
IPv6 addresses and services

Relevant classes: any

Cfengine version 2 supports the `Next Generation' IPv6 protocol for client-server communication. The compilation and configuration of these services should happen transparently to the user. However, there are a number of things to be aware of. There are several types of IPv6 address. If you have an IPv6 network up and running, then hosts will autoconfigure several addresses. Here is an example of what you might see from ifconfig/ipconfig:
host$ ifconfig -a

eth0      Link encap:Ethernet  HWaddr 00:90:27:93:67:23  
          inet addr:128.39.74.16  Bcast:128.39.75.255  Mask:255.255.254.0
          inet6 addr: fe80::290:27ff:fe93:6723/10 Scope:Link
          inet6 addr: 2001:700:700:4:290:27ff:fe93:6723/64 Scope:Global
          inet6 addr: fe80::90:2793:6723/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:300974648 errors:0 dropped:0 overruns:0 frame:966
          TX packets:322343578 errors:0 dropped:0 overruns:0 carrier:4
          collisions:25141584 txqueuelen:100 
          Interrupt:14 Base address:0x4000 

This host has come up with one IPv4 address (128.39.74.16), which was configured manually during installation, and three separate IPv6 addresses, which were autoconfigured when the machine came up. The IPv6 addresses fall into two categories.

The Scope Link addresses (fe80::) may be used for local cable segment (subnet) communication; they cannot be routed. The Scope Global addresses appear automatically in the presence of a local IPv6 gateway. These are the routable addresses which form an internet.

Global scope IPv6 addresses look something like this:

2001:700:700:4:290:27ff:fe93:6723
**************       ++
The starred part is a delegated IP series, given by an internet addressing authority. The "++" numbers are always "ff". The remaining numbers are taken from the MAC (Media Access Control) address, e.g. the ethernet address of the network interface.

IPv6 -- DNS and /etc/services

Writing IPv6 addresses is even less user-friendly than writing IPv4 addresses, and address lookup is even more reliant on a correct registry than with IPv4. When you specify a remote copy in cfengine using a host name, e.g.
copy:

 source dest=destination server=remote-host 
in order to find "remote-host", cfengine looks up the name in DNS and looks up the cfengine service in /etc/services. With IPv4 these two lookups are independent, but with IPv6 they are tied together: if either one fails, an IPv6 address for the server will not be found. Normally, when this happens, DNS will return an IPv4 address instead, and communication will proceed as in the `olden days'. However, this can cause confusion.

Your DNS server does not have to be on a machine which itself supports IPv6 in order to serve IPv6 addresses. The DNS server just treats records as hunks of text. The lookup will happily use IPv4 to look up an IPv6 address and vice versa, transparently.

IPv6 registration looks like this, in the zone file:

daneel          A       128.39.89.230 
                AAAA    2001:0700:0700:0003:0290:27ff:fea2:477b

The address is copied from the autoconfigured result. Since it is based on constant data (MAC address and IP series), autoconfigured addresses are also constant in time, so registering them should be a one-time job.
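As an added example (not part of the cfengine documentation), the address construction described above carried through in code: the delegated /64 prefix (the starred part) is combined with an interface identifier built from the MAC, and a zone-file AAAA record is checked against the address the host will actually autoconfigure before it is registered. The prefix and MAC come from the ifconfig output on this page; daneel's MAC is not on the page, so the one used below is a constructed value back-derived from its AAAA record.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC address.

    The MAC is split in half, the constant ff:fe is inserted in the middle,
    and the universal/local bit (0x02) of the first octet is flipped.
    This is the 'remaining numbers' part of the address described above.
    """
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)

def autoconf_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures for a delegated /64 prefix (the starred
    part of the address) and the MAC of its interface."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration uses a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def aaaa_record_matches(aaaa: str, prefix: str, mac: str) -> bool:
    """Check a zone-file AAAA record against the address the host will
    actually autoconfigure, so the one-time registration is the right one."""
    return ipaddress.IPv6Address(aaaa) == autoconf_address(prefix, mac)

if __name__ == "__main__":
    # MAC and prefix taken from the ifconfig output above.
    mac = "00:90:27:93:67:23"
    print(autoconf_address("2001:700:700:4::/64", mac))  # Scope:Global address
    print(autoconf_address("fe80::/64", mac))            # Scope:Link address
    # daneel's AAAA record from the zone file above; its MAC is not on the
    # page, so this MAC is a constructed value back-derived from the record.
    print(aaaa_record_matches("2001:0700:0700:0003:0290:27ff:fea2:477b",
                              "2001:700:700:3::/64", "00:90:27:a2:47:7b"))
```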

cfservd.conf and IPv6

At the server end of a cfengine connection, you will need to grant access to IPv6 connections specially. There is a subtlety here: at the server end, one has to deal with a mixture of clients which are connecting with IPv6 enabled and those which are still using IPv4. The server deals with this by mapping IPv4 addresses to a reserved series of IPv6 addresses, of the form:
::ffff:IPv4-address
Cfservd detects such mapped addresses and handles them transparently. Native connections must be allowed explicitly, however.
control:

  AllowConnectionsFrom = ( 
                         128.39.89    # includes ::ffff:128.39.89 
                         128.39.74    # includes ::ffff:128.39.74
                         128.39.75    # includes ::ffff:128.39.75
                         2001:700:700 # native v6 to v6
                         )

  AllowMultipleConnectionsFrom = ( 128.39.89 128.39.74 128.39.75 2001:700:700 )

  TrustKeysFrom = ( 128.39.89  128.39.74 2001:700:700: )
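As an added example (not cfservd's own code), a model of how a list like the AllowConnectionsFrom entries above can be applied to a mixed client population: an IPv4-mapped address is unwrapped before comparison so the plain IPv4 entries cover it, while a native IPv6 client only matches through an IPv6 entry. The ALLOW list copies the entries from the configuration above; how cfservd itself compares entries is not stated on this page, and matching on whole octets/hextets is this example's own choice.

```python
import ipaddress

# The AllowConnectionsFrom entries from the cfservd.conf fragment above.
ALLOW = ["128.39.89", "128.39.74", "128.39.75", "2001:700:700"]

def unmap(addr: str):
    """Return the address an access rule should be compared against.

    An IPv4 client arriving on an IPv6 socket is seen as ::ffff:a.b.c.d;
    unwrap it so the IPv4 entries in the list apply to it. Anything else
    (native IPv4 or native IPv6) is returned unchanged.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def _entry_parts(entry: str):
    """Split a list entry into (version, leading groups). A trailing ':' or
    '.' (as in the TrustKeysFrom line above) is tolerated; '::' compression
    is not expected inside a prefix entry."""
    if ":" in entry:
        return 6, [int(g, 16) for g in entry.rstrip(":").split(":")]
    return 4, [int(g) for g in entry.rstrip(".").split(".")]

def _addr_parts(ip):
    sep, base = (":", 16) if ip.version == 6 else (".", 10)
    return [int(g, base) for g in ip.exploded.split(sep)]

def entry_matches(entry: str, ip) -> bool:
    """Compare whole octets/hextets, so '128.39.7' does not cover 128.39.74."""
    version, want = _entry_parts(entry)
    return version == ip.version and _addr_parts(ip)[:len(want)] == want

def is_allowed(addr: str, allow=ALLOW) -> bool:
    """Would a connection from this peer address be accepted?"""
    ip = unmap(addr)
    return any(entry_matches(e, ip) for e in allow)

if __name__ == "__main__":
    for peer in ["::ffff:128.39.89.230",             # mapped v4 client
                 "2001:700:700:4:290:27ff:fe93:6723", # native v6 client
                 "fe80::290:27ff:fe93:6723",          # link scope, no entry
                 "::ffff:10.0.0.1"]:                  # mapped, not listed
        print(f"{peer:40} -> {is_allowed(peer)}")
```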

Reverse DNS

The designers of DNS made a huge mess of the DNS reverse lookup system, and it is even worse with IPv6. Bear in mind when coding access rules that the use of hostnames or domain-name wildcards requires reverse lookup PTR records to be properly configured in DNS.
admit:   # or grant:

   /var/cfengine/bin       *.mydomain.com
   /usr/local              *.mydomain.com

The alternative is to use numerical IP series:
admit:   # or grant:

   /var/cfengine/bin       *.mydomain.com
   /usr/local              *.mydomain.com 2001:700:70* 128.39.89*

Unexplained behaviour with FreeBSD

When binding to an IPv6 wildcard socket, FreeBSD doesn't accept IPv4 connections on that port. This can be changed by
sudo sysctl -w net.inet6.ip6.v6only=0
or add
net.inet6.ip6.v6only=0
to /etc/sysctl.conf and reboot.