
doc: add some examples for IPv6 NAT configuration

Message ID 20200812012147.7123-1-iwienand@redhat.com
State Accepted
Commit d3ac12e3a1c01d1205b4db3f6cd640f3da98579b
Series: doc: add some examples for IPv6 NAT configuration

Commit Message

Ian Wienand Aug. 12, 2020, 1:21 a.m. UTC
Add some expanded examples for the nat ipv6 introduced with
927acaedec7effbe67a154d8bfa0e67f7d08e6c7.

Unfortunately while for IPv4 it's well-known what address ranges are
useful for NAT, with IPv6 unless you enjoy digging through RFCs going
back-and-forth over unique local addresses and the meaning of the word
"site" it's generally much less obvious.  I've tried to add some
details on choosing a range in line with RFC 4193 and then some
pointers for when it maybe doesn't work in the guest as you first
expect despite you doing what the RFCs say!

Signed-off-by: Ian Wienand <iwienand@redhat.com>

---
 docs/formatnetwork.html.in | 47 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

-- 
2.26.2
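The commit message refers to choosing a prefix in line with RFC 4193, whose section 3.2.2 gives a fallback algorithm for the 40-bit Global ID (the fdXX:XXXX:XXXX part) when no good randomness is available. The following is an added example, not part of this patch and not libvirt's code: it implements that algorithm, fills in the 16-bit Subnet ID, and builds the dual-stack NAT `<network>` definition with an XML library so the result is guaranteed well-formed before it reaches `virsh net-define`. The MAC address used as the EUI-64 source, the network and bridge names, and giving the bridge the `::1` address of the subnet are assumptions made for illustration.

```python
"""Pick an RFC 4193 ULA prefix and emit a well-formed libvirt IPv6 NAT network.

Added example, not libvirt code.  Implements the Global ID algorithm of
RFC 4193 section 3.2.2 and assembles the <network> XML around the result.
Assumptions (illustrative only): the MAC used as EUI-64 source, the
network/bridge names, and giving the bridge the ::1 address of the subnet.
"""
import hashlib
import ipaddress
import struct
import time
import xml.etree.ElementTree as ET

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def ntp_timestamp(unix_time):
    """64-bit NTP timestamp: 32-bit seconds since 1900 || 32-bit fraction."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack(">II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def mac_to_eui64(mac):
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def rfc4193_global_id(eui64, unix_time):
    """RFC 4193 3.2.2 steps 3-5: SHA-1(NTP time || EUI-64), keep the low 40 bits.

    Only needed when no good randomness is available; on a normal host
    secrets.randbits(40) is the simpler and better choice.
    """
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id):
    """fd00::/8 (L bit set: locally assigned) || 40-bit Global ID -> the site /48."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must be a 40-bit value")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ula_subnet(prefix, subnet_id):
    """Fill in the 16-bit Subnet ID (the NNNN in fdXX:XXXX:XXXX:NNNN::) -> a /64."""
    prefix = ipaddress.IPv6Network(str(prefix))
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def is_locally_assigned_ula(net):
    """True only for fd00::/8; fc00::/8 (L bit clear) is reserved, not for local use."""
    return ipaddress.IPv6Network(str(net), strict=False).subnet_of(
        ipaddress.IPv6Network("fd00::/8"))


def is_well_formed(xml):
    """Parse check to run on any hand-edited definition before virsh net-define."""
    try:
        ET.fromstring(xml)
        return True
    except ET.ParseError:
        return False


def libvirt_nat_network_xml(name, bridge, v4_cidr, v6_subnet):
    """Dual-stack NAT <network> definition, built with ElementTree so every
    element is closed and every attribute quoted."""
    v4 = ipaddress.IPv4Network(str(v4_cidr))
    v6 = ipaddress.IPv6Network(str(v6_subnet))
    hosts = list(v4.hosts())  # first host for the bridge, the rest for DHCP
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    ET.SubElement(net, "bridge", name=bridge)
    fwd = ET.SubElement(net, "forward", mode="nat")
    nat = ET.SubElement(fwd, "nat", ipv6="yes")
    ET.SubElement(nat, "port", start="1024", end="65535")
    ip4 = ET.SubElement(net, "ip", address=str(hosts[0]), netmask=str(v4.netmask))
    dhcp = ET.SubElement(ip4, "dhcp")
    ET.SubElement(dhcp, "range", start=str(hosts[1]), end=str(hosts[-1]))
    ET.SubElement(net, "ip", family="ipv6",
                  address=str(v6.network_address + 1), prefix=str(v6.prefixlen))
    return ET.tostring(net, encoding="unicode")


def network_xml_summary(xml):
    """The fields that decide whether IPv6 NAT will actually be set up."""
    root = ET.fromstring(xml)
    nat = root.find("forward[@mode='nat']/nat")
    ip6 = root.find("ip[@family='ipv6']")
    return {
        "ipv6_nat": None if nat is None else nat.get("ipv6"),
        "ipv6_address": None if ip6 is None else ip6.get("address"),
        "ipv6_prefix": None if ip6 is None else ip6.get("prefix"),
    }


if __name__ == "__main__":
    eui = mac_to_eui64("52:54:00:12:34:56")   # constructed MAC, not a real host
    site = ula_prefix(rfc4193_global_id(eui, time.time()))
    lan = ula_subnet(site, 1)
    print(f"site prefix {site}, guest subnet {lan}")
    print(libvirt_nat_network_xml("default6", "virbr0", "192.168.122.0/24", lan))
```

`is_locally_assigned_ula` is the check to run on a prefix someone typed by hand: the RFC reserves fc00::/8 (L bit clear) for future central assignment, so only fd00::/8 is yours to pick from, and a typo such as `fc..` will silently give you an address that is not a locally assigned ULA. `is_well_formed` catches an unclosed element or unquoted attribute before libvirt does.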

Comments

Ian Wienand Sept. 8, 2020, 8:55 p.m. UTC | #1
Gentle ping on this; thanks

-i

On Wed, Aug 12, 2020 at 11:21:47AM +1000, Ian Wienand wrote:
> Add some expanded examples for the nat ipv6 introduced with
> 927acaedec7effbe67a154d8bfa0e67f7d08e6c7.
> 
> Unfortunately while for IPv4 it's well-known what address ranges are
> useful for NAT, with IPv6 unless you enjoy digging through RFCs going
> back-and-forth over unique local addresses and the meaning of the word
> "site" it's generally much less obvious.  I've tried to add some
> details on choosing a range in line with RFC 4193 and then some
> pointers for when it maybe doesn't work in the guest as you first
> expect despite you doing what the RFCs say!
> 
> Signed-off-by: Ian Wienand <iwienand@redhat.com>
> ---
>  docs/formatnetwork.html.in | 47 ++++++++++++++++++++++++++++++++++++++
>  1 file changed, 47 insertions(+)
> 
> diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
> index fb740111b1..94a4cab4d1 100644
> --- a/docs/formatnetwork.html.in
> +++ b/docs/formatnetwork.html.in
> @@ -1209,6 +1209,53 @@
>    &lt;/ip&gt;
>  &lt;/network&gt;</pre>
>  
> +    <h3><a id="examplesNATv6">IPv6 NAT based network</a></h3>
> +
> +    <p>
> +      Below is a variation for also providing IPv6 NAT.  This can be
> +      especially useful when using multiple interfaces where some,
> +      such as WiFi cards, can not be bridged (usually on a laptop),
> +      making it difficult to provide end-to-end IPv6 routing.
> +    </p>
> +
> +    <pre>
> +&lt;network&gt;
> +  &lt;name&gt;default6&lt;/name&gt;
> +  &lt;bridge name="virbr0"/&gt;
> +  &lt;forward mode="nat"&gt;
> +    &lt;nat ipv6='yes'&gt;
> +      &lt;port start='1024' end='65535'/&gt;
> +    &lt;/nat&gt;
> +
> +  &lt;ip address="192.168.122.1" netmask="255.255.255.0"&gt;
> +    &lt;dhcp&gt;
> +      &lt;range start="192.168.122.2" end="192.168.122.254"/&gt;
> +    &lt;/dhcp&gt;
> +  &lt;/ip&gt;
> +  &lt;ip family="ipv6" address="fdXX:XXXX:XXXX:NNNN:: prefix="64"/&gt;
> +  &lt;/ip&gt;
> +&lt;/network&gt;</pre>
> +
> +    <p>IPv6 NAT addressing has some caveats over the more straight
> +    forward IPv4 case.
> +    <a href="https://tools.ietf.org/html/rfc4193">RFC 4193</a>
> +    defines the address range <tt>fd00::/8</tt> for <tt>/48</tt> IPv6
> +    private networks.  It should be concatenated with a random 40-bit
> +    string (i.e. 10 random hexadecimal digits replacing the <tt>X</tt>
> +    values above, RFC 4193 provides
> +    an <a href="https://tools.ietf.org/html/rfc4193#section-3.2.2">algorithm</a>
> +    if you do not have a source of sufficient randomness).  This
> +    leaves <tt>0</tt> through <tt>ffff</tt> for subnets (<tt>N</tt>
> +    above) which you can use at will.</p>
> +
> +    <p>Many operating systems will not consider these addresses as
> +    preferential to IPv4, due to some practial history of these
> +    addresses being present but unroutable and causing networking
> +    issues.  On many Linux distributions, you may need to
> +    override <tt>/etc/gai.conf</tt> with values
> +    from <a href="https://www.ietf.org/rfc/rfc3484.txt">RFC 3484</a>
> +    to have your IPv6 NAT network correctly preferenced over IPv4.</p>
> +
>      <h3><a id="examplesRoute">Routed network config</a></h3>
>  
>      <p>
> -- 
> 2.26.2
>
Michal Prívozník Sept. 9, 2020, 2:35 p.m. UTC | #2
On 8/12/20 3:21 AM, Ian Wienand wrote:
> Add some expanded examples for the nat ipv6 introduced with
> 927acaedec7effbe67a154d8bfa0e67f7d08e6c7.
> 
> Unfortunately while for IPv4 it's well-known what address ranges are
> useful for NAT, with IPv6 unless you enjoy digging through RFCs going
> back-and-forth over unique local addresses and the meaning of the word
> "site" it's generally much less obvious.  I've tried to add some
> details on choosing a range in line with RFC 4193 and then some
> pointers for when it maybe doesn't work in the guest as you first
> expect despite you doing what the RFCs say!
> 
> Signed-off-by: Ian Wienand <iwienand@redhat.com>
> ---
>   docs/formatnetwork.html.in | 47 ++++++++++++++++++++++++++++++++++++++
>   1 file changed, 47 insertions(+)
> 

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>


and pushed. Congratulations on your first libvirt contribution!

Michal

Patch

diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index fb740111b1..94a4cab4d1 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -1209,6 +1209,53 @@ 
   &lt;/ip&gt;
 &lt;/network&gt;</pre>
 
+    <h3><a id="examplesNATv6">IPv6 NAT based network</a></h3>
+
+    <p>
+      Below is a variation for also providing IPv6 NAT.  This can be
+      especially useful when using multiple interfaces where some,
+      such as WiFi cards, can not be bridged (usually on a laptop),
+      making it difficult to provide end-to-end IPv6 routing.
+    </p>
+
+    <pre>
+&lt;network&gt;
+  &lt;name&gt;default6&lt;/name&gt;
+  &lt;bridge name="virbr0"/&gt;
+  &lt;forward mode="nat"&gt;
+    &lt;nat ipv6='yes'&gt;
+      &lt;port start='1024' end='65535'/&gt;
+    &lt;/nat&gt;
+
+  &lt;ip address="192.168.122.1" netmask="255.255.255.0"&gt;
+    &lt;dhcp&gt;
+      &lt;range start="192.168.122.2" end="192.168.122.254"/&gt;
+    &lt;/dhcp&gt;
+  &lt;/ip&gt;
+  &lt;ip family="ipv6" address="fdXX:XXXX:XXXX:NNNN:: prefix="64"/&gt;
+  &lt;/ip&gt;
+&lt;/network&gt;</pre>
+
+    <p>IPv6 NAT addressing has some caveats over the more straight
+    forward IPv4 case.
+    <a href="https://tools.ietf.org/html/rfc4193">RFC 4193</a>
+    defines the address range <tt>fd00::/8</tt> for <tt>/48</tt> IPv6
+    private networks.  It should be concatenated with a random 40-bit
+    string (i.e. 10 random hexadecimal digits replacing the <tt>X</tt>
+    values above, RFC 4193 provides
+    an <a href="https://tools.ietf.org/html/rfc4193#section-3.2.2">algorithm</a>
+    if you do not have a source of sufficient randomness).  This
+    leaves <tt>0</tt> through <tt>ffff</tt> for subnets (<tt>N</tt>
+    above) which you can use at will.</p>
+
+    <p>Many operating systems will not consider these addresses as
+    preferential to IPv4, due to some practial history of these
+    addresses being present but unroutable and causing networking
+    issues.  On many Linux distributions, you may need to
+    override <tt>/etc/gai.conf</tt> with values
+    from <a href="https://www.ietf.org/rfc/rfc3484.txt">RFC 3484</a>
+    to have your IPv6 NAT network correctly preferenced over IPv4.</p>
+
     <h3><a id="examplesRoute">Routed network config</a></h3>
 
     <p>
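Review bot: the `<pre>` example added in this hunk is not well-formed XML, so anyone pasting it into `virsh net-define` gets a parse error: `<forward mode="nat">` is never closed, the IPv6 `address` attribute is missing its closing quote (`address="fdXX:XXXX:XXXX:NNNN:: prefix="64"/>`), and that self-closed `<ip .../>` is followed by a stray `</ip>`. Suggested shape: `</nat>` then `</forward>` after the port range, and `<ip family="ipv6" address="fdXX:XXXX:XXXX:NNNN::1" prefix="64"/>` with no trailing `</ip>`. Note the `::1` host part in that suggestion: the all-zero interface identifier the example gives the bridge is the Subnet-Router anycast address reserved by RFC 4291, not an address to configure on an interface. Two smaller points in the same hunk: "practial" should read "practical", and RFC 3484 has been obsoleted by RFC 6724, which is the document that actually demotes unique local addresses (fc00::/7 gets precedence 3 and label 13, below the precedence 35 given to IPv4-mapped addresses), so the gai.conf paragraph should cite RFC 6724 and spell out the `label`/`precedence` lines a user has to add, with the caveat that glibc stops using its whole built-in table as soon as any such line is present in /etc/gai.conf. Finally, the example keeps the stock default network's `virbr0` bridge and 192.168.122.0/24 range under the new name `default6`; without a sentence saying the stock `default` network must be stopped or replaced by this definition, readers will hit a bridge-name clash on `net-start`. Style nit: the block mixes single and double quotes for attributes.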