They immediately think of dual stack and it's sort of like people put equation between
IPv6 and dual stack and think that dual stack is the best.
It sort of is except for one tiny detail and that is the one in the bottom that basically
by using dual stack you are not addressing the problem by IPv6 was deployed in the first
place and this addressing of scarcity of IPv4.
Therefore there are some other transition mechanisms I think there are some other transition mechanisms
that can help you with this thing and one that stands out is called NAT64 and yeah we
are at this event where the network uses NAT64 for the default network since 2015
if I remember correctly.
How does it work?
Well for IPv6 it's easy the path is clear for IPv4 the path is goes via translation
box that is called NAT64 box into IPv4 internet.
This works very well you can see it that yeah you can use it basically mostly for most networks
but sometimes you can hit some very corner cases for which for some people could be very
noticeable but for some people can be like critical usually it starts giving you hard
time when you start playing with virtual machine or containers on your computer then usually
those kinds of software are usually relying on IPv4 connectivity that native IPv4 connectivity
that is not available.
So there is another standard called 464XLAT which tries to closing the gap by editing
a piece of software on the computer the piece of software is called CLAT and in that sort
of like reverse translation to what NAT64 does which is called PLAT in this case and
and then so by this trick of double translation first IPv4 into IPv6 here and then transferring
via IPv6 to another translator translates IPv6 back to IPv4 we can have applications
super happy because they see sort of like dual stack they see they see both IPv4 and
IPv6 and everything works well.
This is a technology that is very well used in many devices but not in Linux so I put
there a slide with some like typical cases of what you plug into networks and how do
they work on V6 only network like the one the main network here the one that is called
FOSDEM.
If you connect your Android phone your iOS device or your Mac OS computer it should work
fully these three categories have CLAT there and also there are mobile networks in the
world who are running V6 only for their mobile phones like for millions I said billions on
the slide maybe it's just millions but it doesn't really matter lots of devices.
These devices into one network and yet not waste IPv4 address for every single device
that is in the left most category which objectively doesn't need it.
That's the question here and the answer for this is quite recent RFC which introduced
a new feature to DHCP the old DHCP protocol is used for IPv4 and this this option is called
IPv6 only preferred.
And it works like this if you have a standard every time a device attached to a network
it starts this DHCP handshake it has these four messages discover offer request and
aqua knowledge and the device if the device is capable of running IPv6 only it will just
signal this in the request parameter list it's the option 108 and if the DHCP server
is ignoring it and does not send the option 108 back in the offer that means the network
is not capable of running IPv6 only therefore it will use normal DHCP and it will use normal
IPv4 this is the case of the most networks but what if the server actually offers something
in the DHCP offer in that case the device says oh that means I'm in an I'm in a network
which does not need IPv4 for operation and therefore I will just stop the handshake here
because the handshake is stopped midway it means the address is not committed the address
is will be released after some time out and not used and therefore the address will be
saved in the in the in the in the DHCP pool that's exactly how you define network that
has a name the most stable name is IPv6 mostly IPv6 mostly doesn't mean that it's most it
means that the network is designed to run IPv6 only but still have some IPv4 for legacy
devices like windows or Linux or smart home such network has to provide perfectly working
IPv6 and the IPv6 have to have not six for support ideal there should be signal 96 for
support with this prep six for option which is an option in router advertisement so when
you attach to network you receive route to advertisement you immediately know that there
is not six for and how you configure it and also must provide not native IPv4 for the legacy
devices so everything works yeah this was like sorry I'm a little rushing into it but yeah I
want to focus on the main point of this talk which is Linux on IPv6 only basically how to
move Linux from the second category works mostly into the first category works perfectly where
are what are the gaps that needs to be closed to to have Linux not depend on native IPv4 there
are basically two options how to tackle this problem and we somehow has to be and it turns out
system yet for the has sort of like unsensible default that it's actually on by default so system
yet for the in the latest version is refusing before even though it doesn't set up sealant so
it makes your computer sort of broken but it has been reported and hopefully it will be fixed one
way or another now how you learn sealant on your computer bad news is there is no native way of
translating v4 into v6 inside Linux kernel so unlike BSD for instance it's not possible the good
thing is there are at least four software solutions that are like third party but can be run easily
first two of them are user space they use the tune tab device and they are working user space
the next two net four six and jewel are actually kernel space so you can just compile the kernel
module install it and it works there's also Perl script cause sealant D which takes care of setting
up sealant it works sort of okay but it has some limitations that are making it not universally
accessible and not something that will be in every single every single distribution the biggest
issue here is that it works like this that the sealant is sort of like on a stick it's a separate
network interface that means that to make it work you sort of have to set up router in your
computer and also set up firewall to allow traffic between two interfaces on your computer and not
only this you have to also undo it once you want to turn off sealant and just imagine the
varieted the diversity of illinux distributions this is virtually impossible to do correct way so I
don't think this this is going to fly what is supposed to fly ideal sealant should look like
this it should support multiple instances so you can have more interfaces more interfaces can be
connected to different IPv6 only networks so maybe you can have more instances of sealant it should
set up automatically as soon as you detect net64 and it should that is key point also react
dynamically to change IPv6 has changing protocol it supports dynamic renumbering of networks and
all those things that can happen dynamically so it's not like you run it once and then it's then
it stays it has to react on all the dynamic changes on the network and it shouldn't need to touch
firewall or forwarding there's actually draft in ITF that is being worked on right now setting up
the requirement for sealant so I was discussing with many people how such a sealant could work and
I found out this solution that I'm quite happy with it and that's why I'm presenting in here it
basically use IPv1 and network namespaces so the thing is you run the translator inside the
network namespace to you and I hope some of you can maybe pick up on it is that I'm missing the
piece of software that will orchestrate it that will listen to netlink events see that there is a new
router it has net64 set up an IPv6 address for it finds a free address for the translation
space from IPv4 we have another IPv4 scale set it are only eight address assigned for sealants
so you can realistically run about four sealants if you are very creative you can maybe run a little
bit more but to be honest four instances of sealant should be okay but the problem is you have to
always dynamically figure out which addressing the sealant should use and react to subsequent
configurations and of course my goal is to have this in common Linux distribution which means
hopefully network manager will pick this up hopefully system dn4d and this will this will make
the life of on IPv6 own network on linux much nicer that's everything for me if there's any question
hello excellent presentation and work one question have you figured out how macOS x does it
yes macOS does it by the sealant is actually integrated in the network interface so from
from application point of view you see network card and has this v address 192002 just have a look
if you have mac we will see it on your on this network and if you use vileshark and look what is
getting out of the network card it's just ipv6 so basically so basically the translation happens
between what application sends to it and what gets out of the on the wire so is it the kernel
implementation or is it it's in the kernel and it's and it's and it's you know because it's part
of the network interface it can be even duplicated if you have multiple interfaces active both each
one has its own instance of sealant
hi actually two questions first do you know how android is doing it because it's a bit closer to
common links the solutions and also is there an argument against doing it in the kernel or is it
just a case of nobody having done it yet sorry i missed the first first question how how is android
doing it and is there an argument against doing it in the kernel or is it just that nobody did it
oh yeah how is how is the android doing it android is doing it um similar way uh they have several
generations and the last uh the last uh part of the android code is heavily using
these three letter aquarium of network code that i don't remember uh e b thank you