Re: little bit off topic CLAT-Daemon for 464xlat for "Linux" (not android)



* Thomas Schäfer

echo 1 > /proc/sys/net/ipv6/conf/eth0/proxy_ndp
ip -6 neigh add proxy 2001:6f8:120c::c1a7 dev eth0

Aha, so that's how it's done. Yep, this'll work, although it isn't
strictly RFC compliant, which demands that the IPv6 address you pick
must be «defended with Duplicate Address Detection».

Back to the original intention. Is it useful to integrate this in the
NetworkManager on "normal" Linux-Desktops?

I would find 464XLAT a useful addition, yes. Although I'm not really
sure if doing it with TAYGA would be optimal, as it doesn't appear to
have seen any development in the last three years. I would have
preferred to see an in-kernel implementation of SIIT, I think.

It would probably be possible to implement it as a dispatcher script
though. You'd have to figure out:

1) If there's native IPv4 connectivity present (in which case you don't
need 464XLAT). This might be more tricky than it sounds; I believe the
dispatcher scripts get run as soon as NM considers the connection to be
up, which might be before IPv4 has completed (if IPV4_FAILURE_FATAL=no).

2) If there's NAT64 present. Probably the easiest way to do that is to
look up the AAAA records for a known IPv4-only host-name and see if you
get a DNS64-generated record back. If you know what the IPv4 address is
supposed to be you can infer what the NAT64 prefix is.

Once you know that, you're good to go. However, a proper implementation
is more tricky on Ethernet than on 3GPP mobile broadband, for several
reasons:

- As described above, you're supposed to run DAD for the IPv6 address
used. Not sure if you can make the kernel do that for a proxied address.
Maybe libndp can do it though? On 3GPP, however, the architecture
guarantees that you're alone in your delegated /64, so you can safely
pick any address (that you're not already using), and forego DAD altogether.

- If we can rely on all 3GPP modems that are operating in fake Ethernet
mode to do blind forwarding of all IPv6 traffic to the MAC address of
the fake Ethernet interface without doing NS for them first (my HP
hs2350 a.k.a. Ericsson F5321gw behaves like that), you don't have to
muck about with ND proxy at all.

- You can only grab an arbitrary IPv6 address for the CLAT if SLAAC is
in use. The 3GPP architecture guarantees that is the case. On Ethernet
however you might be faced with networks not using SLAAC for address
assignments, and where this is the case you would need to obtain the
CLAT's IPv6 address through other means like DHCPv6 IA_PD or IA_NA.

That said, we'd have to learn to walk before we run... As it happens, NM
doesn't support IPv6 on mobile broadband *at all* - the IPv4 tab is
simply missing (see bgo#682623). It is possible to make it work though,
when I use "mmcli --simple-connect" (thanks Bjørn for this tip!) NM will
manage connectivity on the fake Ethernet interface just as if it was a
real wired one, which includes setting up IPv6. The only minor drawback
is that NM doesn't appear to know that it is indeed a mobile broadband
link, so the systray applet shows the icon for a normal wired ethernet
rather than the one you'd normally see for mobile broadband, so there's
no signal level indicator or anything like that.

While I believe that 464XLAT is most useful on 3GPP mobile links (that's
what it was designed for, after all), it would be cool to have NM
support it on Ethernet as well. That would certainly result in thumbs up
during the next FOSDEM meeting. :-)

Tore
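
The NAT64 prefix inference described in step 2 above, as an added example that is not part of the original message: given the AAAA answer for a host name known to be IPv4-only and that host's real IPv4 address, it tries each RFC 6052 embedding position. The function name and the sample answers are constructed for illustration; 64:ff9b::/96 with 192.0.0.170 corresponds to the RFC 7050 name ipv4only.arpa, which the message does not mention.

```python
import ipaddress

# RFC 6052 prefix lengths. Every embedding shorter than /96 skips
# bits 64-71 (byte 8, the reserved "u" octet).
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)


def infer_nat64_prefixes(aaaa, known_ipv4):
    """Return every RFC 6052 prefix under which `aaaa` embeds `known_ipv4`.

    An empty list means the AAAA record was not synthesised by DNS64
    for this IPv4 address, so no NAT64 prefix can be inferred from it.
    """
    v6 = ipaddress.IPv6Address(aaaa).packed
    v4 = ipaddress.IPv4Address(known_ipv4).packed
    matches = []
    for plen in PREFIX_LENGTHS:
        start = plen // 8
        if plen == 96:
            embedded = v6[12:16]
        else:
            if v6[8] != 0:               # reserved octet must be zero
                continue
            squeezed = v6[:8] + v6[9:]   # drop the u octet, then slice
            embedded = squeezed[start:start + 4]
        if embedded == v4:
            prefix = v6[:start] + bytes(16 - start)
            matches.append(ipaddress.IPv6Network((prefix, plen)))
    return matches


# Constructed sample answers: (AAAA record seen, IPv4 address expected)
SAMPLES = [
    ("64:ff9b::c000:aa", "192.0.0.170"),              # well-known /96
    ("2001:db8:122:344:c0:2:2100::", "192.0.2.33"),   # network-specific /64
    ("2001:db8::1", "192.0.0.170"),                   # native AAAA, no DNS64
]

if __name__ == "__main__":
    for aaaa, v4 in SAMPLES:
        found = infer_nat64_prefixes(aaaa, v4)
        print(aaaa, "->", [str(n) for n in found] or "no NAT64 detected")
```

A dispatcher script would feed this the result of a real AAAA lookup and skip CLAT setup when the list comes back empty.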

