IPv6 communication
The Barefoot distribution has IPv6 support, and with both IPv4 and
IPv6 supported, many different configurations are possible, such as
allowing IPv4-only clients to talk to an IPv6 server. This page
describes how to configure the Barefoot server for IPv6.
Communicating via IPv6
IPv6 in the Barefoot server is to a large extent handled
automatically, based on the address types found in the server
configuration file, but there are some factors that should be
considered, depending on the usage scenario.
IPv4-only configurations
Barefoot configurations that only use IPv4 addresses in their
barefootd.conf file will generally not need to consider IPv6. IPv4
rules will forward client requests from IPv4 addresses, while IPv6
traffic will be blocked unless there are specific IPv6 rules that
allow IPv6 clients.
Note that if any rules are specified using hostnames or interface
names rather than IPv4 addresses, the hostnames or interface names
might expand to IPv6 addresses. In this case you do not have an
IPv4-only configuration, and should take care to understand the
implications that IPv6 support in Barefoot has for your configuration.
The only change that might be desirable in IPv4-only usage
scenarios concerns configurations where either Barefoot's client
rules or its external interfaces are specified in barefootd.conf
using interface names (e.g., eth0) or hostnames
(e.g., barefootd-ext.example.com).
The Barefoot server will by default use all addresses found on
an interface if the interface is specified by its name (rather
than by one of its IP addresses). If the interface has one or
more IPv6 addresses, this will result in the Barefoot server
also listening on the IPv6 addresses.
Unless the client rules in barefootd.conf are changed to also
pass IPv6 traffic, or include hostnames that resolve to
IPv6 addresses, all connections made to any IPv6 address will
be blocked even though the server listens on it, so this should
have no practical security consequences. If the intent is to
listen on IPv4 addresses only, the pass rules in barefootd.conf
should nevertheless, for clarity and where possible, explicitly
specify the IPv4 address the server should bind to, instead of
using an interface name or hostname.
Similarly, the external keyword in barefootd.conf should
explicitly specify the IPv4 address the server should bind to
on the external side, instead of an interface name or hostname.
This will prevent Barefoot from opening any IPv6 connections.
Only the 0.0.0.0/0 wildcard address should be used when
an IPv4 wildcard is needed. In contrast, the newer 0/0
wildcard address matches both IPv4 and IPv6 addresses and should
be avoided in IPv4-only configurations.
Mixed IPv4/IPv6 configurations
For a Barefoot server to accept requests on both IPv4 and IPv6
addresses, either a network interface that has both types of
addresses must be specified in a client pass rule, or multiple
rules with different address types must be used.
#accept ipv4/ipv6 connections on interface eth1, port 80
client pass { from: 0/0 to: eth1 port = http
bounce to: www.example.org port = http
protocol: tcp
log: connect disconnect error
}
The above is an example of a configuration that uses an interface
name and will accept connections from both IPv4 and IPv6 clients,
as long as the interface has both types of addresses.
#accept ipv4 connections on 10.0.0.1, port 80
client pass { from: 0/0 to: 10.0.0.1 port = http
bounce to: www.example.org port = http
protocol: tcp
log: connect disconnect error
}
#accept ipv6 connections on fc00::01, port 80
client pass { from: 0/0 to: fc00::01 port = http
bounce to: www.example.org port = http
protocol: tcp
log: connect disconnect error
}
The above configuration uses two separate rules to handle IPv4
and IPv6, one for each address family, with the addresses
specified explicitly.
IPv6-only configurations
As with IPv4-only configurations, allowing only IPv6
clients to connect can be achieved by using rules that only
match IPv6 addresses, and by fully specifying the IPv6 addresses
that the server should bind to in the pass rules and external
interfaces, rather than using interface names or hostnames.
Specifying an interface name in the to field of a client
pass rule will result in the Barefoot server listening
on both IPv4 and IPv6 addresses if that interface has both
types of addresses, as noted above.
No IPv4 clients will however be accepted unless the client
pass rules in the configuration file also allow access by
clients using IPv4 addresses.
Additional notes
IPv6 addresses can be specified in several different ways,
as is usual for IPv6 addresses. All the following lines refer
to the same (any/wildcard) address and are all valid addresses
for use in Barefoot configuration files:
::
::0
0::0
0:0:0:0:0:0:0:0
0000:0000:0000:0000:0000:0000:0000:0000
IPv4-mapped IPv6 addresses are mapped internally in
the Barefoot server to IPv4 addresses, and access control is
done on the IPv4 address. There should never be any reason to
specify IPv4-mapped IPv6 addresses anywhere in the Barefoot
configuration file, and Barefoot will complain if an attempt
is made.
- Barefoot has fully implemented IPv6, with this exception:
- The TCP Option 28 hostid code, which only supports IPv4 addresses.
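The IPv4-only section above recommends explicit IPv4 addresses over interface names, hostnames and the 0/0 wildcard, and the note above says IPv4-mapped IPv6 addresses are rejected. The following is an added example, not code from the Barefoot distribution: a small linter that scans a barefootd.conf for the from:, to: and external: keywords shown on this page and reports every value that is not a plain IPv4 address. It assumes a barefootd.conf subset (only the three keywords, bounce to: skipped as the bounce target), uses a naming heuristic to tell interface names from hostnames (assumption: interface names contain no dot), and runs on a constructed sample configuration embedded in the block.

```python
"""Lint a barefootd.conf for address specifications that would implicitly
enable IPv6 in a configuration meant to be IPv4-only.

Added example; not part of Barefoot.  It understands only the from:, to:
and external: keywords from the configuration fragments on this page.
"""
import ipaddress

# Keywords whose value is an address the server binds to or matches on.
KEYWORDS = {"from:", "to:", "external:"}


def classify(value):
    """Return (family, note) for one address token from barefootd.conf."""
    if value == "0/0":
        return "any", "0/0 matches IPv4 and IPv6; use 0.0.0.0/0 for IPv4 only"
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        # Not an address literal: assumption that interface names have no
        # dot, while hostnames do.  Both expand to every address they carry.
        kind = "hostname" if "." in value else "interface"
        return kind, f"{kind} expands to all its addresses, IPv6 included"
    if net.version == 4:
        return "ipv4", "ok"
    mapped = net.network_address.ipv4_mapped
    if mapped is not None:
        return "ipv6", f"IPv4-mapped address; Barefoot rejects it, use {mapped}"
    return "ipv6", "IPv6 literal"


def lint(conf_text):
    """Return (lineno, keyword, value, family, note) for every non-IPv4 value."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        for i, tok in enumerate(tokens):
            if tok not in KEYWORDS or i + 1 >= len(tokens):
                continue
            if tok == "to:" and i > 0 and tokens[i - 1] == "bounce":
                continue  # bounce target, not an address the server binds
            value = tokens[i + 1]
            family, note = classify(value)
            if family != "ipv4":
                findings.append((lineno, tok, value, family, note))
    return findings


def is_ipv4_only(conf_text):
    """True when no address specification can pull in IPv6."""
    return not lint(conf_text)


# Constructed sample configuration (not a real deployment).
SAMPLE_CONF = """\
# constructed sample barefootd.conf
external: eth0
client pass { from: 0/0 to: eth1 port = http
    bounce to: www.example.org port = http
    protocol: tcp
}
client pass { from: 0.0.0.0/0 to: 10.0.0.1 port = http
    bounce to: 10.0.0.2 port = http
}
client pass { from: ::ffff:192.0.2.10 to: fc00::1 port = http
    bounce to: www.example.org port = http
}
"""

if __name__ == "__main__":
    for lineno, keyword, value, family, note in lint(SAMPLE_CONF):
        print(f"line {lineno}: {keyword} {value} [{family}] {note}")
    print("IPv4-only:", is_ipv4_only(SAMPLE_CONF))
```

Only the second rule in the sample passes as IPv4-only: the external interface and the first rule rely on interface names and the 0/0 wildcard, and the third rule uses an IPv4-mapped address that Barefoot would refuse. Run the linter on a real barefootd.conf before declaring it IPv4-only, and treat every interface or hostname hit as something to replace with the literal IPv4 address.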