[ipxe-devel] Fallback to IPv4 or disable IPv6
Anatoli Babenia
2018-11-01 17:40:33 UTC
Hello,

My upstream provider doesn't support IPv6. No addresses are reachable.
But my router still gives me an IPv6 address and is even able to resolve
AAAA records. Being able to resolve IPv6 address iPXE thinks that it got
IPv6 and fails, but it should try IPv4 instead.

Here is the log - https://github.com/antonym/netboot.xyz/issues/283

Is it possible to make current 133f fallback to IPv4 if IPv6 fetch fails?

Also, is there an option to disable IPv6 from Failsafe Menu? Manual
network configuration doesn't help.
--
Anatoli Babenia
shouldbe q931
2018-11-05 18:51:02 UTC
Post by Anatoli Babenia
Hello,
My upstream provider doesn't support IPv6. No addresses are reachable.
But my router still gives me an IPv6 address and is even able to resolve
AAAA records. Being able to resolve IPv6 address iPXE thinks that it got
IPv6 and fails, but it should try IPv4 instead.
Here is the log - https://github.com/antonym/netboot.xyz/issues/283
Is it possible to make current 133f fallback to IPv4 if IPv6 fetch fails?
Also, is there an option to disable IPv6 from Failsafe Menu? Manual
network configuration doesn't help.
--
Anatoli Babenia
Why not just disable RA (Router Advertisement) on your router?

It seems odd to want to modify iPXE to work around "broken" IPv6 environments?

Cheers
Michael Brown
2018-11-19 10:52:30 UTC
Post by Anatoli Babenia
My upstream provider doesn't support IPv6. No addresses are reachable.
But my router still gives me an IPv6 address and is even able to resolve
AAAA records. Being able to resolve IPv6 address iPXE thinks that it got
IPv6 and fails, but it should try IPv4 instead.
Here is the log - https://github.com/antonym/netboot.xyz/issues/283
Is it possible to make current 133f fallback to IPv4 if IPv6 fetch fails?
Also, is there an option to disable IPv6 from Failsafe Menu? Manual
network configuration doesn't help.
iPXE will query for AAAA records only if the DNS server address is
itself an IPv6 address. This is the heuristic we use to decide between
IPv6 and IPv4 when a DNS name is used.

The best solution would be to fix your router to not provide an IPv6
address, since IPv6 is not actually functional. This should also speed
up other computers on your network: they will no longer attempt IPv6
first before timing out and falling back to IPv4.

If fixing your router is not an option, then you can use an embedded
script fragment such as:

dhcp
set dns:ipv4 ${netX.dhcp/dns}

This will override any IPv6 nameserver address by explicitly setting the
DHCPv4-acquired address as the "manual" nameserver address.

Michael
Andreas Fink
2018-11-19 11:13:55 UTC
Post by Anatoli Babenia
My upstream provider doesn't support IPv6. No addresses are reachable.
But my router still gives me an IPv6 address and is even able to resolve
AAAA records. Being able to resolve IPv6 address iPXE thinks that it got
IPv6 and fails, but it should try IPv4 instead.
Here is the log - https://github.com/antonym/netboot.xyz/issues/283
Is it possible to make current 133f fallback to IPv4 if IPv6 fetch fails?
Also, is there an option to disable IPv6 from Failsafe Menu? Manual
network configuration doesn't help.
iPXE will query for AAAA records only if the DNS server address is itself an IPv6 address. This is the heuristic we use to decide between IPv6 and IPv4 when a DNS name is used.
This is not really what the idea is.

I would recommend the following logic:

1. If there is an IPv4 address only provided by the DHCP server, do IPv4 only. Consider the host "ipv4 only".
2. If there is an IPv6 address only provided by the DHCP server or through router advertisement (and it's not only link local), do IPv6 only. Consider the host "ipv6 only".
3. If the host has an IPv4 and an IPv6 address, do both. (Consider the host ipv4/ipv6 capable.)

Now to connect to the DNS:
The IP address given by DHCP to the host is either an IPv4 or an IPv6 address.

ipv4 only: Try to query DNS servers which have IPv4 addresses only. Only ask for A records.
ipv6 only: Try to query DNS servers which have IPv6 addresses only. Only ask for AAAA records.
ipv4/ipv6 capable: Try to query DNS servers which have either address and ask for A and AAAA records.


Now to talk to the remote host:

ipv4 only:
connect to the first A records. If that fails, try any subsequent A records.

ipv6 only:
connect to the first AAAA records. If that fails, try any subsequent AAAA records

ipv4/ipv6 capable:
connect to the first AAAA records. If that fails, try any subsequent AAAA records
if all AAAA records have failed, connect to the first A records. If that fails, try any subsequent A records.


This way, it always works. Trying AAAA records which are not reachable might add some delay. But as mentioned before, if you have a router announcing IPv6 to you, you should be able to reach IPv6 hosts. If not, don't let the router announce a subnet which is isolated.
Note: it might be ok to announce a local subnet which is not routed internationally. In this case, the logic to apply would be if the DNS server or the host to connect to can be considered reachable over the router or not. If the IPv6 starts with F... probably not.


Andreas
Geert Stappers
2018-11-19 11:26:33 UTC
Post by Andreas Fink
Post by Anatoli Babenia
My upstream provider doesn't support IPv6. No addresses are reachable.
But my router still gives me an IPv6 address and is even able to resolve
AAAA records. Being able to resolve IPv6 address iPXE thinks that it got
IPv6 and fails, but it should try IPv4 instead.
Here is the log - https://github.com/antonym/netboot.xyz/issues/283
Is it possible to make current 133f fallback to IPv4 if IPv6 fetch fails?
Also, is there an option to disable IPv6 from Failsafe Menu? Manual
network configuration doesn't help.
iPXE will query for AAAA records only if the DNS server address is itself an IPv6 address. This is the heuristic we use to decide between IPv6 and IPv4 when a DNS name is used.
This is not really what the idea is.
I would appreciate patches.
Post by Andreas Fink
1. If there is an IPv4 address only provided by the DHCP server, do IPv4 only. Consider the host "ipv4 only".
2. If there is an IPv6 address only provided by the DHCP server or through router advertisement (and it's not only link local), do IPv6 only. Consider the host "ipv6 only".
3. If the host has an IPv4 and an IPv6 address, do both. (Consider the host ipv4/ipv6 capable.)
Bullshit. Reread
Post by Andreas Fink
iPXE will query for AAAA records only if the DNS server address is itself an IPv6 address. This is the heuristic we use to decide between IPv6 and IPv4 when a DNS name is used.
Pay attention to the "decide between IPv6 and IPv4" part.


Cheers
Geert Stappers
Andreas Fink
2018-11-19 12:06:04 UTC
Post by Geert Stappers
Post by Andreas Fink
Post by Anatoli Babenia
My upstream provider doesn't support IPv6. No addresses are reachable.
But my router still gives me an IPv6 address and is even able to resolve
AAAA records. Being able to resolve IPv6 address iPXE thinks that it got
IPv6 and fails, but it should try IPv4 instead.
Here is the log - https://github.com/antonym/netboot.xyz/issues/283
Is it possible to make current 133f fallback to IPv4 if IPv6 fetch fails?
Also, is there an option to disable IPv6 from Failsafe Menu? Manual
network configuration doesn't help.
iPXE will query for AAAA records only if the DNS server address is itself an IPv6 address. This is the heuristic we use to decide between IPv6 and IPv4 when a DNS name is used.
This is not really what the idea is.
I would appreciate patches.
I will look into this.
Post by Geert Stappers
Post by Andreas Fink
1. If there is an IPv4 address only provided by the DHCP server, do IPv4 only. Consider the host "ipv4 only".
2. If there is an IPv6 address only provided by the DHCP server or through router advertisement (and it's not only link local), do IPv6 only. Consider the host "ipv6 only".
3. If the host has an IPv4 and an IPv6 address, do both. (Consider the host ipv4/ipv6 capable.)
Bullshit. Reread
Post by Andreas Fink
iPXE will query for AAAA records only if the DNS server address is itself an IPv6 address. This is the heuristic we use to decide between IPv6 and IPv4 when a DNS name is used.
Pay attention to the "decide between IPv6 and IPv4" part.
I still have to disagree. It's perfectly normal and ok to have an IPv4 based DNS server provide AAAA records for a host which is IPv6 only connected.
Having the DNS server's own IP address as a deciding factor to query for AAAA records is a wrong one. If a host can be reached over IPv6 should only be determined by the fact if the remote host has an AAAA record and if the local host has IPv6 connectivity and this potentially could reach the remote node over IPv6. The DNS server can still be IPv4 (unless the local host does not have any IPv4 anymore, in which case it can not even reach that DNS server).

See https://tools.ietf.org/html/rfc2893#page-7 section 2.2, which says:


DNS resolver libraries on IPv6/IPv4 nodes MUST be capable of handling
both A6/AAAA and A records. However, when a query locates an A6/AAAA
record holding an IPv6 address, and an A record holding an IPv4
address, the resolver library MAY filter or order the results
returned to the application in order to influence the version of IP
packets used to communicate with that node.


So if it's possible to communicate with the target on ipv6 or not is the deciding factor if IPv6 AAAA records should be considered or not. Not the DNS's own IP address.


Andreas Fink
John Haxby
2018-11-19 12:12:38 UTC
Post by Geert Stappers
Post by Andreas Fink
Post by Anatoli Babenia
My upstream provider doesn't support IPv6. No addresses are reachable.
But my router still gives me an IPv6 address and is even able to resolve
AAAA records. Being able to resolve IPv6 address iPXE thinks that it got
IPv6 and fails, but it should try IPv4 instead.
Here is the log - https://github.com/antonym/netboot.xyz/issues/283
Is it possible to make current 133f fallback to IPv4 if IPv6 fetch fails?
Also, is there an option to disable IPv6 from Failsafe Menu? Manual
network configuration doesn't help.
iPXE will query for AAAA records only if the DNS server address is itself an IPv6 address. This is the heuristic we use to decide between IPv6 and IPv4 when a DNS name is used.
This is not really what the idea is.
I would appreciate patches.
Post by Andreas Fink
1. If there is an IPv4 address only provided by the DHCP server, do IPv4 only. Consider the host "ipv4 only".
2. If there is an IPv6 address only provided by the DHCP server or through router advertisement (and it's not only link local), do IPv6 only. Consider the host "ipv6 only".
3. If the host has an IPv4 and an IPv6 address, do both. (Consider the host ipv4/ipv6 capable.)
Bullshit. Reread
That made a lot of sense to me ...
Post by Geert Stappers
Post by Andreas Fink
iPXE will query for AAAA records only if the DNS server address is itself an IPv6 address. This is the heuristic we use to decide between IPv6 and IPv4 when a DNS name is used.
Pay attention to the "decide between IPv6 and IPv4" part.
I guess I'm missing something fundamental here because I don't see how using the DNS server address is going to work in many cases.

The DNS servers at $employer, at home and elsewhere have both IPv4 and IPv6 addresses and, as I recall, you'd have to be pure IPv6 to get an IPv6 DNS server. Most machines are both IPv4 and IPv6 capable and tend to get IPv4 DNS servers and not IPv6 name servers. With a scheme that uses the DNS server to decide whether or not to use IPv6 that would preclude using IPv6 completely. On the other hand, it seems to make more sense to use the address families offered by DHCP/RA -- if you're given an IPv6 address, make AAAA queries etc. And unless you're going to adopt Happy Eyes, then preferring IPv6 over IPv4 is better.

jch
Post by Geert Stappers
Cheers
Geert Stappers
_______________________________________________
ipxe-devel mailing list
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
Andreas Fink
2018-11-19 12:22:41 UTC
Post by John Haxby
The DNS servers at $employer, at home and elsewhere have both IPv4 and IPv6 addresses and, as I recall, you'd have to be pure IPv6 to get an IPv6 DNS server. Most machines are both IPv4 and IPv6 capable and tend to get IPv4 DNS servers and not IPv6 name servers. With a scheme that uses the DNS server to decide whether or not to use IPv6 that would preclude using IPv6 completely. On the other hand, it seems to make more sense to use the address families offered by DHCP/RA -- if you're given an IPv6 address, make AAAA queries etc. And unless you're going to adopt Happy Eyes, then preferring IPv6 over IPv4 is better.
It's more than that. It's not only use IPv6 -OR- IPv4. It's IPv6 -AND- IPv4. It should attempt IPv6 first and if it fails try the IPv4, because the IPv6 networks of the target and the source might be interconnected with an IPv4 only backbone, in which case an IPv4 end to end connection works but an IPv6 end to end doesn't (assuming both sides are dual-stack connected and the DNS has AAAA and A records).
At least that was the transition idea when IPv6 was designed, because it was assumed the international backbones won't all have IPv6 from day one (and this is still the case). And that's exactly the reason why DNS servers usually stay on IPv4 addresses, because they always can be reached from IPv4 hosts and dual-stack hosts.

Also there might be multiple hosts listed in the DNS, so the logic should try all AAAA records and, if they have all failed, try all A records.

I'm just reading in the code on how it's done currently to see how this can be improved.
Michael Brown
2018-11-19 12:27:37 UTC
Post by Geert Stappers
Bullshit. Reread
Geert: please be more polite.

Michael
Geert Stappers
2018-11-19 14:08:07 UTC
} } On 2018-11-19
} } } do both ( Consider the host ipv4/ivp6 capable)
Post by Michael Brown
Post by Geert Stappers
Bullshit. Reread
Geert: please be more polite.
Acknowledge
Post by Michael Brown
Michael
Cheers
Geert Stappers
--
How unpolite is it to ignore a fellow community member??
Michael Brown
2018-11-19 12:49:27 UTC
Post by Andreas Fink
iPXE will query for AAAA records only if the DNS server address is itself an IPv6 address. This is the heuristic we use to decide between IPv6 and IPv4 when a DNS name is used.
This is not really what the idea is.
<snip>
Yes, the logic is not guaranteed to work. It is, as I stated, a
heuristic. It works in most common scenarios, and it avoids the code
complexity required to handle reachability failures at the point of
initiating the TCP connection.

We could potentially change the logic so that the DNS resolver always
queries AAAA records first, but discards any results that are
unreachable according to the IPv6 routing table. Would this solve your
problem?

Michael
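
Added example, not part of the thread and not iPXE code: a Python model of the two proposals discussed above, Andreas Fink's ordering (classify the host by its non-link-local addresses, try AAAA answers before A answers, fall back when a connect fails) combined with Michael Brown's suggested filter (discard answers that the routing table cannot reach). All function names are hypothetical, and the addresses, DNS answers and routes are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not from the thread.
LOCAL = ["192.0.2.50", "fe80::1", "2001:db8:1::50"]
ANSWERS = {"AAAA": ["2001:db8:ffff::1"], "A": ["198.51.100.7"]}
ROUTES = ["192.0.2.0/24", "0.0.0.0/0", "2001:db8:1::/64", "fe80::/10"]

def host_families(local_addrs):
    """Usable address families; a link-local-only IPv6 address does not count."""
    fams = set()
    for addr in map(ipaddress.ip_address, local_addrs):
        if addr.version == 4 or not addr.is_link_local:
            fams.add(addr.version)
    return fams

def record_types(fams):
    """AAAA before A, and only for families the host actually has."""
    return [rtype for fam, rtype in ((6, "AAAA"), (4, "A")) if fam in fams]

def reachable(dst, routes):
    """Routing-table filter: some route of the same family must cover dst."""
    dst = ipaddress.ip_address(dst)
    nets = map(ipaddress.ip_network, routes)
    return any(n.version == dst.version and dst in n for n in nets)

def connect_order(local_addrs, answers, routes):
    """Candidate addresses in the order a fetch would try them."""
    return [addr
            for rtype in record_types(host_families(local_addrs))
            for addr in answers.get(rtype, [])
            if reachable(addr, routes)]

def fetch(order, try_connect):
    """Try each candidate in turn; return the first that connects, else None."""
    for addr in order:
        if try_connect(addr):
            return addr
    return None

if __name__ == "__main__":
    dead_v6 = lambda addr: ":" not in addr   # models an upstream with no IPv6
    print(connect_order(LOCAL, ANSWERS, ROUTES))             # no ::/0 route
    with_default = connect_order(LOCAL, ANSWERS, ROUTES + ["::/0"])
    print(with_default, "->", fetch(with_default, dead_v6))
```

In this model the routing-table filter alone drops the AAAA answer when there is no IPv6 default route; when a default route is present but the upstream carries no IPv6, only the connect-time fallback reaches the A record.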