Line 68: | Line 68: | ||
| Global || Dual-stack || || || | | Global || Dual-stack || || || | ||
|- | |- | ||
| Masqueraded || || || || | | Masqueraded || Dual-stack with IPv4 masq.|| || || | ||
|- | |- | ||
| Local || || || || | | Local || || || || | ||
Line 74: | Line 74: | ||
| Zeroconf || || || || | | Zeroconf || || || || | ||
|- | |- | ||
| None || || || || | | None || || || || Isolated host | ||
|} | |} | ||
Revision as of 11:23, 12 October 2015
IPv4 connectivity
connectivity | details |
---|---|
Global | Host is connected to the Internet using a global IPv4 address. |
Masqueraded | Host can access Internet services using a masqueraded private IPv4 address. |
Local | Host has a private address with no global connectivity. |
Zeroconf | Host has a link-local IPv4 address. |
None | Host doesn't have any IPv4 addresses except loopback. |
In most cases you will only need masqueraded IPv4 connectivity and that is the most common way to connect to the Internet nowadays. You can mimic all of the cases above in an isolated testing network by setting up DHCP and DNS servers on one host and configuring the other e.g. using NetworkManager.
How to get IPv4 connectivity
You most often only get actual global connectivity for public servers in datacenters. Beware of corporate setups where you often get global addresses but no connectivity apart from proxy server connections. For most client use cases masqueraded connectivity is sufficient and is typically available in SOHO networks and some corporate environments. You can get local connectivity by connecting to an isolated testing network with a DHCP server. You can very easily achieve none by disconnecting from all networks.
TODO: I have just tested connecting a default Fedora 23 workstation with the goal of getting zeroconf IPv4 connectivity but NetworkManager doesn't set it up. That is not necessarily wrong as we nowadays have link-local IPv6 connectivity which is much more straightforward at least we should document it.
How to emulate IPv4 connectivity in a virtual test environment
Using two virtual machines, one can emulate any type of IPv4 connectivity by picking up an address block intended for documentation and testing ( 192.0.2.0/24
, 198.51.100.0/24
and 203.0.113.0/24
) and setting up DHCP and DNS services on one of the virtual machines, while using the other as a client node.
TODO: Configuration examples.
TODO: Some tools (e.g. glibc name resolution code) may check for existence of the default route or of a specific route to destination and thus an absence of a default route can be considered a configuration issue in itself. We should investigate it further.
IPv6 connectivity
connectivity | details |
---|---|
Global | Host has at least one link-local address and one global address, the latter being used for global connectivity. |
Local | Host has at least one link-local address and one unique local address used for local communication. |
Link-local only | Client only has a link-local address. |
None | Client doesn't have any addresses except loopback. |
In most cases you will either need global connectivity or link-local only connectivity. The latter is typically configured automatically when you connect via IPv4, the former needs to be present in the network. You can overcome this limitation by using an IPv6 tunnel like the one provided by http://www.tunnelbroker.net/. Any of the setups above can be mimicked on an isolated testing network by configuring a router advertisement daemon, an optional DHCP server and a DNS server. You can use dnsmasq to provide all those services at once.
How to get IPv6 connectivity
Only some networks offer IPv6 addresses and only some of them offer actual global connectivity using those addresses. If you are not that lucky to have such a network at hand, you can use one of the many services that offer IPv6 subnets via IPv6 tunnels. For virtually all practical purposes tunnelled connectivity is equivalent to native one. Getting local connectivity is not different from IPv4. On the other hand, you get link-local IPv6 connectivity automatically when connected to a physical ethernet or wireless ethernet network and it is usually kept through the physical connection lifetime unline IPv4 zeroconf addresses. It is normally enough to connect two client machines using a cable to get it.
TODO As far as I know NetworkManager also supports disconnected IPv6 configuration where you don't even have link-local addresses but that needs to be tested first.
How to emulate IPv6 connectivity in a test environment
Using two virtual machines, one can emulate any type of IPv4 connectivity by picking up an address block intended for documentation and testing (2001:DB8::/32
) and setting up RA and DNS services and optional DHCP service on one of the virtual machines, while using the other as a client node.
TODO: Configuration examples.
TODO: Same issues with default route as with IPv4.
IPv4 and IPv6 connectivity combinations
IPv4 \ IPv6 | Global | Local | LL Only | None |
Global | Dual-stack | |||
Masqueraded | Dual-stack with IPv4 masq. | |||
Local | ||||
Zeroconf | ||||
None | Isolated host |
Target DNS
configuration | A query | AAAA query | notes |
---|---|---|---|
Dual-stack | At least one A record | At least one AAAA record | |
IPv4 only | At least one A record | NODATA | |
Lost AAAA reply | At least one A record | Timeout | Typically caused by bad recursive DNS servers |
IPv6 only | NODATA | Answer with at least one AAAA record | |
Multiple IPv4 and IPv6 addresses | At least two A records | At least two AAAA records |
On a host with public Internet access it is usually easiest to choose a target host that fits the criteria. On an isolated testing network this is done using custom DNS data configured in a DNS server. Lost AAAA reply can be mimicked using the DROP rule on firewall.
Note: Other DNS records than A and AAAA typically point to names, not addresses and thus are protocol agnostic but it may still be useful to test e.g. SRV records so that the SRV code path is correct as well.
How to emulate in test environment
At this point you probably already have a test setup with IPv4 and/or IPv6, so now it should be enough to configure some fake domain names under example domains (example.net
and example.com
). The lost AAAA reply case is special in that you need to use firewall or at least blackhole routing to avoid receiving any replies or error messages for a DNS request.
TODO: Examples.
Notes on connectivity checks
Network application behavior may change based on various connectivity checks. Some of them work with IP addresses, some with routes and some are even based on attempting connections. All of the mentioned types of checks are currently present in glibc name resolution code, so you need to be careful about subtle differences in configuration.
Notes on DNS server IPv4/IPv6 accessibility
It usually doesn't matter how recursive servers are accessed, whether via IPv4 and IPv6, the network is expected to be configured correctly.
Authoritative servers inaccessible via one of the protocols is a rather special case important for domain operators. A bad configuration can make otherwise working IPv6 hosts inaccessible from IPv6-only networks with their own recursive servers.