tests its nameservers, webservers, and mailservers for IPv6 readiness.

Currently fedoraproject.org scores 4 out of 9, so there's some room for
improvement!

  https://www.mythic-beasts.com/ipv6/health-check?domain=fedoraproject.org

It seems odd that there are  records for ns0[25], but they point to
"dead:beef" addresses that are unreachable. Is this deliberate? Seems
like it will just slow things down for any resolver that happens to
try the IPv6 address first. (And of course the domain is completely
unresolvable from a "pure" IPv6 client.)

Toby.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: SELinux & disabled IPv6 (was: Re: Fedora IPv6 testing and improvements - request for ideas)

2015-11-04 Thread Moez Roy 
On Tue, Nov 3, 2015 at 9:06 PM, Scott Schmit  wrote:
> On Tue, Nov 03, 2015 at 09:50:53AM -0800, Moez Roy wrote:
>> The IPv6 updates are breaking stuff (and probably increasing the
>> attack surface):
>>
>> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>>
>> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
>
> Your bugs' subjects complain that software X is ignoring configuration for
> software Y.  That's expected for any X & Y where X != Y.  In other
> words, you shouldn't expect unbound and/or dnssec-triggerd to be looking
> at *kernel* configuration settings.
>
> Looking at the bugs' bodies, it appears that because IPv6 isn't there,
> some kernel module auto-load configuration is trying to auto-load IPv6
> and SELinux is prohibiting the action.  That or the tool is explicitly
> trying to load the module, but I rather doubt this.
>
> You note the SELinux policy alert but don't identify if this actually
> breaks anything.  The right answer could be as simple as changing the
> SELinux policy to mark this transition/action as dontaudit (or just
> ignore the audit message).
>
> Ah, a google search for `selinux "request-module"' leads me here:
> https://bugzilla.redhat.com/show_bug.cgi?id=527936 which appears to
> agree with the above.
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Yes in this case it doesn't break anything if you just ignore the
message. I am forwarding this to the SElinux list so hopefully they
can add a rule if ipv6 is disabled in the grub config don't audit this
message.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Pavel Simerda 
- Original Message -
> From: "Chris Adams" <li...@cmadams.net>
> To: devel@lists.fedoraproject.org
> Sent: Thursday, October 29, 2015 9:30:12 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> 
> Once upon a time, Zach Villers <zachvatw...@gmail.com> said:
> > If it helps, Sixxs (https://www.sixxs.net/main/) is a very highly
> > recommended tunnel broker. I have not tried it and am not affiliated. I do
> > have ipv6 capability from my isp, so could help with testing.

Hi Zach (replying at once),

I'm afraid we generally cannot recommend SixXS as they are very strict
and very picky on connecting automatically to the service and we (Fedora)
had problems with that before.

> There's also Hurricane Electric's free IPv6 tunnels.

Their tunnelbroker.net service is already mentioned in the following page.

https://fedoraproject.org/wiki/QA/Networking/Test_environment

Cheers,

Pavel
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Josef Bacik 
So one thing I would suggest is testing ipv6 only environments.  At
Facebook we are running into and fixing a whole host of problems with
NetworkManager, Anaconda, Dracut, etc. because they don't handle ipv6
only very well.  It seems that having ipv4 enabled allows things to
work well enough that nobody notices problems with ipv6.  Thanks,

Josef

On Tue, Nov 3, 2015 at 12:50 PM, Moez Roy  wrote:
> Hi Pavel Simerda,
>
> The IPv6 updates are breaking stuff (and probably increasing the
> attack surface):
>
> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>
> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
>
> (maybe other software like avahi also don't remember right now)
>
> You can reproduce this by putting "ipv6.disable=1" in the kernel command line.
>
> Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
> security provided by SELinux so it is not an option.
>
> Would appreciate fixes please. Thanks.
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Moez Roy 
Hi Pavel Simerda,

The IPv6 updates are breaking stuff (and probably increasing the
attack surface):

Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
in /etc/sysctl.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1231946

Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
in /etc/sysctl.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1251762

(maybe other software like avahi also don't remember right now)

You can reproduce this by putting "ipv6.disable=1" in the kernel command line.

Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
security provided by SELinux so it is not an option.

Would appreciate fixes please. Thanks.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Pavel Simerda 
- Original Message -
> From: "Scott Schmit" <i.g...@comcast.net>
> To: devel@lists.fedoraproject.org
> Sent: Friday, October 30, 2015 2:10:41 AM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> 
> On Thu, Oct 29, 2015 at 11:15:10AM -0400, Pavel Simerda wrote:
> > I am writing to Fedora development mailing lists to get opinions
> > and ideas regarding our project on improving IPv6 support in
> > Fedora across its components.
> > 
> > https://fedoraproject.org/wiki/QA/Networking
> > 
> > Most prominent subpages:
> > 
> >  * https://fedoraproject.org/wiki/QA/Networking/Test_environment
> 
> It may make sense to have a IPv6 case between global & local that has
> all 4 categories of address (I see this as loosely analogous to the IPv4
> masqueraded case).

Hi Scott,

thanks for your feedback.

You can of course have combinations. We can add that once we have
specific test cases that would show importance of a standalone category
for such a setup. Otherwise one would usually view IPv6 global and IPv6
local communication as two isolated things.

> Another case would be multi-homed IPv6, where you have global IPv6
> addresses from multiple sources (could be two ISPs, two tunnel
> providers, or one ISP and one tunnel provider).

Interesting. Any specific test cases for that?

> IPv6 is designed to be inherently more dynamic than IPv4 (particularly
> with RAs) -- we should test transitions between connectivity states
> (simulating an ISP connection dropping and coming back up or a router
> going down and coming back up).

While IPv6 is designed to be inherently dynamic, operators seem to be
avoiding it as much as possible and use it in a way more similar to
IPv4. Specific test cases and common usage are welcome, though.

> Speed differences between IPv6 & IPv4 could be a factor as well (happy
> eyeballs) -- though reportedly IPv6 has tended to be faster than IPv4
> rather than the previously-expected inverse.
> 
> Checking support for DHCPv6-PD would also be valuable.

We're not really focusing on a Fedora based router use case. As always,
that doesn't mean someone cannot join and extend the effort. If you're
interested in the classic connection sharing feature, it may be better
to contact NetworkManager developers directly.

Cheers,

Pavel
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Pavel Simerda 
- Original Message -
> From: "Michael Cronenworth" <m...@cchtml.com>
> To: devel@lists.fedoraproject.org
> Sent: Friday, October 30, 2015 10:37:59 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> 
> On 10/29/2015 10:15 AM, Pavel Simerda wrote:
> >   *https://fedoraproject.org/wiki/QA/Networking/Test_environment
> 
> Don't forget about 6to4[1]... everyone should have access to this unless your
> ISP
> blocks the routes. It doesn't require an account or 3rd party host that the
> tunnels
> require.
> 
> NetworkManager ifcfg settings:
> IPV6TO4INIT, IPV6TO4_ROUTING, and if you run a server. IPV6_CONTROL_RADVD
> 
> Some ISPs provide 6rd[2] access, which is the next step above 6to4.

Hi Michael,

we will consider this although I think 6to4 and 6rd rather belong to the
network infrastructure and we do not really focus on router use cases.

Cheers,

Pavel

> 
> [1] https://en.wikipedia.org/wiki/6to4
> [2] https://en.wikipedia.org/wiki/IPv6_rapid_deployment
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Peter Robinson 
>> In the above page:
>> * Network configuration: I see NetworkManager in there but nothing
>> about systemd-networkd
>
> I used browser search in that page and 'systemd' (which is the name
> of the source package that provides systemd-networkd) is listed.

I wasn't sure whether it meant systemd in general such as port based
service activation or networkd subset of that or combinations of all
the options.

>> * Other: firewalld including zones and other such configurations (you
>> mention iptables)
>
> The firewalld package is also mentioned.

Yes, I found that later on when re-reading.

>> > Most prominent subpages:
>> >
>> >  * https://fedoraproject.org/wiki/QA/Networking/Test_environment
>>
>> In this section I see "IPv6 node" but nothing that covers a IPv6 only
>> routed network with IPv6 to IPv4 gateway ie it runs v6 only internally
>> but uses 6 to 4 services for legacy services.
>
> That is an interesting points. It sort of falls into the IPv6 only case
> but has enough specifics to be mentioned, at the least.
>
>> >  * https://fedoraproject.org/wiki/QA/Networking/Client_software
>>
>> Again nothing about a native IPv6 only network with a gateway that
>> supports 6to4 for legacy services outside the network.
>
> To be honest we are most interested in native connectivity. If anyone
> needs to use tunneled connectivity as a workaround, he should probably
> choose a mechanism that provides comparable results. On the other hand,
> the biggest difference in 6to4 when using the `2002::/16` subprefixes
> is that it is not preferred over IPv4 addresses by default according
> to RFC 6724.

It's still a valid use case that we should be testing to ensure as
networks migrate it provides a good user experience.

>> What about a iOS9 style preferring of IPv6 over IPv4 in the general
>> desktop. In the iOS9 case they do network measurements and favour IPv6
>> bydefault, and if it's going to be faster but fail back quickly if
>> it's not, how would we deal with this?
>
> In my opinion this is out of scope of the networking QA project as
> we see it.

Why? It's a completely relevant usecase and if there's options where
it'd faster and provides better user experience, or the inverse it's
slower and provides a poor user experience why wouldn't we want to
test it?

>> >  * https://fedoraproject.org/wiki/QA/Networking/Server_software
>>
>> Nothing in here about:
>> * IPv6 services RA, dhcp6, 6 to 4 proxies, 4 to 6 proxies and other
>> such transition servers
>
> That is correct. The page is about general networking server workflow,
> for network configuration details see the respective document below.
>
> https://fedoraproject.org/wiki/QA/Networking/Configuration
>
>> * what about VPN services like a IPv6 only network connecting to a
>> dual stack VPN, or a IPv4 only VPN or a number of combinations there
>> of IE interfaces that are v6 only and ones that are v4 only. What
>> happens with routing then if there's other 6 to 4 services in play?
>
> Like in the following bug report? Yes, that sounds useful to add
> somewhere.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1091356
>
>> * Load balancers ie like facebook uses to bridge external dual stack
>> to IPv6 only internal services, or providing IPv6 externally to
>> present internal v4 services externally to v6
>
> I don't think we (people currently involved in the project) have the
> capacity to test Fedora based services with load balancers. Anyone
> is free to submit bug reports, though.

I meant more for things like HAproxy as shipped in Fedora, or for
things like OpenShift which depends on components like HAproxy, I
mention OpenShift because the council is investigating it as an
objective [1]

[1] 
https://lists.fedoraproject.org/pipermail/council-discuss/2015-September/013694.html

>> There's also nothing I can see from a quick read about offload
>> engines. A lot of 10Gb+ network interfaces have offloads for generic
>> IP, TCP, other acceleration to enable to do line speed 10+gb on IPv4,
>> we obviously want acceleration because IPv6 headers are larger and
>> hence take up more memory.
>
> It is not explicitly stated (and that should be fixed) that we
> are focusing on userspace and configuration, not kernel networking
> features. That doesn't prevent anyone from joining and extending the
> project nor from filing kernel bug reports and feature requests.

Well things like dpdk are userspace and integrate with things like
virtualisation, docker, openvswitch etc, are those sort of userspace
in your remit?

>> There's toolkits like dpgk (
>> http://dpdk.org ) for acceleration of packets across large bandwidth
>> interfaces but I don't see any mention of that or network IO
>> virtualisation/offload.
>>
>> Facebook and others have been testing these sorts of things:
>>
>> https://code.facebook.com/posts/1123882380960538/linux-ipv6-improvement-routing-cache-on-demand/
>>

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Major Hayden 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 10/29/2015 10:15 AM, Pavel Simerda wrote:
> I am writing to Fedora development mailing lists to get opinions
> and ideas regarding our project on improving IPv6 support in
> Fedora across its components.

I'd be more than happy to work with some folks to write additional 
documentation about IPv6 and:

  * systemd-networkd
  * wide-dhcpv6 / dibbler
  * firewalld
  * openvpn

I'm not very knowledgeable in NetworkManager, unfortunately.

- --
Major Hayden
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJWOQn8AAoJEHNwUeDBAR+x0GgP/3ds5ouiytUK+umJNkuCQqJq
kAXosxFZp6LdfXKCJckad62jeBsXxqG868JjLEoL3wdCPNZR8A1hJm7MWS6pJuHm
uoOE6DY0T8C2J2eZB+12+iOE+sqwYsp5FGQZGhGiuhSK5FuY0Jrzg1pW09pN7fjW
TO7vfaNOUKnNaByEjLVQyFF+Y8moSXJR+C+Gmjq0FxKKh7yiazaqaLI5mLV1CssA
4iAipVJBChDhTXodRDlacQo8qTvKBtuJGC1vSTvlMkdQBL78mezxQDM8FysKaknN
TxItPmRIEoQ0pL4wrk98xbFXWQJM/RodsCMJO9rv0WK2RLILmWChJukwGemMYnFt
Z0JfLrbAfNotr9/ymLd3S+Hz5kEAEBm12n3qHMSUS7FKxx+oocgZsq6zV23cuY9w
on4Ytp0cSlRU93uvH1MOvfH/BgXXkSwPlhbQHLDvK3tg2NQwYHIr5gCGl0FtzQPy
WcY1+OydTtmuu25nAaUa/udlmnmbUgvLPi8bE+ntbaca0YBOI6Ukso9CP+bH8WuK
fuWaCOheEfSOdA+fqZ95N+yeretO1Ayjh//Gb8CU8AeKADbROj3jMbwrk0Kd0AUC
VMIKpavVtKXxclgQ8rSORG+JaGsVHIzYTwKM9nWAuxtz6cKbMZKdiafUEMr3b3yY
u2UCLch/PmvYF4HOheHS
=MgJ3
-END PGP SIGNATURE-
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Pavel Simerda 
- Original Message -
> From: "Josef Bacik" <jo...@toxicpanda.com>
> To: "Development discussions related to Fedora" 
> <devel@lists.fedoraproject.org>
> Cc: "Pavel Simerda" <psime...@redhat.com>, "Paul Wouters" 
> <pwout...@redhat.com>, "Tore Anderson" <t...@fud.no>
> Sent: Tuesday, November 3, 2015 6:56:42 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> 
> So one thing I would suggest is testing ipv6 only environments.  At
> Facebook we are running into and fixing a whole host of problems with
> NetworkManager, Anaconda, Dracut, etc. because they don't handle ipv6
> only very well.  It seems that having ipv4 enabled allows things to
> work well enough that nobody notices problems with ipv6.  Thanks,

Hi Josef,

there is indeed a lot of assumptions in software regarding availability of
IPv4. Is there a possibility you or anyone could provide a list of issues
and reproducers related to IPv6-only installation and operation? In that
case we could add them to the wiki.

Cheers,

Pavel

> 
> Josef
> 
> On Tue, Nov 3, 2015 at 12:50 PM, Moez Roy <moez@gmail.com> wrote:
> > Hi Pavel Simerda,
> >
> > The IPv6 updates are breaking stuff (and probably increasing the
> > attack surface):
> >
> > Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> > in /etc/sysctl.conf
> > https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> >
> > Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> > in /etc/sysctl.conf
> > https://bugzilla.redhat.com/show_bug.cgi?id=1251762
> >
> > (maybe other software like avahi also don't remember right now)
> >
> > You can reproduce this by putting "ipv6.disable=1" in the kernel command
> > line.
> >
> > Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
> > security provided by SELinux so it is not an option.
> >
> > Would appreciate fixes please. Thanks.
> > --
> > devel mailing list
> > devel@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/devel
> > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> 
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Pavel Simerda 
- Original Message -
> From: "Moez Roy" <moez@gmail.com>
> To: "Development discussions related to Fedora" 
> <devel@lists.fedoraproject.org>, "Pavel Simerda"
> <psime...@redhat.com>
> Cc: "Tore Anderson" <t...@fud.no>, "Tomas Hozza" <tho...@redhat.com>, "Paul 
> Wouters" <pwout...@redhat.com>
> Sent: Tuesday, November 3, 2015 6:50:53 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> 
> Hi Pavel Simerda,
> 
> The IPv6 updates are breaking stuff (and probably increasing the
> attack surface):

Hi Moez,

please could you explain the above statement and back it by specific
data for the tickets below?

> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1231946

It seems to suggest there was a regression due to an update
related to IPv6 but:

1) The ticket doesn't suggest a regression.
2) The ticket doesn't talk about any specific update.
3) I am not aware of any recent unbound update motivated by IPv6.

If you still think it is the case, please address the above points
in the bugzilla ticket.

> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1251762

This looks very similar in nature.

> (maybe other software like avahi also don't remember right now)
> 
> You can reproduce this by putting "ipv6.disable=1" in the kernel command
> line.

Thanks! It looks like we need to test a lot of stuff with IPv6 disabled in
the kernel.

Cheers,

Pavel
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Pavel Simerda 
- Original Message -
> From: "Peter Robinson" <pbrobin...@gmail.com>
> To: "Development discussions related to Fedora" 
> <devel@lists.fedoraproject.org>
> Sent: Tuesday, November 3, 2015 6:27:32 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> 
> >> In the above page:
> >> * Network configuration: I see NetworkManager in there but nothing
> >> about systemd-networkd
> >
> > I used browser search in that page and 'systemd' (which is the name
> > of the source package that provides systemd-networkd) is listed.
> 
> I wasn't sure whether it meant systemd in general such as port based
> service activation or networkd subset of that or combinations of all
> the options.

It is merely a list of packages and doesn't suggest any specific usage
of those. I currently don't plan any specific focus on networkd.

> >> * Other: firewalld including zones and other such configurations (you
> >> mention iptables)
> >
> > The firewalld package is also mentioned.
> 
> Yes, I found that later on when re-reading.
> 
> >> > Most prominent subpages:
> >> >
> >> >  * https://fedoraproject.org/wiki/QA/Networking/Test_environment
> >>
> >> In this section I see "IPv6 node" but nothing that covers a IPv6 only
> >> routed network with IPv6 to IPv4 gateway ie it runs v6 only internally
> >> but uses 6 to 4 services for legacy services.
> >
> > That is an interesting points. It sort of falls into the IPv6 only case
> > but has enough specifics to be mentioned, at the least.
> >
> >> >  * https://fedoraproject.org/wiki/QA/Networking/Client_software
> >>
> >> Again nothing about a native IPv6 only network with a gateway that
> >> supports 6to4 for legacy services outside the network.
> >
> > To be honest we are most interested in native connectivity. If anyone
> > needs to use tunneled connectivity as a workaround, he should probably
> > choose a mechanism that provides comparable results. On the other hand,
> > the biggest difference in 6to4 when using the `2002::/16` subprefixes
> > is that it is not preferred over IPv4 addresses by default according
> > to RFC 6724.
> 
> It's still a valid use case that we should be testing to ensure as
> networks migrate it provides a good user experience.
> 
> >> What about a iOS9 style preferring of IPv6 over IPv4 in the general
> >> desktop. In the iOS9 case they do network measurements and favour IPv6
> >> bydefault, and if it's going to be faster but fail back quickly if
> >> it's not, how would we deal with this?
> >
> > In my opinion this is out of scope of the networking QA project as
> > we see it.
> 
> Why? It's a completely relevant usecase and if there's options where
> it'd faster and provides better user experience, or the inverse it's
> slower and provides a poor user experience why wouldn't we want to
> test it?

Relevancy is not enough. The project is rather loosely defined at the moment
and its focus will mainly depend on the focus of its active contributors. I'm
not aware of anyone willing to work on network measurement based dynamic
network configuration.

> >> >  * https://fedoraproject.org/wiki/QA/Networking/Server_software
> >>
> >> Nothing in here about:
> >> * IPv6 services RA, dhcp6, 6 to 4 proxies, 4 to 6 proxies and other
> >> such transition servers
> >
> > That is correct. The page is about general networking server workflow,
> > for network configuration details see the respective document below.
> >
> > https://fedoraproject.org/wiki/QA/Networking/Configuration
> >
> >> * what about VPN services like a IPv6 only network connecting to a
> >> dual stack VPN, or a IPv4 only VPN or a number of combinations there
> >> of IE interfaces that are v6 only and ones that are v4 only. What
> >> happens with routing then if there's other 6 to 4 services in play?
> >
> > Like in the following bug report? Yes, that sounds useful to add
> > somewhere.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1091356
> >
> >> * Load balancers ie like facebook uses to bridge external dual stack
> >> to IPv6 only internal services, or providing IPv6 externally to
> >> present internal v4 services externally to v6
> >
> > I don't think we (people currently involved in the project) have the
> > capacity to test Fedora based services with load balancers. Anyone
> > is free to submit bug reports, though.
> 
> I meant more for things like

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Pavel Simerda 
- Original Message -
> From: "Major Hayden" <ma...@mhtx.net>
> To: devel@lists.fedoraproject.org
> Sent: Tuesday, November 3, 2015 8:24:46 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On 10/29/2015 10:15 AM, Pavel Simerda wrote:
> > I am writing to Fedora development mailing lists to get opinions
> > and ideas regarding our project on improving IPv6 support in
> > Fedora across its components.
> 
> I'd be more than happy to work with some folks to write additional
> documentation about IPv6 and:
> 
>   * systemd-networkd
>   * wide-dhcpv6 / dibbler
>   * firewalld
>   * openvpn

Hi,

let's talk on IRC Freenode. My nickname is pavlix.

> 
> I'm not very knowledgeable in NetworkManager, unfortunately.

I can provide some NetworkManager knowledge as well as contact to
active NetworkManager developers.

Cheers,

Pavel

> 
> - --
> Major Hayden
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
> 
> iQIcBAEBCAAGBQJWOQn8AAoJEHNwUeDBAR+x0GgP/3ds5ouiytUK+umJNkuCQqJq
> kAXosxFZp6LdfXKCJckad62jeBsXxqG868JjLEoL3wdCPNZR8A1hJm7MWS6pJuHm
> uoOE6DY0T8C2J2eZB+12+iOE+sqwYsp5FGQZGhGiuhSK5FuY0Jrzg1pW09pN7fjW
> TO7vfaNOUKnNaByEjLVQyFF+Y8moSXJR+C+Gmjq0FxKKh7yiazaqaLI5mLV1CssA
> 4iAipVJBChDhTXodRDlacQo8qTvKBtuJGC1vSTvlMkdQBL78mezxQDM8FysKaknN
> TxItPmRIEoQ0pL4wrk98xbFXWQJM/RodsCMJO9rv0WK2RLILmWChJukwGemMYnFt
> Z0JfLrbAfNotr9/ymLd3S+Hz5kEAEBm12n3qHMSUS7FKxx+oocgZsq6zV23cuY9w
> on4Ytp0cSlRU93uvH1MOvfH/BgXXkSwPlhbQHLDvK3tg2NQwYHIr5gCGl0FtzQPy
> WcY1+OydTtmuu25nAaUa/udlmnmbUgvLPi8bE+ntbaca0YBOI6Ukso9CP+bH8WuK
> fuWaCOheEfSOdA+fqZ95N+yeretO1Ayjh//Gb8CU8AeKADbROj3jMbwrk0Kd0AUC
> VMIKpavVtKXxclgQ8rSORG+JaGsVHIzYTwKM9nWAuxtz6cKbMZKdiafUEMr3b3yY
> u2UCLch/PmvYF4HOheHS
> =MgJ3
> -END PGP SIGNATURE-
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Scott Schmit 
On Tue, Nov 03, 2015 at 01:12:09PM -0500, Pavel Simerda wrote:
> You can of course have combinations. We can add that once we have
> specific test cases that would show importance of a standalone category
> for such a setup. Otherwise one would usually view IPv6 global and IPv6
> local communication as two isolated things.

I only brought it up because both ULA and non-ULA global are "global" so
some software could pick inappropriate prefixes.  That doesn't show up
if you never hand out multiple prefixes to choose from.

> > Another case would be multi-homed IPv6, where you have global IPv6
> > addresses from multiple sources (could be two ISPs, two tunnel
> > providers, or one ISP and one tunnel provider).
> 
> Interesting. Any specific test cases for that?

Assuming link/ISP/prefix A vs B.
Check that:
- Apps connected to via A respond from A and not B.
- If A is preferred over B, apps source via A instead of B unless/until
  A has been withdrawn/is unavailable.
- Things keep working if A is withdrawn/is unavailable.
- If the preference is reconfigured, that the apps respect that change.
- Starting with only A, advertise higher-priority B and watch that
  things switch.

I think that covers what people usually want for multi-homing.

This ignores the router end of actually being able to
express/route/manage the above correctly.

> > IPv6 is designed to be inherently more dynamic than IPv4 (particularly
> > with RAs) -- we should test transitions between connectivity states
> > (simulating an ISP connection dropping and coming back up or a router
> > going down and coming back up).
> 
> While IPv6 is designed to be inherently dynamic, operators seem to be
> avoiding it as much as possible and use it in a way more similar to
> IPv4. Specific test cases and common usage are welcome, though.

Yeah, I've noticed that, too.  Seems like a bit of wanting their cake
(dynamically provisioning & reconfiguring customers) while eating it too
(not wanting to support/use protocols intended to allow that without
breaking things).  To be fair, I don't think it's just the operators.

As for test cases: have the router withdraw the global prefix and see
that things drop back to IPv4 (if you've got only one prefix) or switch
over to another configured global prefix (if there's more than one).
Then do the opposite and see that the new prefixes get picked up.
Alternatively, have the router transition the network to new prefixes
(renumbering).

I feel like those are somewhat obvious (re)statements, so I'm not sure
if this is what you're looking for.

FWIW, I expect most software to handle this poorly unless the kernel
somehow does this automagically for userspace programs, but I get the
impression that you're trying to assess current state as much as fix
things.

> > Speed differences between IPv6 & IPv4 could be a factor as well (happy
> > eyeballs) -- though reportedly IPv6 has tended to be faster than IPv4
> > rather than the previously-expected inverse.
> > 
> > Checking support for DHCPv6-PD would also be valuable.
> 
> We're not really focusing on a Fedora based router use case. As always,
> that doesn't mean someone cannot join and extend the effort. If you're
> interested in the classic connection sharing feature, it may be better
> to contact NetworkManager developers directly.

Fair enough re DHCPv6-PD (I suspected that was a bit of a long shot
), but you maybe missed the "happy eyeballs" bit above that...


smime.p7s
Description: S/MIME cryptographic signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

SELinux & disabled IPv6 (was: Re: Fedora IPv6 testing and improvements - request for ideas)

2015-11-03 Thread Scott Schmit 
On Tue, Nov 03, 2015 at 09:50:53AM -0800, Moez Roy wrote:
> The IPv6 updates are breaking stuff (and probably increasing the
> attack surface):
> 
> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> 
> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1251762

Your bugs' subjects complain that software X is ignoring configuration for
software Y.  That's expected for any X & Y where X != Y.  In other
words, you shouldn't expect unbound and/or dnssec-triggerd to be looking
at *kernel* configuration settings.

Looking at the bugs' bodies, it appears that because IPv6 isn't there,
some kernel module auto-load configuration is trying to auto-load IPv6
and SELinux is prohibiting the action.  That or the tool is explicitly
trying to load the module, but I rather doubt this.

You note the SELinux policy alert but don't identify if this actually
breaks anything.  The right answer could be as simple as changing the
SELinux policy to mark this transition/action as dontaudit (or just
ignore the audit message).

Ah, a google search for `selinux "request-module"' leads me here:
https://bugzilla.redhat.com/show_bug.cgi?id=527936 which appears to
agree with the above.


smime.p7s
Description: S/MIME cryptographic signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Michael Hampton 
On Thu Oct 29 15:15:10 UTC 2015, Pavel Simerda wrote:
> I am writing to Fedora development mailing lists to get opinions
> and ideas regarding our project on improving IPv6 support in
> Fedora across its components.
>
> https://fedoraproject.org/wiki/QA/Networking
>
> Most prominent subpages:
>
>  * https://fedoraproject.org/wiki/QA/Networking/Test_environment
>  * https://fedoraproject.org/wiki/QA/Networking/Client_software
>  * https://fedoraproject.org/wiki/QA/Networking/Server_software
>
> During the first phase we are interested in getting feedback on
> testing methods and test cases. Any other ideas are of course
> welcome. Even contacts for future collaboration would be great.

I was an early adopter of IPv6; I've had it in some form or another 
continuously since 2006. I may have a few ideas to share.

My late response today was motivated in part by my attempting to install Fedora 
in a VM from my private IPv6-only Fedora mirror, and having it completely fail 
to download .treeinfo and squashfs.img, despite picking up an SLAAC IPv6 
address and being bridged to the same subnet as the mirror...

One of the REALLY early adopters of IPv6 was Microsoft, who began rolling it 
out internally in the early 2000s, when XP was the new OS on the block. I 
recently read a Microsoft book, Understanding IPv6 (Third Edition) and one of 
the things I took away from that, with regard to testing, is that since 
Vista/2008 they do not test Windows without the IPv6 stack, nor can it even be 
fully removed! But you can uninstall the IPv4 stack from Windows, and this is a 
fully supported configuration.

A short bit from the book:

> From Microsoft's perspective, IPv6 is a mandatory part of the Windows 
> operating system, and it is enabled and included in standard Windows service 
> and application testing during the operating system development process. 
> Because Windows was designed specifically with IPv6 present, Microsoft does 
> not perform any testing to determine the effects of disabling IPv6. If IPv6 
> is disabled in Windows, some components will not function. Moreover, 
> applications that you might not think are using IPv6—such as Remote 
> Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.

I'm aware that there remain kernel issues preventing IPv4 from being entirely 
disabled, but it should be possible today to test Fedora in an (almost) 
entirely IPv6-only configuration. Such a setup could shake loose a very large 
pile of bugs (on the order of thousands, across all Fedora packages). One 
interesting test in particular would be to remove 127.0.0.1 from the lo 
interface, leaving only ::1; there is a lot of software out there that assumes 
that 127.0.0.1 will always be there, and this is not a valid assumption.

For some background on things that can be expected to go wrong in an IPv6-only 
network, RFC 6586 makes good reading.

OK, maybe I just had one idea...

(Note that I'm on digest and usually only skim it, so I might miss any messages 
not CC'd to me.)


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-11-03 Thread Pavel Simerda 
- Original Message -
> From: "Peter Robinson" 
> > https://fedoraproject.org/wiki/QA/Networking

Hi,

thanks for your feedback.

> In the above page:
> * Network configuration: I see NetworkManager in there but nothing
> about systemd-networkd

I used browser search in that page and 'systemd' (which is the name
of the source package that provides systemd-networkd) is listed.

> * Other: firewalld including zones and other such configurations (you
> mention iptables)

The firewalld package is also mentioned.

> > Most prominent subpages:
> >
> >  * https://fedoraproject.org/wiki/QA/Networking/Test_environment
> 
> In this section I see "IPv6 node" but nothing that covers a IPv6 only
> routed network with IPv6 to IPv4 gateway ie it runs v6 only internally
> but uses 6 to 4 services for legacy services.

That is an interesting points. It sort of falls into the IPv6 only case
but has enough specifics to be mentioned, at the least.

> >  * https://fedoraproject.org/wiki/QA/Networking/Client_software
> 
> Again nothing about a native IPv6 only network with a gateway that
> supports 6to4 for legacy services outside the network.

To be honest we are most interested in native connectivity. If anyone
needs to use tunneled connectivity as a workaround, he should probably
choose a mechanism that provides comparable results. On the other hand,
the biggest difference in 6to4 when using the `2002::/16` subprefixes
is that it is not preferred over IPv4 addresses by default according
to RFC 6724.

> What about a iOS9 style preferring of IPv6 over IPv4 in the general
> desktop. In the iOS9 case they do network measurements and favour IPv6
> bydefault, and if it's going to be faster but fail back quickly if
> it's not, how would we deal with this?

In my opinion this is out of scope of the networking QA project as
we see it.

> >  * https://fedoraproject.org/wiki/QA/Networking/Server_software
> 
> Nothing in here about:
> * IPv6 services RA, dhcp6, 6 to 4 proxies, 4 to 6 proxies and other
> such transition servers

That is correct. The page is about general networking server workflow,
for network configuration details see the respective document below.

https://fedoraproject.org/wiki/QA/Networking/Configuration

> * what about VPN services like a IPv6 only network connecting to a
> dual stack VPN, or a IPv4 only VPN or a number of combinations there
> of IE interfaces that are v6 only and ones that are v4 only. What
> happens with routing then if there's other 6 to 4 services in play?

Like in the following bug report? Yes, that sounds useful to add
somewhere.

https://bugzilla.redhat.com/show_bug.cgi?id=1091356

> * Load balancers ie like facebook uses to bridge external dual stack
> to IPv6 only internal services, or providing IPv6 externally to
> present internal v4 services externally to v6

I don't think we (people currently involved in the project) have the
capacity to test Fedora based services with load balancers. Anyone
is free to submit bug reports, though.

> There's also nothing I can see from a quick read about offload
> engines. A lot of 10Gb+ network interfaces have offloads for generic
> IP, TCP, other acceleration to enable to do line speed 10+gb on IPv4,
> we obviously want acceleration because IPv6 headers are larger and
> hence take up more memory.

It is not explicitly stated (and that should be fixed) that we
are focusing on userspace and configuration, not kernel networking
features. That doesn't prevent anyone from joining and extending the
project nor from filing kernel bug reports and feature requests.

> There's toolkits like dpgk (
> http://dpdk.org ) for acceleration of packets across large bandwidth
> interfaces but I don't see any mention of that or network IO
> virtualisation/offload.
> 
> Facebook and others have been testing these sorts of things:
> 
> https://code.facebook.com/posts/1123882380960538/linux-ipv6-improvement-routing-cache-on-demand/
> https://code.facebook.com/posts/938078729581886/improving-the-linux-kernel-with-upstream-contributions/
> 
> Along these lines also I see nothing about Open vSwitch and SND
> encapsulation protocols testing such as vxlan, GRE, GENEVE etc

I think this is the same situation as above.

> > During the first phase we are interested in getting feedback on
> > testing methods and test cases. Any other ideas are of course
> > welcome. Even contacts for future collaboration would be great.
> 
> A future development would be around 6LoWPAN and the routing protocols
> etc for that so we can communicate with IoT devices.
> 
> The way I read a lot of the pages above is a "this is how we did it on
> IPv4 lets test it on IPv6" rather than a review of how things are
> going to change with IPv6, how would I get to a IPv4 site if I'm on a
> IPv6 network, visa versa and the whole sets of new use cases that are
> appearing as a result of it.

Let us now if there are specific cases that need to be covered to make
Fedora packages

Re: Fedora IPv6 testing and improvements - request for ideas

2015-10-30 Thread Chris Adams 
Once upon a time, Dan Williams  said:
> You can set this on a per-connection basis with NM.  It just defaults to
> "unset", which then defaults to "on".  You can also set a global default
> through /etc/NetworkManager/NetworkManager.conf so that all new
> connections on your system get "disabled" when they have the privacy
> value unset.

I like privacy extensions - that's not the point.  The point is that
Fedora with NM is violating the RFC by removing deprecated addresses
while they are still in use, something that the kernel managed to get
right (why NM had to take over this management of them from the kernel,
and then get it wrong, I don't know).

I reported this a year ago to BZ but never got a single response.
-- 
Chris Adams 
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-10-30 Thread Michael Cronenworth 

On 10/29/2015 10:15 AM, Pavel Simerda wrote:

  *https://fedoraproject.org/wiki/QA/Networking/Test_environment


Don't forget about 6to4[1]... everyone should have access to this unless your ISP 
blocks the routes. It doesn't require an account or 3rd party host that the tunnels 
require.


NetworkManager ifcfg settings:
IPV6TO4INIT, IPV6TO4_ROUTING, and if you run a server. IPV6_CONTROL_RADVD

Some ISPs provide 6rd[2] access, which is the next step above 6to4.

[1] https://en.wikipedia.org/wiki/6to4
[2] https://en.wikipedia.org/wiki/IPv6_rapid_deployment
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-10-30 Thread Dan Williams 
On Thu, 2015-10-29 at 15:30 -0500, Chris Adams wrote:
> Once upon a time, Zach Villers  said:
> > If it helps, Sixxs (https://www.sixxs.net/main/) is a very highly
> > recommended tunnel broker. I have not tried it and am not affiliated. I do
> > have ipv6 capability from my isp, so could help with testing.
> 
> There's also Hurricane Electric's free IPv6 tunnels.
> 
> BTW: one issue that I have seen with IPv6 and address privacy extensions
> is that, since temporary address handling moved to user-space
> (NetworkManager I guess?) instead of kernel-space, temporary addresses
> are expired even when they are still in use.  This affects anything that
> uses long-lived sessions (such as SSH to a server) and is highly
> annoying.
> 
> The RFC (4941 section 3.4) says:
> 
>   "As an optional optimization, an implementation MAY remove a
>deprecated temporary address that is not in use by applications or
>upper layers as detailed in Section 6."

You can set this on a per-connection basis with NM.  It just defaults to
"unset", which then defaults to "on".  You can also set a global default
through /etc/NetworkManager/NetworkManager.conf so that all new
connections on your system get "disabled" when they have the privacy
value unset.

nmcli con mod "" ipv6.ip6-privacy 0

Dan

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-10-29 Thread Peter Robinson 
On Thu, Oct 29, 2015 at 3:15 PM, Pavel Simerda  wrote:
> Hi all,
>
> I am writing to Fedora development mailing lists to get opinions
> and ideas regarding our project on improving IPv6 support in
> Fedora across its components.
>
> https://fedoraproject.org/wiki/QA/Networking

In the above page:
* Network configuration: I see NetworkManager in there but nothing
about systemd-networkd
* Other: firewalld including zones and other such configurations (you
mention iptables)

> Most prominent subpages:
>
>  * https://fedoraproject.org/wiki/QA/Networking/Test_environment

In this section I see "IPv6 node" but nothing that covers a IPv6 only
routed network with IPv6 to IPv4 gateway ie it runs v6 only internally
but uses 6 to 4 services for legacy services.

>  * https://fedoraproject.org/wiki/QA/Networking/Client_software

Again nothing about a native IPv6 only network with a gateway that
supports 6to4 for legacy services outside the network.

What about a iOS9 style preferring of IPv6 over IPv4 in the general
desktop. In the iOS9 case they do network measurements and favour IPv6
bydefault, and if it's going to be faster but fail back quickly if
it's not, how would we deal with this?

>  * https://fedoraproject.org/wiki/QA/Networking/Server_software

Nothing in here about:
* IPv6 services RA, dhcp6, 6 to 4 proxies, 4 to 6 proxies and other
such transition servers
* what about VPN services like a IPv6 only network connecting to a
dual stack VPN, or a IPv4 only VPN or a number of combinations there
of IE interfaces that are v6 only and ones that are v4 only. What
happens with routing then if there's other 6 to 4 services in play?
* Load balancers ie like facebook uses to bridge external dual stack
to IPv6 only internal services, or providing IPv6 externally to
present internal v4 services externally to v6

There's also nothing I can see from a quick read about offload
engines. A lot of 10Gb+ network interfaces have offloads for generic
IP, TCP, other acceleration to enable to do line speed 10+gb on IPv4,
we obviously want acceleration because IPv6 headers are larger and
hence take up more memory. There's toolkits like dpgk (
http://dpdk.org ) for acceleration of packets across large bandwidth
interfaces but I don't see any mention of that or network IO
virtualisation/offload.

Facebook and others have been testing these sorts of things:

https://code.facebook.com/posts/1123882380960538/linux-ipv6-improvement-routing-cache-on-demand/
https://code.facebook.com/posts/938078729581886/improving-the-linux-kernel-with-upstream-contributions/

Along these lines also I see nothing about Open vSwitch and SND
encapsulation protocols testing such as vxlan, GRE, GENEVE etc

> During the first phase we are interested in getting feedback on
> testing methods and test cases. Any other ideas are of course
> welcome. Even contacts for future collaboration would be great.

A future development would be around 6LoWPAN and the routing protocols
etc for that so we can communicate with IoT devices.

The way I read a lot of the pages above is a "this is how we did it on
IPv4 lets test it on IPv6" rather than a review of how things are
going to change with IPv6, how would I get to a IPv4 site if I'm on a
IPv6 network, visa versa and the whole sets of new use cases that are
appearing as a result of it.

Peter
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-10-29 Thread Zach Villers 
If it helps, Sixxs (https://www.sixxs.net/main/) is a very highly
recommended tunnel broker. I have not tried it and am not affiliated. I do
have ipv6 capability from my isp, so could help with testing.

On Thu, Oct 29, 2015 at 3:35 PM, Peter Robinson 
wrote:

> On Thu, Oct 29, 2015 at 3:15 PM, Pavel Simerda 
> wrote:
> > Hi all,
> >
> > I am writing to Fedora development mailing lists to get opinions
> > and ideas regarding our project on improving IPv6 support in
> > Fedora across its components.
> >
> > https://fedoraproject.org/wiki/QA/Networking
>
> In the above page:
> * Network configuration: I see NetworkManager in there but nothing
> about systemd-networkd
> * Other: firewalld including zones and other such configurations (you
> mention iptables)
>
> > Most prominent subpages:
> >
> >  * https://fedoraproject.org/wiki/QA/Networking/Test_environment
>
> In this section I see "IPv6 node" but nothing that covers a IPv6 only
> routed network with IPv6 to IPv4 gateway ie it runs v6 only internally
> but uses 6 to 4 services for legacy services.
>
> >  * https://fedoraproject.org/wiki/QA/Networking/Client_software
>
> Again nothing about a native IPv6 only network with a gateway that
> supports 6to4 for legacy services outside the network.
>
> What about a iOS9 style preferring of IPv6 over IPv4 in the general
> desktop. In the iOS9 case they do network measurements and favour IPv6
> bydefault, and if it's going to be faster but fail back quickly if
> it's not, how would we deal with this?
>
> >  * https://fedoraproject.org/wiki/QA/Networking/Server_software
>
> Nothing in here about:
> * IPv6 services RA, dhcp6, 6 to 4 proxies, 4 to 6 proxies and other
> such transition servers
> * what about VPN services like a IPv6 only network connecting to a
> dual stack VPN, or a IPv4 only VPN or a number of combinations there
> of IE interfaces that are v6 only and ones that are v4 only. What
> happens with routing then if there's other 6 to 4 services in play?
> * Load balancers ie like facebook uses to bridge external dual stack
> to IPv6 only internal services, or providing IPv6 externally to
> present internal v4 services externally to v6
>
> There's also nothing I can see from a quick read about offload
> engines. A lot of 10Gb+ network interfaces have offloads for generic
> IP, TCP, other acceleration to enable to do line speed 10+gb on IPv4,
> we obviously want acceleration because IPv6 headers are larger and
> hence take up more memory. There's toolkits like dpgk (
> http://dpdk.org ) for acceleration of packets across large bandwidth
> interfaces but I don't see any mention of that or network IO
> virtualisation/offload.
>
> Facebook and others have been testing these sorts of things:
>
>
> https://code.facebook.com/posts/1123882380960538/linux-ipv6-improvement-routing-cache-on-demand/
>
> https://code.facebook.com/posts/938078729581886/improving-the-linux-kernel-with-upstream-contributions/
>
> Along these lines also I see nothing about Open vSwitch and SND
> encapsulation protocols testing such as vxlan, GRE, GENEVE etc
>
> > During the first phase we are interested in getting feedback on
> > testing methods and test cases. Any other ideas are of course
> > welcome. Even contacts for future collaboration would be great.
>
> A future development would be around 6LoWPAN and the routing protocols
> etc for that so we can communicate with IoT devices.
>
> The way I read a lot of the pages above is a "this is how we did it on
> IPv4 lets test it on IPv6" rather than a review of how things are
> going to change with IPv6, how would I get to a IPv4 site if I'm on a
> IPv6 network, visa versa and the whole sets of new use cases that are
> appearing as a result of it.
>
> Peter
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-10-29 Thread Chris Adams 
Once upon a time, Zach Villers  said:
> If it helps, Sixxs (https://www.sixxs.net/main/) is a very highly
> recommended tunnel broker. I have not tried it and am not affiliated. I do
> have ipv6 capability from my isp, so could help with testing.

There's also Hurricane Electric's free IPv6 tunnels.

BTW: one issue that I have seen with IPv6 and address privacy extensions
is that, since temporary address handling moved to user-space
(NetworkManager I guess?) instead of kernel-space, temporary addresses
are expired even when they are still in use.  This affects anything that
uses long-lived sessions (such as SSH to a server) and is highly
annoying.

The RFC (4941 section 3.4) says:

  "As an optional optimization, an implementation MAY remove a
   deprecated temporary address that is not in use by applications or
   upper layers as detailed in Section 6."

-- 
Chris Adams 
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Fedora IPv6 testing and improvements - request for ideas

2015-10-29 Thread Scott Schmit 
On Thu, Oct 29, 2015 at 11:15:10AM -0400, Pavel Simerda wrote:
> I am writing to Fedora development mailing lists to get opinions
> and ideas regarding our project on improving IPv6 support in
> Fedora across its components.
> 
> https://fedoraproject.org/wiki/QA/Networking
> 
> Most prominent subpages:
> 
>  * https://fedoraproject.org/wiki/QA/Networking/Test_environment

It may make sense to have a IPv6 case between global & local that has
all 4 categories of address (I see this as loosely analogous to the IPv4
masqueraded case).

Another case would be multi-homed IPv6, where you have global IPv6
addresses from multiple sources (could be two ISPs, two tunnel
providers, or one ISP and one tunnel provider).

IPv6 is designed to be inherently more dynamic than IPv4 (particularly
with RAs) -- we should test transitions between connectivity states
(simulating an ISP connection dropping and coming back up or a router
going down and coming back up).

Speed differences between IPv6 & IPv4 could be a factor as well (happy
eyeballs) -- though reportedly IPv6 has tended to be faster than IPv4
rather than the previously-expected inverse.

Checking support for DHCPv6-PD would also be valuable.

>  * https://fedoraproject.org/wiki/QA/Networking/Client_software
>  * https://fedoraproject.org/wiki/QA/Networking/Server_software
> 
> During the first phase we are interested in getting feedback on
> testing methods and test cases. Any other ideas are of course
> welcome. Even contacts for future collaboration would be great.

-- 
Scott
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct