I have read "Adding a whole IPv6 /64 block to an network interface on debian". We want to make use of the AnyIP feature to add a whole IPv6 /64 subnet block to a web hosting server, but using Netplan because we are on Ubuntu 18.04.

Side note: a couple of experts have advised against using AnyIP to configure IPv6 so we will also look at alternative solutions like manually configuring a smaller number of IPs.

Our datacenter does already route the /64 to a single IP, for example:

```
The range  2001:db8:1:10::0/64  is routed to the IP  2001:db8:1::1:10
The range  2001:db8:1:11::0/64  is routed to the IP  2001:db8:1::1:11
```

In Netplan I can configure single IPs this way:

```yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      accept-ra: no
      addresses:
        - '2001:db8:1::1:10/48'
        - '2001:db8:1:10::0/64'
        - '2001:db8:1:10::1/64'
      gateway6: '2001:db8:1::1'
```

And this works. However I want to use the whole 2001:db8:1:10::/64 range on this server and I don't want to configure it in 18446744073709551616 lines.

Executing this command makes me able to ping all the /64 IPs from outside:

```sh
ip -6 route add local 2001:db8:1:10::/64 dev lo
```

Side note: a server daemon needs to support IP_FREEBIND to be able to bind to an IP which is not explicitly configured on an interface.

My question is: instead of having to execute `ip -6 route add local ..` after each reboot, I would like to configure it the proper way inside the Netplan YAML config.

  • Why do you want a single host to have `18,446,744,073,709,551,616` addresses? Also, IPv6 allows you to use every address in a subnet, including the subnet address, so assigning `1aaa:2bbb:1:10::/64` to an interface is actually only assigning that single address to the interface, not the entire subnet. – Ron Maupin Oct 23 '18 at 18:42
  • @RonMaupin It is quite common practice to add a whole /64 subnet to a single web hosting server. This makes sure you will never ever run out of IP addresses on the server. I know adding `1aaa:2bbb:1:10::/64` only adds one IP being `1aaa:2bbb:1:10::0`. The question is how to add the whole range at once. – Jeroen Vermeulen - MageHost Oct 23 '18 at 18:45
  • No, it isn't. Many people get confused because IPv6 uses the CIDR notation, e.g. `/64`, rather than an explicit mask, e.g. `255.255.255.0` that is the equivalent of saying `/24`, that IPv4 uses, but most servers get a single global IPv6 address. Think about it. The server must have an address on the network to which it is connected, and the gateway must also be on the same network. If you assign the entire network to the host, what network and address do you use to connect it to other networks? – Ron Maupin Oct 23 '18 at 18:50
  • We host lots of customers on one server; each one gets their own IP. This server will use the IP `1aaa:2bbb:1::1:10/48` with default gateway `1aaa:2bbb:1::1` to communicate with other networks. (end of discussion about if we should want it) – Jeroen Vermeulen - MageHost Oct 23 '18 at 18:53
  • Then you are bridging to the VMs and assigning each its own address, not assigning the network to the physical interface. How do you do it for IPv4? It is really the same thing for IPv6. By the way, you should not use example IPv6 addresses the way you do. There is a specific IPv6 range for such examples: `2001:db8::/32` that you can use subnet from for examples. – Ron Maupin Oct 23 '18 at 18:57
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/84833/discussion-between-jeroen-vermeulen-magehost-and-ron-maupin). – Jeroen Vermeulen - MageHost Oct 23 '18 at 19:01
  • IP addresses for VMs and containers need to be assigned within the guest, not on the host. The host must route the addresses to the guest. – Michael Hampton Oct 23 '18 at 19:42
  • The address you configured as `/48` looks incorrect. I believe that should have been a `/64` instead. – kasperd Oct 23 '18 at 20:16
  • @MichaelHampton There are no VMs involved. This is shared hosting. – Jeroen Vermeulen - MageHost Oct 23 '18 at 20:31
  • In that case you're just fine to route the whole block to `lo`. Just be aware of it if you do start hosting containers or VMs in future. – Michael Hampton Oct 23 '18 at 20:42

1 Answer

Found a solution, but maybe someone knows a better one?

```sh
cat <<EOF > /usr/lib/networkd-dispatcher/routable.d/50-ipv6-block
#!/bin/sh
ip -6 route add local 2001:db8:1:10::/64 dev lo
exit 0
EOF

chmod 755 /usr/lib/networkd-dispatcher/routable.d/50-ipv6-block
```

To check if it works:

```sh
ip -6 route del local 2001:db8:1:10::/64
netplan apply
systemctl --no-pager status networkd-dispatcher.service
route -6 | grep 2001:db8:1:10::/64
ping6 -c2 2001:db8:1:10::1234
```

If you see `RTNETLINK answers: File exists`, this is because a route is added which already existed because of an earlier `netplan apply`.

kasperd
  • That is adding a route, not the addresses to a host. There is a big difference. Routing will send a packet to the network with the host having the destination address on a packet, but assigning an address to an interface means that the payload for a packet received on that interface will be handled by the network stack assigned to the interface. – Ron Maupin Oct 23 '18 at 20:22
  • My question is to use the [AnyIP](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ab79ad14a2d51e95f0ac3cef7cd116a57089ba82) feature, and adding a route is the way to do that. – Jeroen Vermeulen - MageHost Oct 23 '18 at 20:30
  • "_However I want to use the whole 2001:db8:1:10::/64 range on this server and I don't want to configure it in 18446744073709551616 lines._" That would be assigning addresses to the host, and you are asking about assigning to the host, but you are actually adding a route on the host, not assigning the network to the host. Based on how you asked the question, it sounds like you are confused about how it works. It is routing the packets, not assigning addresses to the server. – Ron Maupin Oct 23 '18 at 20:34
  • @RonMaupin Routes of type `local` are special. The documentation for type `local` says this: **the destinations are assigned to this host. The packets are looped back and delivered locally.** So it really does behave like every one of the IPs in the range are assigned to the host. Only caveat is that applications have to set a socket option before being able to bind to them explicitly. (Sockets listening on `::` will receive connections on every IP address in the range.) – kasperd Oct 23 '18 at 21:47
  • Since no other answer has shown up I am going to award the bounty to this one. If you are still looking for a better answer you can use that reputation to start a new bounty. – kasperd Nov 01 '18 at 20:28
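
An added example (not part of the original question, answer or comments): a Python audit of which listeners the AnyIP route exposes, following the point above that sockets listening on `::` receive connections on every address in the range. The `ip` and `ss` outputs are constructed samples and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ip -6 route show table local` once the AnyIP route exists.
ROUTES = """\
local ::1 dev lo proto kernel metric 0 pref medium
local 2001:db8:1::1:10 dev eth0 proto kernel metric 0 pref medium
local 2001:db8:1:10::/64 dev lo metric 1024 pref medium
"""

# Constructed sample of `ss -H -6 -ltn` (state, queues, local addr:port, peer).
LISTENERS = """\
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 [2001:db8:1:10::a]:443 [::]:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 511 *:80 *:*
"""


def anyip_prefixes(route_text):
    """Networks wider than one address that a `local` route delivers to this host."""
    nets = []
    for line in route_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "local":
            net = ipaddress.ip_network(fields[1], strict=False)
            if net.prefixlen < net.max_prefixlen:
                nets.append(net)
    return nets


def exposure(route_text, ss_text):
    """Map each listener to the AnyIP prefixes on which it accepts connections."""
    nets = anyip_prefixes(route_text)
    report = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.split("%")[0].strip("[]")  # drop zone id and brackets
        if host in ("*", "::"):
            # Wildcard socket: answers on every address of every AnyIP prefix.
            report.append((int(port), "all", [str(n) for n in nets]))
        else:
            hit = [str(n) for n in nets if ipaddress.ip_address(host) in n]
            if hit:  # bound (via IP_FREEBIND) to one address inside the prefix
                report.append((int(port), host, hit))
    return report
```

On a live host, pass the real output of `ip -6 route show table local` and `ss -H -6 -ltn` instead of the samples; any port reported with `all` is reachable on the entire routed /64 and needs firewall rules that cover the whole prefix.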