Re: SELinux & disabled IPv6 (was: Re: Fedora IPv6 testing and improvements - request for ideas)
On Tue, Nov 3, 2015 at 9:06 PM, Scott Schmit wrote:
> On Tue, Nov 03, 2015 at 09:50:53AM -0800, Moez Roy wrote:
>> The IPv6 updates are breaking stuff (and probably increasing the
>> attack surface):
>>
>> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>>
>> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
>
> Your bugs' subjects complain that software X is ignoring configuration for
> software Y. That's expected for any X & Y where X != Y. In other
> words, you shouldn't expect unbound and/or dnssec-triggerd to be looking
> at *kernel* configuration settings.
>
> Looking at the bugs' bodies, it appears that because IPv6 isn't there,
> some kernel module auto-load configuration is trying to auto-load IPv6
> and SELinux is prohibiting the action. That or the tool is explicitly
> trying to load the module, but I rather doubt this.
>
> You note the SELinux policy alert but don't identify if this actually
> breaks anything. The right answer could be as simple as changing the
> SELinux policy to mark this transition/action as dontaudit (or just
> ignore the audit message).
>
> Ah, a google search for `selinux "request-module"' leads me here:
> https://bugzilla.redhat.com/show_bug.cgi?id=527936 which appears to
> agree with the above.
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Yes in this case it doesn't break anything if you just ignore the message.

I am forwarding this to the SELinux list so hopefully they can add a rule if ipv6 is disabled in the grub config don't audit this message.
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: Fedora IPv6 testing and improvements - request for ideas
On 04 Nov 2015 09:20:00 - Toby Goodwin wrote:

> As well as Fedora itself, we need to get the infrastructure IPv6
> ready. My company has developed an IPv6 health checker. Given a
> domain, it tests its nameservers, webservers, and mailservers for
> IPv6 readiness.
>
> Currently fedoraproject.org scores 4 out of 9, so there's some room
> for improvement!
>
> https://www.mythic-beasts.com/ipv6/health-check?domain=fedoraproject.org
>
> It seems odd that there are records for ns0[25], but they point
> to "dead:beef" addresses that are unreachable. Is this deliberate?

No. When you see something like this, please report it to Fedora infrastructure so we can get it fixed.

> Seems like it will just slow things down for any resolver that
> happens to try the IPv6 address first. (And of course the domain is
> completely unresolvable from a "pure" IPv6 client.)

Right. I have fixed the 2 nameservers now. We now score 7 of 9.

The other 2 points seem to be for ipv6 MX records. I'm not sure that's likely to change anytime soon. We currently have redhat.com handle our incoming emails to fedoraproject.org and do some spam filtering, etc. While we could change this, it's not something we want to do quickly or lightly.

kevin
Re: Fedora IPv6 testing and improvements - request for ideas
On 04.11.2015 15:22, Pavel Simerda wrote:
> - Original Message -
> > From: "Zdenek Kabelac"
> > To: "Development discussions related to Fedora"
> > Sent: Wednesday, November 4, 2015 1:43:12 PM
> > Subject: Re: Fedora IPv6 testing and improvements - request for ideas
> >
> > On 4.11.2015 at 13:24, Petr Spacek wrote:
> >> On 3.11.2015 18:50, Moez Roy wrote:
> >>> Hi Pavel Simerda,
> >>>
> >>> The IPv6 updates are breaking stuff (and probably increasing the
> >>> attack surface):
> >>>
> >>> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> >>> in /etc/sysctl.conf
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> >>>
> >>> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> >>> in /etc/sysctl.conf
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
> >>>
> >>> (maybe other software like avahi also don't remember right now)
> >>>
> >>> You can reproduce this by putting "ipv6.disable=1" in the kernel command
> >>> line.
> >>>
> >>> Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
> >>> security provided by SELinux so it is not an option.
> >>>
> >>> Would appreciate fixes please. Thanks.
> >>
> >> "ipv6.disable=1" or blacklisting ipv6 modules is going against contemporary
> >> ways how network APIs. Many contemporary software projects are
> >> using IPv6-enabled network calls by default because both IPv6 and IPv4
> >> share the same name space on the machine so you only need to listen on a
> >> IPv6 port to accept both IPv4 and IPv6.
> >>
> >> Apparently this is not Fedora-specific in any way because ArchLinux says
> >> the same:
> >> https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6
> >>
> >> "net.ipv6.conf.all.disable_ipv6=1" is good enough and should not have
> >> negative side-effects of "ipv6.disable=1".
> >>
> >> Having said that, I'm proposing to close all issues caused by
> >> "ipv6.disable=1" as WONTFIX.
> >
> > Hi
> >
> > I strongly object against this idea.
> >
> > System needs to work in IPv4 environment and with kernel without IPv6
> > enabled.
> >
> > There is number of reasons for keeping this possibility enabled - e.g.
> > I want to use older kernel for regression testing, I want to have disabled
> > IPv6 stack for security reasons and lots of other...
>
> I'm not taking any side in this discussion and will mostly attempt to reflect
> actual usage, i.e. most installations dual-stack, some installations with
> IPv6 disabled, no installations with IPv4 disabled (due to kernel inability
> to disable IPv4).
>
> > So please do not replace coder's inability
>
> The project is about IPv6 and dual-stack testing and improvements. Insulting
> authors who didn't make their software work with ipv6.disabled=1 isn't
> helpful.
>
> > to write correct code to handle dual socket interface
>
> In some cases software authors do not expect a situation when
> `socket(family=AF_INET6)` fails but `socket(family=AF_INET)`
> succeeds. It is indeed a very special situation that such a
> basic thing in the system fails.
>
> And that is indeed a very special situation. On most installations
> the `socket()` calls with correct arguments will never fail. And
> the IPv4 variant won't fail in any case which creates an undue
> asymmetry.
>
> > with disabling usage of while Fedora on kernel with
> > IPv6 disabled.
> >
> > I'm fine if the particular software package would be IPv6 only - as long
> > as there is no IPv4-only user who cares - it's correct way.
>
> Whether a package is IPv6 only and whether a package works with
> ipv6.disabled=1 are two distinct things that need to be tested
> separately. On the other IPv6 only packages are a very rare
> phenomenon.
>
> > Just do NOT make such package a core system dependency - it has to remain
> > optional.
>
> I don't see any reason to make a distinction between a dual-stack package
> with IPv4 and IPv6 functionality and two distinct packages, one IPv4 only,
> the other IPv6 only in this respect. Either way you end up with features
> required for both protocols.
>
> Anyway, are there any specific packages that are mandatory in Fedora or
> might become so? I'd like to avoid discussions about something purely
> hypothetical.

With the default DNS resolver change Unbound and dnssec-trigger would be installed by default.

> Cheers,
>
> Pavel

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
UTC+2 (CEST)
Red Hat Inc. http://cz.redhat.com
Re: Fedora IPv6 testing and improvements - request for ideas
On 4 November 2015 at 02:20, Toby Goodwin wrote:
> As well as Fedora itself, we need to get the infrastructure IPv6 ready.
> My company has developed an IPv6 health checker. Given a domain, it
> tests its nameservers, webservers, and mailservers for IPv6 readiness.
>
> Currently fedoraproject.org scores 4 out of 9, so there's some room for
> improvement!
>
> https://www.mythic-beasts.com/ipv6/health-check?domain=fedoraproject.org
>
> It seems odd that there are records for ns0[25], but they point to
> "dead:beef" addresses that are unreachable. Is this deliberate? Seems
> like it will just slow things down for any resolver that happens to
> try the IPv6 address first. (And of course the domain is completely
> unresolvable from a "pure" IPv6 client.)
>

Thank you for letting us know this. No it is not deliberate... and I would really like to know this outside of a message marketing your service on a mailing list.

> Toby.

--
Stephen J Smoogen.
Re: Fedora IPv6 testing and improvements - request for ideas
- Original Message -
> From: "Toby Goodwin"
> To: devel@lists.fedoraproject.org
> Sent: Wednesday, November 4, 2015 10:20:00 AM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
>
> As well as Fedora itself, we need to get the infrastructure IPv6 ready.

Definitely. Although it is such a distinct subproject that we could really use some help.

> My company has developed an IPv6 health checker. Given a domain, it
> tests its nameservers, webservers, and mailservers for IPv6 readiness.
>
> Currently fedoraproject.org scores 4 out of 9, so there's some room for
> improvement!
>
> https://www.mythic-beasts.com/ipv6/health-check?domain=fedoraproject.org
>
> It seems odd that there are records for ns0[25], but they point to
> "dead:beef" addresses that are unreachable.

Good catch. Now we have our own infrastructure to test how clients cope with DNS records pointing to blackhole addresses. It's even worse than a missing IPv6 capable NS. Could you please start a bug report for that?

Cheers,

Pavel

> Is this deliberate? Seems
> like it will just slow things down for any resolver that happens to
> try the IPv6 address first. (And of course the domain is completely
> unresolvable from a "pure" IPv6 client.)
>
> Toby.
Re: Fedora IPv6 testing and improvements - request for ideas
- Original Message -
> From: "Zdenek Kabelac"
> To: "Development discussions related to Fedora"
> Sent: Wednesday, November 4, 2015 1:43:12 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
>
> On 4.11.2015 at 13:24, Petr Spacek wrote:
> > On 3.11.2015 18:50, Moez Roy wrote:
> >> Hi Pavel Simerda,
> >>
> >> The IPv6 updates are breaking stuff (and probably increasing the
> >> attack surface):
> >>
> >> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> >> in /etc/sysctl.conf
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> >>
> >> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> >> in /etc/sysctl.conf
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
> >>
> >> (maybe other software like avahi also don't remember right now)
> >>
> >> You can reproduce this by putting "ipv6.disable=1" in the kernel command
> >> line.
> >>
> >> Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
> >> security provided by SELinux so it is not an option.
> >>
> >> Would appreciate fixes please. Thanks.
> >
> > "ipv6.disable=1" or blacklisting ipv6 modules is going against contemporary
> > ways how network APIs. Many contemporary software projects are
> > using IPv6-enabled network calls by default because both IPv6 and IPv4
> > share the same name space on the machine so you only need to listen on a
> > IPv6 port to accept both IPv4 and IPv6.
> >
> > Apparently this is not Fedora-specific in any way because ArchLinux says
> > the same:
> > https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6
> >
> > "net.ipv6.conf.all.disable_ipv6=1" is good enough and should not have
> > negative side-effects of "ipv6.disable=1".
> >
> > Having said that, I'm proposing to close all issues caused by
> > "ipv6.disable=1" as WONTFIX.
>
> Hi
>
> I strongly object against this idea.
>
> System needs to work in IPv4 environment and with kernel without IPv6
> enabled.
>
> There is number of reasons for keeping this possibility enabled - e.g.
> I want to use older kernel for regression testing, I want to have disabled
> IPv6 stack for security reasons and lots of other...

I'm not taking any side in this discussion and will mostly attempt to reflect actual usage, i.e. most installations dual-stack, some installations with IPv6 disabled, no installations with IPv4 disabled (due to kernel inability to disable IPv4).

> So please do not replace coder's inability

The project is about IPv6 and dual-stack testing and improvements. Insulting authors who didn't make their software work with ipv6.disabled=1 isn't helpful.

> to write correct code to handle dual socket interface

In some cases software authors do not expect a situation when `socket(family=AF_INET6)` fails but `socket(family=AF_INET)` succeeds. It is indeed a very special situation that such a basic thing in the system fails.

And that is indeed a very special situation. On most installations the `socket()` calls with correct arguments will never fail. And the IPv4 variant won't fail in any case which creates an undue asymmetry.

> with disabling usage of while Fedora on kernel with
> IPv6 disabled.
>
> I'm fine if the particular software package would be IPv6 only - as long
> as there is no IPv4-only user who cares - it's correct way.

Whether a package is IPv6 only and whether a package works with ipv6.disabled=1 are two distinct things that need to be tested separately. On the other IPv6 only packages are a very rare phenomenon.

> Just do NOT make such package a core system dependency - it has to remain
> optional.

I don't see any reason to make a distinction between a dual-stack package with IPv4 and IPv6 functionality and two distinct packages, one IPv4 only, the other IPv6 only in this respect. Either way you end up with features required for both protocols.

Anyway, are there any specific packages that are mandatory in Fedora or might become so? I'd like to avoid discussions about something purely hypothetical.

Cheers,

Pavel
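An added example, not part of the original message and not code from any project named in this thread: one way a listener can handle the case discussed above, where `socket(family=AF_INET6)` fails under `ipv6.disable=1` while `socket(family=AF_INET)` succeeds, and otherwise use the single dual-stack socket Petr Spacek describes. The names `open_listener`, `socket_factory` and `no_ipv6_factory` are hypothetical and exist only so the failure can be simulated.

```python
import errno
import socket


def open_listener(port, backlog=128, socket_factory=socket.socket):
    """Open a TCP listener on all local addresses.

    Prefers a single dual-stack AF_INET6 socket and falls back to AF_INET
    only when the kernel has no IPv6 address family at all, which is what
    a boot with ipv6.disable=1 produces. Returns (socket, family_name).
    `socket_factory` is a hypothetical hook so the failure can be simulated.
    """
    try:
        sock = socket_factory(socket.AF_INET6, socket.SOCK_STREAM)
        family, addr = "AF_INET6", ("::", port)
    except OSError as exc:
        # Only "address family not supported" means IPv6 is absent. Any other
        # error (fd exhaustion, a policy denial) must not be hidden by a fallback.
        if exc.errno != errno.EAFNOSUPPORT:
            raise
        sock = socket_factory(socket.AF_INET, socket.SOCK_STREAM)
        family, addr = "AF_INET", ("0.0.0.0", port)

    try:
        if family == "AF_INET6":
            # Clear IPV6_V6ONLY so IPv4 clients arrive as ::ffff:a.b.c.d on this
            # socket; do not rely on the net.ipv6.bindv6only system default.
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(addr)
        sock.listen(backlog)
    except OSError:
        sock.close()
        raise
    return sock, family


def no_ipv6_factory(family, type_):
    """Simulate the ipv6.disable=1 kernel: AF_INET6 does not exist."""
    if family == socket.AF_INET6:
        raise OSError(errno.EAFNOSUPPORT, "Address family not supported by protocol")
    return socket.socket(family, type_)


if __name__ == "__main__":
    for label, factory in (("this host", socket.socket),
                           ("simulated ipv6.disable=1", no_ipv6_factory)):
        listener, family = open_listener(0, socket_factory=factory)
        print(f"{label}: listening via {family} on {listener.getsockname()[:2]}")
        listener.close()
```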
Re: Fedora IPv6 testing and improvements - request for ideas
On 4.11.2015 at 13:24, Petr Spacek wrote:
> On 3.11.2015 18:50, Moez Roy wrote:
>> Hi Pavel Simerda,
>>
>> The IPv6 updates are breaking stuff (and probably increasing the
>> attack surface):
>>
>> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>>
>> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
>>
>> (maybe other software like avahi also don't remember right now)
>>
>> You can reproduce this by putting "ipv6.disable=1" in the kernel command
>> line.
>>
>> Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
>> security provided by SELinux so it is not an option.
>>
>> Would appreciate fixes please. Thanks.
>
> "ipv6.disable=1" or blacklisting ipv6 modules is going against contemporary
> ways how network APIs. Many contemporary software projects are
> using IPv6-enabled network calls by default because both IPv6 and IPv4
> share the same name space on the machine so you only need to listen on a
> IPv6 port to accept both IPv4 and IPv6.
>
> Apparently this is not Fedora-specific in any way because ArchLinux says
> the same:
> https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6
>
> "net.ipv6.conf.all.disable_ipv6=1" is good enough and should not have
> negative side-effects of "ipv6.disable=1".
>
> Having said that, I'm proposing to close all issues caused by
> "ipv6.disable=1" as WONTFIX.

Hi

I strongly object against this idea.

System needs to work in IPv4 environment and with kernel without IPv6 enabled.

There is number of reasons for keeping this possibility enabled - e.g. I want to use older kernel for regression testing, I want to have disabled IPv6 stack for security reasons and lots of other...

So please do not replace coder's inability to write correct code to handle dual socket interface with disabling usage of while Fedora on kernel with IPv6 disabled.

I'm fine if the particular software package would be IPv6 only - as long as there is no IPv4-only user who cares - it's correct way.

Just do NOT make such package a core system dependency - it has to remain optional.

Regards

Zdenek
Re: Fedora IPv6 testing and improvements - request for ideas
On 3.11.2015 18:50, Moez Roy wrote:
> Hi Pavel Simerda,
>
> The IPv6 updates are breaking stuff (and probably increasing the
> attack surface):
>
> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>
> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
>
> (maybe other software like avahi also don't remember right now)
>
> You can reproduce this by putting "ipv6.disable=1" in the kernel command line.
>
> Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
> security provided by SELinux so it is not an option.
>
> Would appreciate fixes please. Thanks.

"ipv6.disable=1" or blacklisting ipv6 modules is going against contemporary ways how network APIs. Many contemporary software projects are using IPv6-enabled network calls by default because both IPv6 and IPv4 share the same name space on the machine so you only need to listen on a IPv6 port to accept both IPv4 and IPv6.

Apparently this is not Fedora-specific in any way because ArchLinux says the same:
https://wiki.archlinux.org/index.php/IPv6#Disable_IPv6

"net.ipv6.conf.all.disable_ipv6=1" is good enough and should not have negative side-effects of "ipv6.disable=1".

Having said that, I'm proposing to close all issues caused by "ipv6.disable=1" as WONTFIX.

--
Petr Spacek @ Red Hat
Re: Fedora IPv6 testing and improvements - request for ideas
As well as Fedora itself, we need to get the infrastructure IPv6 ready. My company has developed an IPv6 health checker. Given a domain, it tests its nameservers, webservers, and mailservers for IPv6 readiness.

Currently fedoraproject.org scores 4 out of 9, so there's some room for improvement!

https://www.mythic-beasts.com/ipv6/health-check?domain=fedoraproject.org

It seems odd that there are records for ns0[25], but they point to "dead:beef" addresses that are unreachable. Is this deliberate? Seems like it will just slow things down for any resolver that happens to try the IPv6 address first. (And of course the domain is completely unresolvable from a "pure" IPv6 client.)

Toby.
Re: Fedora IPv6 testing and improvements - request for ideas
On Thu Oct 29 15:15:10 UTC 2015, Pavel Simerda wrote:
> I am writing to Fedora development mailing lists to get opinions
> and ideas regarding our project on improving IPv6 support in
> Fedora across its components.
>
> https://fedoraproject.org/wiki/QA/Networking
>
> Most prominent subpages:
>
> * https://fedoraproject.org/wiki/QA/Networking/Test_environment
> * https://fedoraproject.org/wiki/QA/Networking/Client_software
> * https://fedoraproject.org/wiki/QA/Networking/Server_software
>
> During the first phase we are interested in getting feedback on
> testing methods and test cases. Any other ideas are of course
> welcome. Even contacts for future collaboration would be great.

I was an early adopter of IPv6; I've had it in some form or another continuously since 2006. I may have a few ideas to share.

My late response today was motivated in part by my attempting to install Fedora in a VM from my private IPv6-only Fedora mirror, and having it completely fail to download .treeinfo and squashfs.img, despite picking up an SLAAC IPv6 address and being bridged to the same subnet as the mirror...

One of the REALLY early adopters of IPv6 was Microsoft, who began rolling it out internally in the early 2000s, when XP was the new OS on the block. I recently read a Microsoft book, Understanding IPv6 (Third Edition) and one of the things I took away from that, with regard to testing, is that since Vista/2008 they do not test Windows without the IPv6 stack, nor can it even be fully removed! But you can uninstall the IPv4 stack from Windows, and this is a fully supported configuration.

A short bit from the book:

> From Microsoft's perspective, IPv6 is a mandatory part of the Windows
> operating system, and it is enabled and included in standard Windows service
> and application testing during the operating system development process.
> Because Windows was designed specifically with IPv6 present, Microsoft does
> not perform any testing to determine the effects of disabling IPv6. If IPv6
> is disabled in Windows, some components will not function. Moreover,
> applications that you might not think are using IPv6—such as Remote
> Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.

I'm aware that there remain kernel issues preventing IPv4 from being entirely disabled, but it should be possible today to test Fedora in an (almost) entirely IPv6-only configuration. Such a setup could shake loose a very large pile of bugs (on the order of thousands, across all Fedora packages).

One interesting test in particular would be to remove 127.0.0.1 from the lo interface, leaving only ::1; there is a lot of software out there that assumes that 127.0.0.1 will always be there, and this is not a valid assumption.

For some background on things that can be expected to go wrong in an IPv6-only network, RFC 6586 makes good reading.

OK, maybe I just had one idea...

(Note that I'm on digest and usually only skim it, so I might miss any messages not CC'd to me.)
Re: Fedora IPv6 testing and improvements - request for ideas
On Tue, Nov 03, 2015 at 01:12:09PM -0500, Pavel Simerda wrote:
> You can of course have combinations. We can add that once we have
> specific test cases that would show importance of a standalone category
> for such a setup. Otherwise one would usually view IPv6 global and IPv6
> local communication as two isolated things.

I only brought it up because both ULA and non-ULA global are "global" so some software could pick inappropriate prefixes. That doesn't show up if you never hand out multiple prefixes to choose from.

> > Another case would be multi-homed IPv6, where you have global IPv6
> > addresses from multiple sources (could be two ISPs, two tunnel
> > providers, or one ISP and one tunnel provider).
>
> Interesting. Any specific test cases for that?

Assuming link/ISP/prefix A vs B. Check that:
- Apps connected to via A respond from A and not B.
- If A is preferred over B, apps source via A instead of B unless/until A has been withdrawn/is unavailable.
- Things keep working if A is withdrawn/is unavailable.
- If the preference is reconfigured, that the apps respect that change.
- Starting with only A, advertise higher-priority B and watch that things switch.

I think that covers what people usually want for multi-homing. This ignores the router end of actually being able to express/route/manage the above correctly.

> > IPv6 is designed to be inherently more dynamic than IPv4 (particularly
> > with RAs) -- we should test transitions between connectivity states
> > (simulating an ISP connection dropping and coming back up or a router
> > going down and coming back up).
>
> While IPv6 is designed to be inherently dynamic, operators seem to be
> avoiding it as much as possible and use it in a way more similar to
> IPv4. Specific test cases and common usage are welcome, though.

Yeah, I've noticed that, too. Seems like a bit of wanting their cake (dynamically provisioning & reconfiguring customers) while eating it too (not wanting to support/use protocols intended to allow that without breaking things). To be fair, I don't think it's just the operators.

As for test cases: have the router withdraw the global prefix and see that things drop back to IPv4 (if you've got only one prefix) or switch over to another configured global prefix (if there's more than one). Then do the opposite and see that the new prefixes get picked up.

Alternatively, have the router transition the network to new prefixes (renumbering).

I feel like those are somewhat obvious (re)statements, so I'm not sure if this is what you're looking for. FWIW, I expect most software to handle this poorly unless the kernel somehow does this automagically for userspace programs, but I get the impression that you're trying to assess current state as much as fix things.

> > Speed differences between IPv6 & IPv4 could be a factor as well (happy
> > eyeballs) -- though reportedly IPv6 has tended to be faster than IPv4
> > rather than the previously-expected inverse.
> >
> > Checking support for DHCPv6-PD would also be valuable.
>
> We're not really focusing on a Fedora based router use case. As always,
> that doesn't mean someone cannot join and extend the effort. If you're
> interested in the classic connection sharing feature, it may be better
> to contact NetworkManager developers directly.

Fair enough re DHCPv6-PD (I suspected that was a bit of a long shot), but you maybe missed the "happy eyeballs" bit above that...
SELinux & disabled IPv6 (was: Re: Fedora IPv6 testing and improvements - request for ideas)
On Tue, Nov 03, 2015 at 09:50:53AM -0800, Moez Roy wrote:
> The IPv6 updates are breaking stuff (and probably increasing the
> attack surface):
>
> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>
> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1251762

Your bugs' subjects complain that software X is ignoring configuration for software Y. That's expected for any X & Y where X != Y. In other words, you shouldn't expect unbound and/or dnssec-triggerd to be looking at *kernel* configuration settings.

Looking at the bugs' bodies, it appears that because IPv6 isn't there, some kernel module auto-load configuration is trying to auto-load IPv6 and SELinux is prohibiting the action. That or the tool is explicitly trying to load the module, but I rather doubt this.

You note the SELinux policy alert but don't identify if this actually breaks anything. The right answer could be as simple as changing the SELinux policy to mark this transition/action as dontaudit (or just ignore the audit message).

Ah, a google search for `selinux "request-module"' leads me here:
https://bugzilla.redhat.com/show_bug.cgi?id=527936 which appears to agree with the above.
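An added example, not part of the original message and not taken from the bug reports or from the SELinux policy project: a small triage script for the situation described above, separating `module_request` denials that follow from booting with `ipv6.disable=1` from ones that still need a look, and listing the `dontaudit` rules an administrator might review. The audit records, process domains and kernel command line are constructed samples; `net-pf-10` is the module alias the kernel requests for address family 10 (AF_INET6 on Linux).

```python
import re

# Constructed sample data for illustration; not copied from the bug reports.
# The SELinux domains shown for each process are assumptions.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1446570000.101:410): avc:  denied  { module_request } for  pid=912 comm="unbound-anchor" kmod="net-pf-10" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1446570000.101:410): arch=c000003e syscall=41 success=no exit=-97 comm="unbound-anchor"
type=AVC msg=audit(1446570003.552:431): avc:  denied  { module_request } for  pid=1040 comm="dnssec-triggerd" kmod="net-pf-10" scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1446570009.007:502): avc:  denied  { module_request } for  pid=2210 comm="example-daemon" kmod="example-module" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-placeholder root=/dev/mapper/fedora-root ro quiet ipv6.disable=1"

IPV6_ALIAS = "net-pf-10"  # module alias for address family 10 (AF_INET6)
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other records."""
    match = AVC_RE.search(line)
    if not line.startswith("type=AVC") or match is None:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    fields["perms"] = match.group("perms").split()
    return fields


def ipv6_disabled_at_boot(cmdline):
    """True when the kernel command line carries the ipv6.disable=1 token."""
    return "ipv6.disable=1" in cmdline.split()


def selinux_type(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]


def triage(audit_text, cmdline):
    """Classify each AVC denial as 'expected' or 'investigate'."""
    boot_off = ipv6_disabled_at_boot(cmdline)
    results = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # Expected only if IPv6 was turned off at boot AND the process merely
        # caused a request for the IPv6 family module; anything else stays open.
        expected = (boot_off
                    and rec["perms"] == ["module_request"]
                    and rec.get("tclass") == "system"
                    and rec.get("kmod") == IPV6_ALIAS)
        results.append({
            "comm": rec.get("comm"),
            "kmod": rec.get("kmod"),
            "source_type": selinux_type(rec["scontext"]),
            "target_type": selinux_type(rec["tcontext"]),
            "verdict": "expected" if expected else "investigate",
        })
    return results


def dontaudit_candidates(results):
    """Rules to review for the 'expected' denials only (never auto-apply)."""
    return sorted({
        f"dontaudit {r['source_type']} {r['target_type']}:system module_request;"
        for r in results if r["verdict"] == "expected"
    })


if __name__ == "__main__":
    findings = triage(SAMPLE_AUDIT, SAMPLE_CMDLINE)
    for item in findings:
        print(f"{item['verdict']:<12} {item['comm']} -> {item['kmod']}")
    print("\n".join(dontaudit_candidates(findings)))
```

A `dontaudit` rule cannot match on the `kmod=` value, so each candidate silences every `module_request` denial for that domain, not only the IPv6 one.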
Re: Fedora IPv6 testing and improvements - request for ideas
- Original Message -
> From: "Major Hayden"
> To: devel@lists.fedoraproject.org
> Sent: Tuesday, November 3, 2015 8:24:46 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
>
> On 10/29/2015 10:15 AM, Pavel Simerda wrote:
> > I am writing to Fedora development mailing lists to get opinions
> > and ideas regarding our project on improving IPv6 support in
> > Fedora across its components.
>
> I'd be more than happy to work with some folks to write additional
> documentation about IPv6 and:
>
> * systemd-networkd
> * wide-dhcpv6 / dibbler
> * firewalld
> * openvpn

Hi, let's talk on IRC Freenode. My nickname is pavlix.

>
> I'm not very knowledgeable in NetworkManager, unfortunately.

I can provide some NetworkManager knowledge as well as contact to active NetworkManager developers.

Cheers,

Pavel

>
> --
> Major Hayden
Re: Fedora IPv6 testing and improvements - request for ideas
- Original Message -
> From: "Peter Robinson"
> To: "Development discussions related to Fedora"
> Sent: Tuesday, November 3, 2015 6:27:32 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
>
> >> In the above page:
> >> * Network configuration: I see NetworkManager in there but nothing
> >> about systemd-networkd
> >
> > I used browser search in that page and 'systemd' (which is the name
> > of the source package that provides systemd-networkd) is listed.
>
> I wasn't sure whether it meant systemd in general such as port based
> service activation or networkd subset of that or combinations of all
> the options.

It is merely a list of packages and doesn't suggest any specific usage of those. I currently don't plan any specific focus on networkd.

> >> * Other: firewalld including zones and other such configurations (you
> >> mention iptables)
> >
> > The firewalld package is also mentioned.
>
> Yes, I found that later on when re-reading.
>
> >> > Most prominent subpages:
> >> >
> >> > * https://fedoraproject.org/wiki/QA/Networking/Test_environment
> >>
> >> In this section I see "IPv6 node" but nothing that covers an IPv6 only
> >> routed network with IPv6 to IPv4 gateway ie it runs v6 only internally
> >> but uses 6 to 4 services for legacy services.
> >
> > That is an interesting point. It sort of falls into the IPv6 only case
> > but has enough specifics to be mentioned, at the least.
> >
> >> > * https://fedoraproject.org/wiki/QA/Networking/Client_software
> >>
> >> Again nothing about a native IPv6 only network with a gateway that
> >> supports 6to4 for legacy services outside the network.
> >
> > To be honest we are most interested in native connectivity. If anyone
> > needs to use tunneled connectivity as a workaround, he should probably
> > choose a mechanism that provides comparable results. On the other hand,
> > the biggest difference in 6to4 when using the `2002::/16` subprefixes
> > is that it is not preferred over IPv4 addresses by default according
> > to RFC 6724.
>
> It's still a valid use case that we should be testing to ensure as
> networks migrate it provides a good user experience.
>
> >> What about an iOS9 style preferring of IPv6 over IPv4 in the general
> >> desktop. In the iOS9 case they do network measurements and favour IPv6
> >> by default, and if it's going to be faster but fail back quickly if
> >> it's not, how would we deal with this?
> >
> > In my opinion this is out of scope of the networking QA project as
> > we see it.
>
> Why? It's a completely relevant usecase and if there's options where
> it'd be faster and provides better user experience, or the inverse it's
> slower and provides a poor user experience why wouldn't we want to
> test it?

Relevancy is not enough. The project is rather loosely defined at the moment and its focus will mainly depend on the focus of its active contributors. I'm not aware of anyone willing to work on network measurement based dynamic network configuration.

> >> > * https://fedoraproject.org/wiki/QA/Networking/Server_software
> >>
> >> Nothing in here about:
> >> * IPv6 services RA, dhcp6, 6 to 4 proxies, 4 to 6 proxies and other
> >> such transition servers
> >
> > That is correct. The page is about general networking server workflow,
> > for network configuration details see the respective document below.
> >
> > https://fedoraproject.org/wiki/QA/Networking/Configuration
> >
> >> * what about VPN services like an IPv6 only network connecting to a
> >> dual stack VPN, or an IPv4 only VPN or a number of combinations there
> >> of IE interfaces that are v6 only and ones that are v4 only. What
> >> happens with routing then if there's other 6 to 4 services in play?
> >
> > Like in the following bug report? Yes, that sounds useful to add
> > somewhere.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1091356
> >
> >> * Load balancers ie like facebook uses to bridge external dual stack
> >> to IPv6 only internal services, or providing IPv6 externally to
> >> present internal v4 services externally to v6
> >
> > I don't think we (people currently involved in the project) have the
> > capacity to test Fedora based services with load balancers. Anyone
> > is free to submit bug reports, though.
>
> I meant more for t
Re: Fedora IPv6 testing and improvements - request for ideas
- Original Message -
> From: "Moez Roy"
> To: "Development discussions related to Fedora", "Pavel Simerda"
> Cc: "Tore Anderson", "Tomas Hozza", "Paul Wouters"
> Sent: Tuesday, November 3, 2015 6:50:53 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
>
> Hi Pavel Simerda,
>
> The IPv6 updates are breaking stuff (and probably increasing the
> attack surface):

Hi Moez, please could you explain the above statement and back it by specific data for the tickets below?

> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1231946

It seems to suggest there was a regression due to an update related to IPv6 but:

1) The ticket doesn't suggest a regression.
2) The ticket doesn't talk about any specific update.
3) I am not aware of any recent unbound update motivated by IPv6.

If you still think it is the case, please address the above points in the bugzilla ticket.

> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1251762

This looks very similar in nature.

> (maybe other software like avahi also don't remember right now)
>
> You can reproduce this by putting "ipv6.disable=1" in the kernel command
> line.

Thanks! It looks like we need to test a lot of stuff with IPv6 disabled in the kernel.

Cheers,
Pavel
Re: Fedora IPv6 testing and improvements - request for ideas
- Original Message -
> From: "Josef Bacik"
> To: "Development discussions related to Fedora"
> Cc: "Pavel Simerda", "Paul Wouters", "Tore Anderson"
> Sent: Tuesday, November 3, 2015 6:56:42 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
>
> So one thing I would suggest is testing ipv6 only environments. At
> Facebook we are running into and fixing a whole host of problems with
> NetworkManager, Anaconda, Dracut, etc. because they don't handle ipv6
> only very well. It seems that having ipv4 enabled allows things to
> work well enough that nobody notices problems with ipv6. Thanks,

Hi Josef, there are indeed a lot of assumptions in software regarding availability of IPv4. Is there a possibility you or anyone could provide a list of issues and reproducers related to IPv6-only installation and operation? In that case we could add them to the wiki.

Cheers,
Pavel

>
> Josef
>
> On Tue, Nov 3, 2015 at 12:50 PM, Moez Roy wrote:
> > Hi Pavel Simerda,
> >
> > The IPv6 updates are breaking stuff (and probably increasing the
> > attack surface):
> >
> > Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> > in /etc/sysctl.conf
> > https://bugzilla.redhat.com/show_bug.cgi?id=1231946
> >
> > Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> > in /etc/sysctl.conf
> > https://bugzilla.redhat.com/show_bug.cgi?id=1251762
> >
> > (maybe other software like avahi also don't remember right now)
> >
> > You can reproduce this by putting "ipv6.disable=1" in the kernel command
> > line.
> >
> > Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
> > security provided by SELinux so it is not an option.
> >
> > Would appreciate fixes please. Thanks.
Re: Fedora IPv6 testing and improvements - request for ideas
- Original Message -
> From: "Michael Cronenworth"
> To: devel@lists.fedoraproject.org
> Sent: Friday, October 30, 2015 10:37:59 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
>
> On 10/29/2015 10:15 AM, Pavel Simerda wrote:
> > *https://fedoraproject.org/wiki/QA/Networking/Test_environment
>
> Don't forget about 6to4[1]... everyone should have access to this unless
> your ISP blocks the routes. It doesn't require an account or 3rd party
> host that the tunnels require.
>
> NetworkManager ifcfg settings:
> IPV6TO4INIT, IPV6TO4_ROUTING, and if you run a server. IPV6_CONTROL_RADVD
>
> Some ISPs provide 6rd[2] access, which is the next step above 6to4.

Hi Michael, we will consider this although I think 6to4 and 6rd rather belong to the network infrastructure and we do not really focus on router use cases.

Cheers,
Pavel

>
> [1] https://en.wikipedia.org/wiki/6to4
> [2] https://en.wikipedia.org/wiki/IPv6_rapid_deployment
Re: Fedora IPv6 testing and improvements - request for ideas
On 10/29/2015 10:15 AM, Pavel Simerda wrote:
> I am writing to Fedora development mailing lists to get opinions
> and ideas regarding our project on improving IPv6 support in
> Fedora across its components.

I'd be more than happy to work with some folks to write additional documentation about IPv6 and:

* systemd-networkd
* wide-dhcpv6 / dibbler
* firewalld
* openvpn

I'm not very knowledgeable in NetworkManager, unfortunately.

--
Major Hayden
Re: Fedora IPv6 testing and improvements - request for ideas
- Original Message -
> From: "Scott Schmit"
> To: devel@lists.fedoraproject.org
> Sent: Friday, October 30, 2015 2:10:41 AM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
>
> On Thu, Oct 29, 2015 at 11:15:10AM -0400, Pavel Simerda wrote:
> > I am writing to Fedora development mailing lists to get opinions
> > and ideas regarding our project on improving IPv6 support in
> > Fedora across its components.
> >
> > https://fedoraproject.org/wiki/QA/Networking
> >
> > Most prominent subpages:
> >
> > * https://fedoraproject.org/wiki/QA/Networking/Test_environment
>
> It may make sense to have an IPv6 case between global & local that has
> all 4 categories of address (I see this as loosely analogous to the IPv4
> masqueraded case).

Hi Scott, thanks for your feedback. You can of course have combinations. We can add that once we have specific test cases that would show importance of a standalone category for such a setup. Otherwise one would usually view IPv6 global and IPv6 local communication as two isolated things.

> Another case would be multi-homed IPv6, where you have global IPv6
> addresses from multiple sources (could be two ISPs, two tunnel
> providers, or one ISP and one tunnel provider).

Interesting. Any specific test cases for that?

> IPv6 is designed to be inherently more dynamic than IPv4 (particularly
> with RAs) -- we should test transitions between connectivity states
> (simulating an ISP connection dropping and coming back up or a router
> going down and coming back up).

While IPv6 is designed to be inherently dynamic, operators seem to be avoiding it as much as possible and use it in a way more similar to IPv4. Specific test cases and common usage are welcome, though.

> Speed differences between IPv6 & IPv4 could be a factor as well (happy
> eyeballs) -- though reportedly IPv6 has tended to be faster than IPv4
> rather than the previously-expected inverse.
>
> Checking support for DHCPv6-PD would also be valuable.

We're not really focusing on a Fedora based router use case. As always, that doesn't mean someone cannot join and extend the effort. If you're interested in the classic connection sharing feature, it may be better to contact NetworkManager developers directly.

Cheers,
Pavel
Re: Fedora IPv6 testing and improvements - request for ideas
So one thing I would suggest is testing ipv6 only environments. At Facebook we are running into and fixing a whole host of problems with NetworkManager, Anaconda, Dracut, etc. because they don't handle ipv6 only very well. It seems that having ipv4 enabled allows things to work well enough that nobody notices problems with ipv6. Thanks,

Josef

On Tue, Nov 3, 2015 at 12:50 PM, Moez Roy wrote:
> Hi Pavel Simerda,
>
> The IPv6 updates are breaking stuff (and probably increasing the
> attack surface):
>
> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>
> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
> in /etc/sysctl.conf
> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
>
> (maybe other software like avahi also don't remember right now)
>
> You can reproduce this by putting "ipv6.disable=1" in the kernel command line.
>
> Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the
> security provided by SELinux so it is not an option.
>
> Would appreciate fixes please. Thanks.
Re: Fedora IPv6 testing and improvements - request for ideas
Hi Pavel Simerda,

The IPv6 updates are breaking stuff (and probably increasing the attack surface):

Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1231946

Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf
https://bugzilla.redhat.com/show_bug.cgi?id=1251762

(maybe other software like avahi also don't remember right now)

You can reproduce this by putting "ipv6.disable=1" in the kernel command line.

Doing 'setsebool -P domain_kernel_load_modules 1' would reduce the security provided by SELinux so it is not an option.

Would appreciate fixes please. Thanks.
Re: Fedora IPv6 testing and improvements - request for ideas
>> In the above page:
>> * Network configuration: I see NetworkManager in there but nothing
>> about systemd-networkd
>
> I used browser search in that page and 'systemd' (which is the name
> of the source package that provides systemd-networkd) is listed.

I wasn't sure whether it meant systemd in general such as port based service activation or networkd subset of that or combinations of all the options.

>> * Other: firewalld including zones and other such configurations (you
>> mention iptables)
>
> The firewalld package is also mentioned.

Yes, I found that later on when re-reading.

>> > Most prominent subpages:
>> >
>> > * https://fedoraproject.org/wiki/QA/Networking/Test_environment
>>
>> In this section I see "IPv6 node" but nothing that covers an IPv6 only
>> routed network with IPv6 to IPv4 gateway ie it runs v6 only internally
>> but uses 6 to 4 services for legacy services.
>
> That is an interesting point. It sort of falls into the IPv6 only case
> but has enough specifics to be mentioned, at the least.
>
>> > * https://fedoraproject.org/wiki/QA/Networking/Client_software
>>
>> Again nothing about a native IPv6 only network with a gateway that
>> supports 6to4 for legacy services outside the network.
>
> To be honest we are most interested in native connectivity. If anyone
> needs to use tunneled connectivity as a workaround, he should probably
> choose a mechanism that provides comparable results. On the other hand,
> the biggest difference in 6to4 when using the `2002::/16` subprefixes
> is that it is not preferred over IPv4 addresses by default according
> to RFC 6724.

It's still a valid use case that we should be testing to ensure as networks migrate it provides a good user experience.

>> What about an iOS9 style preferring of IPv6 over IPv4 in the general
>> desktop. In the iOS9 case they do network measurements and favour IPv6
>> by default, and if it's going to be faster but fail back quickly if
>> it's not, how would we deal with this?
>
> In my opinion this is out of scope of the networking QA project as
> we see it.

Why? It's a completely relevant usecase and if there's options where it'd be faster and provides better user experience, or the inverse it's slower and provides a poor user experience why wouldn't we want to test it?

>> > * https://fedoraproject.org/wiki/QA/Networking/Server_software
>>
>> Nothing in here about:
>> * IPv6 services RA, dhcp6, 6 to 4 proxies, 4 to 6 proxies and other
>> such transition servers
>
> That is correct. The page is about general networking server workflow,
> for network configuration details see the respective document below.
>
> https://fedoraproject.org/wiki/QA/Networking/Configuration
>
>> * what about VPN services like an IPv6 only network connecting to a
>> dual stack VPN, or an IPv4 only VPN or a number of combinations there
>> of IE interfaces that are v6 only and ones that are v4 only. What
>> happens with routing then if there's other 6 to 4 services in play?
>
> Like in the following bug report? Yes, that sounds useful to add
> somewhere.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1091356
>
>> * Load balancers ie like facebook uses to bridge external dual stack
>> to IPv6 only internal services, or providing IPv6 externally to
>> present internal v4 services externally to v6
>
> I don't think we (people currently involved in the project) have the
> capacity to test Fedora based services with load balancers. Anyone
> is free to submit bug reports, though.

I meant more for things like HAproxy as shipped in Fedora, or for things like OpenShift which depends on components like HAproxy, I mention OpenShift because the council is investigating it as an objective [1]

[1] https://lists.fedoraproject.org/pipermail/council-discuss/2015-September/013694.html

>> There's also nothing I can see from a quick read about offload
>> engines. A lot of 10Gb+ network interfaces have offloads for generic
>> IP, TCP, other acceleration to enable to do line speed 10+gb on IPv4,
>> we obviously want acceleration because IPv6 headers are larger and
>> hence take up more memory.
>
> It is not explicitly stated (and that should be fixed) that we
> are focusing on userspace and configuration, not kernel networking
> features. That doesn't prevent anyone from joining and extending the
> project nor from filing kernel bug reports and feature requests.

Well things like dpdk are userspace and integrate with things like virtualisation, docker, openvswitch etc, are those sort of userspace in your remit?

>> There's toolkits like dpdk (
>> http://dpdk.org ) for acceleration of packets across large bandwidth
>> interfaces but I don't see any mention of that or network IO
>> virtualisation/offload.
>>
>> Facebook and others have been testing these sorts of things:
>>
>> https://code.facebook.com/posts/1123882380960538/linux-ipv6-improvement-routing-cache-on-demand/
>> https://code.facebook.com/posts/938078729581886/improving-the-linux-kernel-with-upstream-contribu
Re: Fedora IPv6 testing and improvements - request for ideas
- Original Message -
> From: "Chris Adams"
> To: devel@lists.fedoraproject.org
> Sent: Thursday, October 29, 2015 9:30:12 PM
> Subject: Re: Fedora IPv6 testing and improvements - request for ideas
>
> Once upon a time, Zach Villers said:
> > If it helps, Sixxs (https://www.sixxs.net/main/) is a very highly
> > recommended tunnel broker. I have not tried it and am not affiliated. I do
> > have ipv6 capability from my isp, so could help with testing.

Hi Zach (replying at once), I'm afraid we generally cannot recommend SixXS as they are very strict and very picky on connecting automatically to the service and we (Fedora) had problems with that before.

> There's also Hurricane Electric's free IPv6 tunnels.

Their tunnelbroker.net service is already mentioned in the following page.

https://fedoraproject.org/wiki/QA/Networking/Test_environment

Cheers,
Pavel
Re: Fedora IPv6 testing and improvements - request for ideas
- Original Message -
> From: "Peter Robinson"
>
> > https://fedoraproject.org/wiki/QA/Networking

Hi, thanks for your feedback.

> In the above page:
> * Network configuration: I see NetworkManager in there but nothing
> about systemd-networkd

I used browser search in that page and 'systemd' (which is the name of the source package that provides systemd-networkd) is listed.

> * Other: firewalld including zones and other such configurations (you
> mention iptables)

The firewalld package is also mentioned.

> > Most prominent subpages:
> >
> > * https://fedoraproject.org/wiki/QA/Networking/Test_environment
>
> In this section I see "IPv6 node" but nothing that covers an IPv6 only
> routed network with IPv6 to IPv4 gateway ie it runs v6 only internally
> but uses 6 to 4 services for legacy services.

That is an interesting point. It sort of falls into the IPv6 only case but has enough specifics to be mentioned, at the least.

> > * https://fedoraproject.org/wiki/QA/Networking/Client_software
>
> Again nothing about a native IPv6 only network with a gateway that
> supports 6to4 for legacy services outside the network.

To be honest we are most interested in native connectivity. If anyone needs to use tunneled connectivity as a workaround, he should probably choose a mechanism that provides comparable results. On the other hand, the biggest difference in 6to4 when using the `2002::/16` subprefixes is that it is not preferred over IPv4 addresses by default according to RFC 6724.

> What about an iOS9 style preferring of IPv6 over IPv4 in the general
> desktop. In the iOS9 case they do network measurements and favour IPv6
> by default, and if it's going to be faster but fail back quickly if
> it's not, how would we deal with this?

In my opinion this is out of scope of the networking QA project as we see it.

> > * https://fedoraproject.org/wiki/QA/Networking/Server_software
>
> Nothing in here about:
> * IPv6 services RA, dhcp6, 6 to 4 proxies, 4 to 6 proxies and other
> such transition servers

That is correct. The page is about general networking server workflow, for network configuration details see the respective document below.

https://fedoraproject.org/wiki/QA/Networking/Configuration

> * what about VPN services like an IPv6 only network connecting to a
> dual stack VPN, or an IPv4 only VPN or a number of combinations there
> of IE interfaces that are v6 only and ones that are v4 only. What
> happens with routing then if there's other 6 to 4 services in play?

Like in the following bug report? Yes, that sounds useful to add somewhere.

https://bugzilla.redhat.com/show_bug.cgi?id=1091356

> * Load balancers ie like facebook uses to bridge external dual stack
> to IPv6 only internal services, or providing IPv6 externally to
> present internal v4 services externally to v6

I don't think we (people currently involved in the project) have the capacity to test Fedora based services with load balancers. Anyone is free to submit bug reports, though.

> There's also nothing I can see from a quick read about offload
> engines. A lot of 10Gb+ network interfaces have offloads for generic
> IP, TCP, other acceleration to enable to do line speed 10+gb on IPv4,
> we obviously want acceleration because IPv6 headers are larger and
> hence take up more memory.

It is not explicitly stated (and that should be fixed) that we are focusing on userspace and configuration, not kernel networking features. That doesn't prevent anyone from joining and extending the project nor from filing kernel bug reports and feature requests.

> There's toolkits like dpdk (
> http://dpdk.org ) for acceleration of packets across large bandwidth
> interfaces but I don't see any mention of that or network IO
> virtualisation/offload.
>
> Facebook and others have been testing these sorts of things:
>
> https://code.facebook.com/posts/1123882380960538/linux-ipv6-improvement-routing-cache-on-demand/
> https://code.facebook.com/posts/938078729581886/improving-the-linux-kernel-with-upstream-contributions/
>
> Along these lines also I see nothing about Open vSwitch and SND
> encapsulation protocols testing such as vxlan, GRE, GENEVE etc

I think this is the same situation as above.

> > During the first phase we are interested in getting feedback on
> > testing methods and test cases. Any other ideas are of course
> > welcome. Even contacts for future collaboration would be great.
>
> A future development would be around 6LoWPAN and the routing protocols
> etc for that so we can communicate with IoT devices.
>
> The way I read a lot of the pages above is a "this is how we did it on
> IPv4 let's test it on IPv6" rather than a review of how things are
> going to change with IPv6, how would I get to an IPv4 site if I'm on an
> IPv6 network, vice versa and the whole sets of new use cases that are
> appearing as a result of it.

Let us know if there are specific cases that need to be covered to make Fedora packages communicate well over the ver
Re: Fedora IPv6 testing and improvements - request for ideas
Once upon a time, Dan Williams said:
> You can set this on a per-connection basis with NM. It just defaults to
> "unset", which then defaults to "on". You can also set a global default
> through /etc/NetworkManager/NetworkManager.conf so that all new
> connections on your system get "disabled" when they have the privacy
> value unset.

I like privacy extensions - that's not the point. The point is that Fedora with NM is violating the RFC by removing deprecated addresses while they are still in use, something that the kernel managed to get right (why NM had to take over this management of them from the kernel, and then get it wrong, I don't know).

I reported this a year ago to BZ but never got a single response.

--
Chris Adams
Re: Fedora IPv6 testing and improvements - request for ideas
On 10/29/2015 10:15 AM, Pavel Simerda wrote:
> *https://fedoraproject.org/wiki/QA/Networking/Test_environment

Don't forget about 6to4[1]... everyone should have access to this unless your ISP blocks the routes. It doesn't require an account or 3rd party host that the tunnels require.

NetworkManager ifcfg settings:
IPV6TO4INIT, IPV6TO4_ROUTING, and if you run a server. IPV6_CONTROL_RADVD

Some ISPs provide 6rd[2] access, which is the next step above 6to4.

[1] https://en.wikipedia.org/wiki/6to4
[2] https://en.wikipedia.org/wiki/IPv6_rapid_deployment
Re: Fedora IPv6 testing and improvements - request for ideas
On Thu, 2015-10-29 at 15:30 -0500, Chris Adams wrote:
> Once upon a time, Zach Villers said:
> > If it helps, Sixxs (https://www.sixxs.net/main/) is a very highly
> > recommended tunnel broker. I have not tried it and am not affiliated. I do
> > have ipv6 capability from my isp, so could help with testing.
>
> There's also Hurricane Electric's free IPv6 tunnels.
>
> BTW: one issue that I have seen with IPv6 and address privacy extensions
> is that, since temporary address handling moved to user-space
> (NetworkManager I guess?) instead of kernel-space, temporary addresses
> are expired even when they are still in use. This affects anything that
> uses long-lived sessions (such as SSH to a server) and is highly
> annoying.
>
> The RFC (4941 section 3.4) says:
>
> "As an optional optimization, an implementation MAY remove a
> deprecated temporary address that is not in use by applications or
> upper layers as detailed in Section 6."

You can set this on a per-connection basis with NM. It just defaults to "unset", which then defaults to "on". You can also set a global default through /etc/NetworkManager/NetworkManager.conf so that all new connections on your system get "disabled" when they have the privacy value unset.

nmcli con mod "" ipv6.ip6-privacy 0

Dan
Re: Fedora IPv6 testing and improvements - request for ideas
On Thu, Oct 29, 2015 at 11:15:10AM -0400, Pavel Simerda wrote:
> I am writing to Fedora development mailing lists to get opinions
> and ideas regarding our project on improving IPv6 support in
> Fedora across its components.
>
> https://fedoraproject.org/wiki/QA/Networking
>
> Most prominent subpages:
>
> * https://fedoraproject.org/wiki/QA/Networking/Test_environment

It may make sense to have an IPv6 case between global & local that has all 4 categories of address (I see this as loosely analogous to the IPv4 masqueraded case).

Another case would be multi-homed IPv6, where you have global IPv6 addresses from multiple sources (could be two ISPs, two tunnel providers, or one ISP and one tunnel provider).

IPv6 is designed to be inherently more dynamic than IPv4 (particularly with RAs) -- we should test transitions between connectivity states (simulating an ISP connection dropping and coming back up or a router going down and coming back up).

Speed differences between IPv6 & IPv4 could be a factor as well (happy eyeballs) -- though reportedly IPv6 has tended to be faster than IPv4 rather than the previously-expected inverse.

Checking support for DHCPv6-PD would also be valuable.

> * https://fedoraproject.org/wiki/QA/Networking/Client_software
> * https://fedoraproject.org/wiki/QA/Networking/Server_software
>
> During the first phase we are interested in getting feedback on
> testing methods and test cases. Any other ideas are of course
> welcome. Even contacts for future collaboration would be great.

--
Scott
Re: Fedora IPv6 testing and improvements - request for ideas
Once upon a time, Zach Villers said:
> If it helps, Sixxs (https://www.sixxs.net/main/) is a very highly
> recommended tunnel broker. I have not tried it and am not affiliated. I do
> have ipv6 capability from my isp, so could help with testing.

There's also Hurricane Electric's free IPv6 tunnels.

BTW: one issue that I have seen with IPv6 and address privacy extensions is that, since temporary address handling moved to user-space (NetworkManager I guess?) instead of kernel-space, temporary addresses are expired even when they are still in use. This affects anything that uses long-lived sessions (such as SSH to a server) and is highly annoying.

The RFC (4941 section 3.4) says:

"As an optional optimization, an implementation MAY remove a deprecated temporary address that is not in use by applications or upper layers as detailed in Section 6."

--
Chris Adams
Re: Fedora IPv6 testing and improvements - request for ideas
If it helps, SixXS (https://www.sixxs.net/main/) is a very highly recommended tunnel broker. I have not tried it and am not affiliated. I do have IPv6 capability from my ISP, so could help with testing.

On Thu, Oct 29, 2015 at 3:35 PM, Peter Robinson wrote:
> On Thu, Oct 29, 2015 at 3:15 PM, Pavel Simerda wrote:
> > Hi all,
> >
> > I am writing to Fedora development mailing lists to get opinions
> > and ideas regarding our project on improving IPv6 support in
> > Fedora across its components.
> >
> > https://fedoraproject.org/wiki/QA/Networking
>
> In the above page:
> * Network configuration: I see NetworkManager in there but nothing
>   about systemd-networkd
> * Other: firewalld including zones and other such configurations (you
>   mention iptables)
>
> > Most prominent subpages:
> >
> > * https://fedoraproject.org/wiki/QA/Networking/Test_environment
>
> In this section I see "IPv6 node" but nothing that covers an IPv6 only
> routed network with IPv6 to IPv4 gateway, i.e. it runs v6 only internally
> but uses 6 to 4 services for legacy services.
>
> > * https://fedoraproject.org/wiki/QA/Networking/Client_software
>
> Again nothing about a native IPv6 only network with a gateway that
> supports 6to4 for legacy services outside the network.
>
> What about an iOS9 style preferring of IPv6 over IPv4 in the general
> desktop. In the iOS9 case they do network measurements and favour IPv6
> by default, and if it's going to be faster but fail back quickly if
> it's not, how would we deal with this?
>
> > * https://fedoraproject.org/wiki/QA/Networking/Server_software
>
> Nothing in here about:
> * IPv6 services RA, dhcp6, 6 to 4 proxies, 4 to 6 proxies and other
>   such transition servers
> * what about VPN services like an IPv6 only network connecting to a
>   dual stack VPN, or an IPv4 only VPN or a number of combinations
>   thereof, i.e. interfaces that are v6 only and ones that are v4 only. What
>   happens with routing then if there's other 6 to 4 services in play?
> * Load balancers, i.e. like Facebook uses to bridge external dual stack
>   to IPv6 only internal services, or providing IPv6 externally to
>   present internal v4 services externally to v6
>
> There's also nothing I can see from a quick read about offload
> engines. A lot of 10Gb+ network interfaces have offloads for generic
> IP, TCP, other acceleration to enable to do line speed 10+gb on IPv4,
> we obviously want acceleration because IPv6 headers are larger and
> hence take up more memory. There's toolkits like dpdk (
> http://dpdk.org ) for acceleration of packets across large bandwidth
> interfaces but I don't see any mention of that or network IO
> virtualisation/offload.
>
> Facebook and others have been testing these sorts of things:
>
> https://code.facebook.com/posts/1123882380960538/linux-ipv6-improvement-routing-cache-on-demand/
>
> https://code.facebook.com/posts/938078729581886/improving-the-linux-kernel-with-upstream-contributions/
>
> Along these lines also I see nothing about Open vSwitch and SDN
> encapsulation protocols testing such as vxlan, GRE, GENEVE etc
>
> > During the first phase we are interested in getting feedback on
> > testing methods and test cases. Any other ideas are of course
> > welcome. Even contacts for future collaboration would be great.
>
> A future development would be around 6LoWPAN and the routing protocols
> etc for that so we can communicate with IoT devices.
>
> The way I read a lot of the pages above is a "this is how we did it on
> IPv4 let's test it on IPv6" rather than a review of how things are
> going to change with IPv6, how would I get to an IPv4 site if I'm on an
> IPv6 network, vice versa and the whole sets of new use cases that are
> appearing as a result of it.
>
> Peter
Re: Fedora IPv6 testing and improvements - request for ideas
On Thu, Oct 29, 2015 at 3:15 PM, Pavel Simerda wrote:
> Hi all,
>
> I am writing to Fedora development mailing lists to get opinions
> and ideas regarding our project on improving IPv6 support in
> Fedora across its components.
>
> https://fedoraproject.org/wiki/QA/Networking

In the above page:
* Network configuration: I see NetworkManager in there but nothing
  about systemd-networkd
* Other: firewalld including zones and other such configurations (you
  mention iptables)

> Most prominent subpages:
>
> * https://fedoraproject.org/wiki/QA/Networking/Test_environment

In this section I see "IPv6 node" but nothing that covers an IPv6 only
routed network with IPv6 to IPv4 gateway, i.e. it runs v6 only internally
but uses 6 to 4 services for legacy services.

> * https://fedoraproject.org/wiki/QA/Networking/Client_software

Again nothing about a native IPv6 only network with a gateway that
supports 6to4 for legacy services outside the network.

What about an iOS9 style preferring of IPv6 over IPv4 in the general
desktop. In the iOS9 case they do network measurements and favour IPv6
by default, and if it's going to be faster but fail back quickly if
it's not, how would we deal with this?

> * https://fedoraproject.org/wiki/QA/Networking/Server_software

Nothing in here about:
* IPv6 services RA, dhcp6, 6 to 4 proxies, 4 to 6 proxies and other
  such transition servers
* what about VPN services like an IPv6 only network connecting to a
  dual stack VPN, or an IPv4 only VPN or a number of combinations
  thereof, i.e. interfaces that are v6 only and ones that are v4 only. What
  happens with routing then if there's other 6 to 4 services in play?
* Load balancers, i.e. like Facebook uses to bridge external dual stack
  to IPv6 only internal services, or providing IPv6 externally to
  present internal v4 services externally to v6

There's also nothing I can see from a quick read about offload
engines. A lot of 10Gb+ network interfaces have offloads for generic
IP, TCP, other acceleration to enable to do line speed 10+gb on IPv4,
we obviously want acceleration because IPv6 headers are larger and
hence take up more memory. There's toolkits like dpdk (
http://dpdk.org ) for acceleration of packets across large bandwidth
interfaces but I don't see any mention of that or network IO
virtualisation/offload.

Facebook and others have been testing these sorts of things:

https://code.facebook.com/posts/1123882380960538/linux-ipv6-improvement-routing-cache-on-demand/

https://code.facebook.com/posts/938078729581886/improving-the-linux-kernel-with-upstream-contributions/

Along these lines also I see nothing about Open vSwitch and SDN
encapsulation protocols testing such as vxlan, GRE, GENEVE etc

> During the first phase we are interested in getting feedback on
> testing methods and test cases. Any other ideas are of course
> welcome. Even contacts for future collaboration would be great.

A future development would be around 6LoWPAN and the routing protocols
etc for that so we can communicate with IoT devices.

The way I read a lot of the pages above is a "this is how we did it on
IPv4 let's test it on IPv6" rather than a review of how things are
going to change with IPv6, how would I get to an IPv4 site if I'm on an
IPv6 network, vice versa and the whole sets of new use cases that are
appearing as a result of it.

Peter