
IPv6 communication

The Barefoot distribution has IPv6 support. With both IPv4 and IPv6 supported, many different configurations are possible, such as allowing IPv4-only clients to talk to an IPv6 server. This page describes how to configure the Barefoot server for IPv6.

Communicating via IPv6

IPv6 in the Barefoot server is to a large extent handled automatically, based on the address types found in the server configuration file, but there are some factors that should be considered, depending on the usage scenario.

IPv4-only configurations

Barefoot configurations that only use IPv4-addresses in their barefootd.conf file will generally not need to consider IPv6. IPv4 rules will forward client requests from IPv4 addresses while IPv6 traffic will be blocked unless there are specific IPv6 rules that allow IPv6 clients.

Note that if any rules are specified using hostnames or interface names, rather than IPv4-addresses, the hostnames or interface names might expand to IPv6 addresses. In this case, you do not have an IPv4-only configuration, and should take care to understand the implications that IPv6 support in Barefoot has for your configuration.

The only change that might be desirable in IPv4-only usage scenarios applies when Barefoot's client rules or external interfaces are specified in barefootd.conf using interface names (e.g., eth0) or hostnames (e.g., barefootd-ext.example.com).

The Barefoot server will by default use all addresses found on an interface if the interface is specified by its name (rather than by one of its IP-addresses). If the interface has one or more IPv6 addresses, this will result in the Barefootd server also using the IPv6 addresses.

Unless the client rules in the barefootd.conf file are changed to also pass IPv6 traffic, or Barefootd's ACL rules include hostnames that resolve to IPv6-addresses, all connections made to any IPv6 address will however be blocked, so this should have no practical security-related consequences. If the server should only listen on IPv4 addresses, the pass rules in the barefootd.conf file should, for clarity and where possible, explicitly specify the IPv4 address the server should bind to, instead of using an interface name or hostname.

Similarly, the external keyword in the barefootd.conf file should explicitly specify the IPv4 address the server should bind to on the external side, instead of using the interface or hostname. This will prevent Barefootd from opening any IPv6 connections.

Only the 0.0.0.0/0 wildcard address should be used when an IPv4 wildcard is needed. In contrast, the new 0/0 wildcard address matches both IPv4 and IPv6 addresses and should be avoided in IPv4-only configurations.
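
A check for the IPv4-only guidance above, as an added example (not part of the Barefoot distribution or its documentation): it scans a barefootd.conf for address values that are not explicit IPv4 addresses. The regular-expression field matcher is a simplification rather than Barefoot's own parser, and the sample configuration is constructed.

```python
import ipaddress
import re

# Constructed sample barefootd.conf for a host that is meant to be IPv4-only.
SAMPLE_CONF = """\
external: eth0
client pass { from: 0/0 to: eth1 port = http
              bounce to: www.example.org port = http
              protocol: tcp
}
client pass { from: 0.0.0.0/0 to: 10.0.0.1 port = http
              bounce to: 192.0.2.10 port = http
              protocol: tcp
}
"""

# Simplified matcher (an assumption, not Barefoot's parser): an address
# keyword followed by the first token after the colon.
FIELD = re.compile(r"\b(external|bounce to|from|to)\s*:\s*(\S+)")

def classify(value):
    """Say which address family a configured address value can yield."""
    if value == "0/0":
        return "dual-wildcard"   # matches both IPv4 and IPv6
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "name"            # interface or hostname: may expand to IPv6
    if net.version == 4:
        return "ipv4"
    if net.network_address.ipv4_mapped is not None:
        return "ipv4-mapped"     # should not appear in the configuration
    return "ipv6"

def audit_ipv4_only(conf_text):
    """Return (line, keyword, value, kind) for every non-IPv4 address value."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop comments
        for key, value in FIELD.findall(line):
            kind = classify(value)
            if kind != "ipv4":
                findings.append((lineno, key, value, kind))
    return findings

if __name__ == "__main__":
    for lineno, key, value, kind in audit_ipv4_only(SAMPLE_CONF):
        print(f"line {lineno}: '{key}: {value}' is {kind}, not an explicit IPv4 address")
```

A "name" finding is a prompt to check what the interface or hostname currently expands to, not proof that IPv6 is in use.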

Mixed IPv4/IPv6 configurations

For a Barefootd server to accept requests on both IPv4 and IPv6 addresses, a client pass rule must either specify a network interface that has both types of addresses, or multiple rules with different address types must be used.

#accept ipv4/ipv6 connections on interface eth1, port 80
client pass { from: 0/0 to: eth1 port = http
              bounce to: www.example.org port = http
              protocol: tcp
              log: connect disconnect error
}

The above is an example of a configuration that uses an interface name and will accept connections from both IPv4 and IPv6 clients, as long as the interface has both types of addresses.

#accept ipv4 connections on 10.0.0.1, port 80
client pass { from: 0/0 to: 10.0.0.1 port = http
              bounce to: www.example.org port = http
              protocol: tcp
              log: connect disconnect error
}

#accept ipv6 connections on fc00::01, port 80
client pass { from: 0/0 to: fc00::01 port = http
              bounce to: www.example.org port = http
              protocol: tcp
              log: connect disconnect error
}

The above configuration uses two separate rules to handle both IPv4 and IPv6; one for IPv4 and one for IPv6, with the addresses specified explicitly.

IPv6-only configurations

As with the IPv4-only configurations, allowing only IPv6 clients to connect can be achieved by using rules that only match IPv6 addresses and fully specifying the IPv6 addresses that the server should bind to in the pass rules and external interfaces, rather than using interface names/hostnames.

Specifying an interface name in the to field of a client pass rule will result in the Barefoot server listening to both IPv4 and IPv6 addresses, if that interface has both types of addresses, as noted above.

No IPv4 clients will however be accepted unless the client pass rules in the configuration file also allow access by clients using IPv4 addresses.

Additional notes

  • IPv6 addresses can be specified in several different ways, as is usual for IPv6 addresses. All the following lines refer to the same (any/wildcard) address and are all valid addresses for use in Barefoot configuration files:

    ::
    ::0
    0::0
    0:0:0:0:0:0:0:0
    0000:0000:0000:0000:0000:0000:0000:0000 
    
  • IPv4-mapped IPv6 addresses are mapped internally in the Barefoot server to IPv4 addresses and access control is done on the IPv4 address. There should never be any reason to specify IPv4-mapped IPv6 addresses anywhere in the Barefoot configuration file, and Barefoot will complain if an attempt is made.

  • Barefoot has fully implemented IPv6, with this exception:
    • The TCP Option 28 hostid code, which only supports IPv4 addresses.

Copyright © 1998-2024 Inferno Nettverk A/S