Sunday, April 10, 2016

systemd: oh, you wanted to run IPv6?

by Craig Miller


Oh, you wanted to run IPv6?
Regardless of what you think of systemd, it is coming to a Linux computer near you. But what has systemd done for IPv6? The short answer is that it has replaced, superseded, and supplanted the mature kernel IPv6 code with newer, less mature, buggier application-layer code. For reasons unknown to the author, systemd has decided to take over mundane operations, such as setting up SLAAC addresses, temporary addresses, and IPv6 routes, rather than allowing the kernel to continue these operations.

That said, since your Linux system will be (or is) running systemd, it is good to know the issues, and how to test them.

How do you get your IPv6 prefix?

Smaller organizations and home users will use PA (Provider Assigned) addressing. Depending on how much you pay your ISP, your prefix block could be changing dynamically. As a new prefix is delegated, SLAAC (Stateless Auto Address Config) will automagically renumber the hosts on your network.

Larger organizations will apply to their RIR (Regional Internet Registry) such as APNIC (Asia), RIPE (Europe), or ARIN (North America) for a PI (Provider Independent) block of addresses.

Know your environment

The first step is to understand your network environment. Large enterprises have embarked on the road of using DHCPv6 in an attempt to limit the number of IPv6 addresses assigned to each host, in order to make it easier to track users and to build ACLs (Access Control Lists). DHCPv6 is also the preferred method used by IPAM (Internet Protocol Address Management) software, as it makes host discovery easier.

Smaller organizations may opt to use SLAAC, since it is pretty much plug and play. If you have Windows machines on your network, however, you will need to run DHCPv6 at a minimum for DNS server information distribution (see Dual Stack: the good, bad, and the ugly).

Write a Test Plan

Whatever environment you are using for address distribution to your hosts, a test plan in a lab setup is always a good idea. A sample set of tests you may want to run:

  • Basic Testing
    • disable/enable interface
    • Restart systemd-networkd, are IPv6 addresses restored?
  • Virtual Machine (VM) and Container Testing (if you are using virtualization)
  • Negative testing/network attacks, such as RA flood (THC IPv6 is an excellent tool)
    • Rogue RA Testing (no, RAGuard will not stop this attack)
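
The two basic tests above can be scripted. The following is an added example, not part of the original post: it records an interface's global IPv6 addresses, bounces the link or restarts systemd-networkd, and reports any address that did not come back. The function names, the sample `ip` output and the 30-second wait are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether an interface's
# global IPv6 addresses come back after a link bounce or networkd restart.

# Print non-temporary global-scope addresses from `ip -6 -o addr show`
# output on stdin. Temporary (RFC 4941) addresses are regenerated by design.
global_v6() {
    awk '$3 == "inet6" && / scope global / && !/ temporary / { print $4 }' | sort -u
}

# Print each address in list $1 that is absent from list $2.
missing_after() {
    printf '%s\n' "$1" | while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$addr" || printf '%s\n' "$addr"
    done
}

# Live check (needs root). $1 = interface, $2 = "bounce" or "restart".
# WAIT is an assumed allowance, in seconds, for a Router Advertisement.
check_restore() {
    iface=$1 action=$2 delay=${WAIT:-30}
    before=$(ip -6 -o addr show dev "$iface" | global_v6)
    case $action in
        bounce)  ip link set dev "$iface" down; sleep 2; ip link set dev "$iface" up ;;
        restart) systemctl restart systemd-networkd ;;
        *) echo "usage: check_restore IFACE bounce|restart" >&2; return 2 ;;
    esac
    sleep "$delay"
    after=$(ip -6 -o addr show dev "$iface" | global_v6)
    lost=$(missing_after "$before" "$after")
    if [ -n "$lost" ]; then
        echo "FAIL: not restored on $iface:"; echo "$lost"; return 1
    fi
    echo "PASS: global IPv6 addresses restored on $iface"
}

# Constructed sample output (documentation prefix 2001:db8::/32) for trying
# the parser offline: before a link bounce, and after one that lost SLAAC.
SAMPLE_BEFORE='2: eth0    inet6 2001:db8:1:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr \       valid_lft 86390sec preferred_lft 14390sec
2: eth0    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:789/64 scope global temporary dynamic \       valid_lft 86390sec preferred_lft 14390sec
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'
SAMPLE_AFTER='2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

# Run the live check only when an interface and an action are given.
if [ "$#" -ge 2 ]; then check_restore "$1" "$2"; fi
```

Run it in the lab as root with an interface name and either `bounce` or `restart`; a FAIL that lists the SLAAC address while the link-local address remains indicates that global addressing was not restored.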


A few IPv6 issues with systemd

The devs at systemd (and Red Hat) have decided to re-implement functionality already in the kernel code. As a result, there are a few things which worked just fine on a non-systemd system, but do not on a modern system (systemd version 229).

  • IPv6 RA flood (THC flood_router6) causes network disconnection even after the flood ceases (systemd issue #2977)
  • Temporary addresses (RFC 4941) are broken from version 224 to 228 (systemd issue #2242)
  • After an interface disable/enable, IPv4 will reacquire an address, but IPv6 will not (other than link-local), and will remain address-less until networkd is restarted (systemd issue #2912)
  • Fails to send Router Solicitation (systemd issue #2365)
  • Unable to view DUID (DHCPv6 Identifier) on host (systemd issue #2952)
  • Bridged interfaces get IPv6 SLAAC addresses (systemd issue #2572)
  • Systemd in a VM failed to start due to RA parsing error (systemd issue #228)
  • IPv6 incorrectly not enabled on Virtuozzo containers (systemd issue #2059)
  • IPv6AcceptRouterAdvertisements=yes or unset accepts too many prefixes (systemd issue #2004)
  • Does not support DHCPv6-PD (systemd issue #1080)
  • Does not support SLAAC RDNSS (Recursive DNS Server) option (systemd issue #1079)

Upgrading to systemd distros

Be careful when upgrading systems which have not been running systemd before, where everything in the list above worked just fine because it was implemented in the kernel*. Examples of OS changes which introduce systemd are RHEL 6 to 7, CentOS 6 to 7, Ubuntu 14.04 LTS to 16.04 LTS, and Debian 7 to 8 (aka Jessie). More systemd adoption info can be found on Wikipedia.

Time will improve systemd

Like fine wine, I am sure that systemd will improve IPv6 support. After all, it took years to get where we are with the Linux kernel support today. Reviewing the issues above to see if they apply, and having a test plan, will allow you to go into IPv6/systemd with your eyes wide open.

Given the number of IPv6 issues, I would not recommend putting a systemd machine into an IPv6 production environment at this time. But perhaps you can lean on your distro provider to correct the issues which apply to your network, and we will all benefit.

Update Nov 2016 (see IPv6 & Systemd another look)

*DHCPv6 has not been implemented in the kernel


2 comments:

  1. It's amazing how many things systemd is doing nowadays. I was a bit skeptical when it appeared, but I thought that at least it would bring some kind of standard to Linux distros, regarding init scripts and the like. But every time that I see that systemd does something else that previously was done by another program, or by the kernel, it sends shivers down my spine.

    Thanks for this post: I didn't know that Windows needed DHCPv6. I've read in some RFC that you could advertise DNS servers with NDP, and that made me think that there was no real use for DHCPv6 if you already had SLAAC.

    1. I agree, and have similar feelings about systemd replacing really good working code that the kernel was doing (e.g. SLAAC).

      RFC 6106 defines RDNSS (DNS Service) in RAs. But Microsoft plays in the Enterprise market, where they use DHCPv6 to reduce the number of IPv6 addresses down to one. It makes tracking much easier.

      And for years, Linux distros ignored RFC 3315 (DHCPv6) until the advent of systemd. So it flows both ways.

      Let's hope systemd plugs the holes in their IPv6 implementation soon.
