IP-Aliasing for IPv6?

IP-Aliasing for IPv6?

[M. Buecher]

Preamble: I'm just a network hobbyist at home, so please bear with me if 
something in this mail is "stupid" from an expert's point of view.

According to the documentation [1] "IP-Aliasing" is an obsolete way to 
manage multiple IP[v4]-addresses/masks on an interface.
For having multiple IP[v4]-addresses on an interface this is absolutely 
true.

For me "IP-Aliasing" is still a valid, good and easy way to "group" ip 
addresses to run multiple instances of the same service with different 
IPs via virtual interfaces on a single physical NIC.

Short story:
I recently added IPv6 to my LAN setup and recognized that IP-Aliasing is 
not support by the kernel.
Could IP-Aliasing support for IPv6 be added to the kernel?

Long story:
I tried to find out how to do virtual network interfaces "The Right Way 
(tm)" nowadays.
So I came across MACVLAN, IPVLAN and alike on the internet, mostly in 
conjunction with containers or VMs.
But MACVLAN/IPVLAN do not provide the same usability as "IP-Aliasing", 
e.g. user needs to learn a lot about network infrastructre, sysctl 
settings, forwarding, etc.
They also do not provide the same functionality, e.g. the virtual 
interfaces cannot reach their parent interface.

In my tests with MACVLAN (bridge)/IPVLAN (L2) pinging between parent and 
virtual devices with `ping -I <device> <target ip>` failed for IPv4 and 
IPV6.
Pinging from outside MACVLAN worked fine for IPv4 but not IPv6, while 
IPVLAN failed also for pinging with IPv4 to the virtual interfaces. 
Pinging to outside only worked from the parent device.
Unfortunately I could not find any source on the internet that describes 
how to setup MACVLAN/IPVLAN and their surroundings correctly for a 
single machine. It seems they are just used for containers and VMs.

If it is possible to setup MACVLAN/IPVLAN that they can reach and also 
can be reached from their parent device, other virtual devices and from 
outside, then please guide me to the right direction or provide links. 
Would be much appreciated.
Otherwise I would like to see IP-Aliasing for IPv6.

Hope to stimulate further thoughts and thanks for reading
Matthias "Maddes" Bücher

[1] https://www.kernel.org/doc/html/latest/networking/alias.html

Re: IP-Aliasing for IPv6?

[Heiner Kallweit]

On 14.05.2019 20:49, M. Buecher wrote:
> Preamble: I'm just a network hobbyist at home, so please bear with me if something in this mail is "stupid" from an expert's point of view.
> 
> According to the documentation [1] "IP-Aliasing" is an obsolete way to manage multiple IP[v4]-addresses/masks on an interface.
> For having multiple IP[v4]-addresses on an interface this is absolutely true.
> 
> For me "IP-Aliasing" is still a valid, good and easy way to "group" ip addresses to run multiple instances of the same service with different IPs via virtual interfaces on a single physical NIC.
> 
This sounds like you don't necessarily need additional virtual interfaces
but simply additional IP addresses at the primary interface -> ip address help

> Short story:
> I recently added IPv6 to my LAN setup and recognized that IP-Aliasing is not support by the kernel.
> Could IP-Aliasing support for IPv6 be added to the kernel?
> 
> Long story:
> I tried to find out how to do virtual network interfaces "The Right Way (tm)" nowadays.
> So I came across MACVLAN, IPVLAN and alike on the internet, mostly in conjunction with containers or VMs.
> But MACVLAN/IPVLAN do not provide the same usability as "IP-Aliasing", e.g. user needs to learn a lot about network infrastructre, sysctl settings, forwarding, etc.
> They also do not provide the same functionality, e.g. the virtual interfaces cannot reach their parent interface.
> 
> In my tests with MACVLAN (bridge)/IPVLAN (L2) pinging between parent and virtual devices with `ping -I <device> <target ip>` failed for IPv4 and IPV6.
> Pinging from outside MACVLAN worked fine for IPv4 but not IPv6, while IPVLAN failed also for pinging with IPv4 to the virtual interfaces. Pinging to outside only worked from the parent device.
> Unfortunately I could not find any source on the internet that describes how to setup MACVLAN/IPVLAN and their surroundings correctly for a single machine. It seems they are just used for containers and VMs.
> 
> If it is possible to setup MACVLAN/IPVLAN that they can reach and also can be reached from their parent device, other virtual devices and from outside, then please guide me to the right direction or provide links. Would be much appreciated.
> Otherwise I would like to see IP-Aliasing for IPv6.
> 
> Hope to stimulate further thoughts and thanks for reading
> Matthias "Maddes" Bücher
> 
> [1] https://www.kernel.org/doc/html/latest/networking/alias.html
> 
> 

Re: IP-Aliasing for IPv6?

[Matthias May]

On 14/05/2019 20:49, M. Buecher wrote:
> Preamble: I'm just a network hobbyist at home, so please bear with me if
> something in this mail is "stupid" from an expert's point of view.
> 
> According to the documentation [1] "IP-Aliasing" is an obsolete way to
> manage multiple IP[v4]-addresses/masks on an interface.
> For having multiple IP[v4]-addresses on an interface this is absolutely
> true.
> 
> For me "IP-Aliasing" is still a valid, good and easy way to "group" ip
> addresses to run multiple instances of the same service with different
> IPs via virtual interfaces on a single physical NIC.
> 
> Short story:
> I recently added IPv6 to my LAN setup and recognized that IP-Aliasing is
> not support by the kernel.
> Could IP-Aliasing support for IPv6 be added to the kernel?
> 
> Long story:
> I tried to find out how to do virtual network interfaces "The Right Way
> (tm)" nowadays.
> So I came across MACVLAN, IPVLAN and alike on the internet, mostly in
> conjunction with containers or VMs.
> But MACVLAN/IPVLAN do not provide the same usability as "IP-Aliasing",
> e.g. user needs to learn a lot about network infrastructre, sysctl
> settings, forwarding, etc.
> They also do not provide the same functionality, e.g. the virtual
> interfaces cannot reach their parent interface.
> 
> In my tests with MACVLAN (bridge)/IPVLAN (L2) pinging between parent and
> virtual devices with `ping -I <device> <target ip>` failed for IPv4 and
> IPV6.
> Pinging from outside MACVLAN worked fine for IPv4 but not IPv6, while
> IPVLAN failed also for pinging with IPv4 to the virtual interfaces.
> Pinging to outside only worked from the parent device.
> Unfortunately I could not find any source on the internet that describes
> how to setup MACVLAN/IPVLAN and their surroundings correctly for a
> single machine. It seems they are just used for containers and VMs.
> 
> If it is possible to setup MACVLAN/IPVLAN that they can reach and also
> can be reached from their parent device, other virtual devices and from
> outside, then please guide me to the right direction or provide links.
> Would be much appreciated.
> Otherwise I would like to see IP-Aliasing for IPv6.
> 
> Hope to stimulate further thoughts and thanks for reading
> Matthias "Maddes" Bücher
> 
> [1] https://www.kernel.org/doc/html/latest/networking/alias.html
> 

Hi
You might want to take a look at the "label" argument of ip when setting
an IP address.

BR
Matthias

Re: IP-Aliasing for IPv6?

[Michal Kubecek]

On Tue, May 14, 2019 at 08:49:12PM +0200, M. Buecher wrote:
> According to the documentation [1] "IP-Aliasing" is an obsolete way to
> manage multiple IP[v4]-addresses/masks on an interface.
> For having multiple IP[v4]-addresses on an interface this is absolutely
> true.
> 
> For me "IP-Aliasing" is still a valid, good and easy way to "group" ip
> addresses to run multiple instances of the same service with different IPs
> via virtual interfaces on a single physical NIC.
> 
> Short story:
> I recently added IPv6 to my LAN setup and recognized that IP-Aliasing is not
> support by the kernel.
> Could IP-Aliasing support for IPv6 be added to the kernel?

You should probably better explain what is the feature you are using
with IPv4 but you are missing for IPv6. The actual IP aliasing has been
removed in kernel 2.2, i.e. 20 years ago. Since then, there is no IP
aliasing even for IPv4. What exactly works for IPv4 but does not for
IPv6?

> Long story:
> I tried to find out how to do virtual network interfaces "The Right Way
> (tm)" nowadays.
> So I came across MACVLAN, IPVLAN and alike on the internet, mostly in
> conjunction with containers or VMs.
> But MACVLAN/IPVLAN do not provide the same usability as "IP-Aliasing", e.g.
> user needs to learn a lot about network infrastructre, sysctl settings,
> forwarding, etc.
> They also do not provide the same functionality, e.g. the virtual interfaces
> cannot reach their parent interface.
> 
> In my tests with MACVLAN (bridge)/IPVLAN (L2) pinging between parent and
> virtual devices with `ping -I <device> <target ip>` failed for IPv4 and
> IPV6.

This is an interesting observation but also a completely artificial
example. You should probably explain what is the actual goal you want to
achieve.

> Pinging from outside MACVLAN worked fine for IPv4 but not IPv6, while IPVLAN
> failed also for pinging with IPv4 to the virtual interfaces. Pinging to
> outside only worked from the parent device.
> Unfortunately I could not find any source on the internet that describes how
> to setup MACVLAN/IPVLAN and their surroundings correctly for a single
> machine. It seems they are just used for containers and VMs.

That's because containers and VMs are the primary use case (macvlan can
also make sense if you want to use different MAC address for some
reason). Otherwise, it should be sufficient to simply assign multiple
IPv[46] addresses to your interface.

Michal Kubecek

Re: IP-Aliasing for IPv6?

[M. Buecher]

On 2019-05-15 11:26, Michal Kubecek wrote:
> On Tue, May 14, 2019 at 08:49:12PM +0200, M. Buecher wrote:
>> According to the documentation [1] "IP-Aliasing" is an obsolete way to
>> manage multiple IP[v4]-addresses/masks on an interface.
>> For having multiple IP[v4]-addresses on an interface this is 
>> absolutely
>> true.
>> 
>> For me "IP-Aliasing" is still a valid, good and easy way to "group" ip
>> addresses to run multiple instances of the same service with different 
>> IPs
>> via virtual interfaces on a single physical NIC.
>> 
>> Short story:
>> I recently added IPv6 to my LAN setup and recognized that IP-Aliasing 
>> is not
>> support by the kernel.
>> Could IP-Aliasing support for IPv6 be added to the kernel?
> 
> You should probably better explain what is the feature you are using
> with IPv4 but you are missing for IPv6. The actual IP aliasing has been
> removed in kernel 2.2, i.e. 20 years ago. Since then, there is no IP
> aliasing even for IPv4. What exactly works for IPv4 but does not for
> IPv6?

Used feature is the label option of `ip`, which works for IPv4, but not 
with IPv6.

Goal: Use virtual interfaces to run separate instances of a service on 
different IP addresses on the same machine.
For example with dnsmasq I use `-interface ens192` for the normal main 
instance, while using `-interface ens192:0` and `-interfaces ens192:1` 
for special instances only assigned to specific machines via their MAC 
addresses.

What is the correct name when I use the label option of the ip command?
The "IP-Aliasing" doc was the only one I could find on kernel.org that 
fit the way labels are assigned with ip.

I know how to set these labels the following three ways:
a) manual iproute2 commands
ip addr add 192.168.0.1/24 broadcast + dev ens192
ip addr add 192.168.0.90/24 broadcast + label ens192:0 dev ens192
ip addr add 192.168.0.91/24 broadcast + label ens192:1 dev ens192

b) via /etc/network/interfaces
iface ens192 inet static
   address 192.168.0.1/24

iface ens192:0 inet static
   address 192.168.0.90/24

iface ens192:1 inet static
   address 192.168.0.91/24

c) via systemd-networkd
[Address]
Address=192.168.0.1/24

[Address]
Address=192.168.0.90/24
Label=ens192:0

[Address]
Address=192.168.0.91/24
Label=ens192:1

Hope this explains it much better
Matthias

>> Long story:
>> I tried to find out how to do virtual network interfaces "The Right 
>> Way
>> (tm)" nowadays.
>> So I came across MACVLAN, IPVLAN and alike on the internet, mostly in
>> conjunction with containers or VMs.
>> But MACVLAN/IPVLAN do not provide the same usability as "IP-Aliasing", 
>> e.g.
>> user needs to learn a lot about network infrastructre, sysctl 
>> settings,
>> forwarding, etc.
>> They also do not provide the same functionality, e.g. the virtual 
>> interfaces
>> cannot reach their parent interface.
>> 
>> In my tests with MACVLAN (bridge)/IPVLAN (L2) pinging between parent 
>> and
>> virtual devices with `ping -I <device> <target ip>` failed for IPv4 
>> and
>> IPV6.
> 
> This is an interesting observation but also a completely artificial
> example. You should probably explain what is the actual goal you want 
> to
> achieve.
> 
>> Pinging from outside MACVLAN worked fine for IPv4 but not IPv6, while 
>> IPVLAN
>> failed also for pinging with IPv4 to the virtual interfaces. Pinging 
>> to
>> outside only worked from the parent device.
>> Unfortunately I could not find any source on the internet that 
>> describes how
>> to setup MACVLAN/IPVLAN and their surroundings correctly for a single
>> machine. It seems they are just used for containers and VMs.
> 
> That's because containers and VMs are the primary use case (macvlan can
> also make sense if you want to use different MAC address for some
> reason). Otherwise, it should be sufficient to simply assign multiple
> IPv[46] addresses to your interface.
> 
> Michal Kubecek

Re: IP-Aliasing for IPv6?

[Toke Høiland-Jørgensen]

"M. Buecher" <maddes+kernel@maddes.net> writes:

> On 2019-05-15 11:26, Michal Kubecek wrote:
>> On Tue, May 14, 2019 at 08:49:12PM +0200, M. Buecher wrote:
>>> According to the documentation [1] "IP-Aliasing" is an obsolete way to
>>> manage multiple IP[v4]-addresses/masks on an interface.
>>> For having multiple IP[v4]-addresses on an interface this is 
>>> absolutely
>>> true.
>>> 
>>> For me "IP-Aliasing" is still a valid, good and easy way to "group" ip
>>> addresses to run multiple instances of the same service with different 
>>> IPs
>>> via virtual interfaces on a single physical NIC.
>>> 
>>> Short story:
>>> I recently added IPv6 to my LAN setup and recognized that IP-Aliasing 
>>> is not
>>> support by the kernel.
>>> Could IP-Aliasing support for IPv6 be added to the kernel?
>> 
>> You should probably better explain what is the feature you are using
>> with IPv4 but you are missing for IPv6. The actual IP aliasing has been
>> removed in kernel 2.2, i.e. 20 years ago. Since then, there is no IP
>> aliasing even for IPv4. What exactly works for IPv4 but does not for
>> IPv6?
>
> Used feature is the label option of `ip`, which works for IPv4, but not 
> with IPv6.
>
> Goal: Use virtual interfaces to run separate instances of a service on 
> different IP addresses on the same machine.
> For example with dnsmasq I use `-interface ens192` for the normal main 
> instance, while using `-interface ens192:0` and `-interfaces ens192:1` 
> for special instances only assigned to specific machines via their MAC 
> addresses.

You would generally instruct your daemon to listen to an address rather
than an interface. For dnsmasq you can do this with the --listen-address
option instead of the --interface option, AFAIK.

-Toke

Re: IP-Aliasing for IPv6?

[Michal Kubecek]

On Mon, May 20, 2019 at 10:23:03PM +0200, M. Buecher wrote:
> Used feature is the label option of `ip`, which works for IPv4, but not with
> IPv6.

The only reason for having these labels is to allow old tools like
ifconfig to partially work even if the underlying implementation
changed. There is no need for labels with IPv6 as even ifconfig (and the
ioctl interface it uses) does not pretend there are virtual interfaces
and 1:1 mapping between interfaces and addresses and usess add/remove to
add or remove addresses to/from the list.

> Goal: Use virtual interfaces to run separate instances of a service on
> different IP addresses on the same machine.
> For example with dnsmasq I use `-interface ens192` for the normal main
> instance, while using `-interface ens192:0` and `-interfaces ens192:1` for
> special instances only assigned to specific machines via their MAC
> addresses.

Configuration syntax based on "listening on an interface" is in most
cases a historical relic because  this "interface" is just used to get
the address the daemon is to listen on (bind the listening socket to).
Most daemons support also identifying the listening address(es) directly
which should be preferred as then your configuration matches what the
daemon is actually doing. (There are exceptions, e.g. "ping -I eth1"
does something different than "ping -I 1.2.3.4" but these are rather
rare.) Any daemon supporting IPv6 should definitely support setting the
listening address(es) directly.

> What is the correct name when I use the label option of the ip command?
> The "IP-Aliasing" doc was the only one I could find on kernel.org that fit
> the way labels are assigned with ip.

They are just labels. The term "IP aliasing" denotes the older
implementation in 2.0 kernels where there were actual virtual
interfaces, allowing you to assign the extra addresses to them. Since
kernel 2.2, it's no longer the case, there is just the actual interface
and it has a list of IPv4 addresses.

                                                         Michal Kubecek

Re: IP-Aliasing for IPv6? (actually "labels")

[M. Buecher]

On 2019-05-20 22:53, Michal Kubecek wrote:
> On Mon, May 20, 2019 at 10:23:03PM +0200, M. Buecher wrote:
>> Used feature is the label option of `ip`, which works for IPv4, but 
>> not with
>> IPv6.
> 
> The only reason for having these labels is to allow old tools like
> ifconfig to partially work even if the underlying implementation
> changed. There is no need for labels with IPv6 as even ifconfig (and 
> the
> ioctl interface it uses) does not pretend there are virtual interfaces
> and 1:1 mapping between interfaces and addresses and usess add/remove 
> to
> add or remove addresses to/from the list.
> 
>> Goal: Use virtual interfaces to run separate instances of a service on
>> different IP addresses on the same machine.
>> For example with dnsmasq I use `-interface ens192` for the normal main
>> instance, while using `-interface ens192:0` and `-interfaces ens192:1` 
>> for
>> special instances only assigned to specific machines via their MAC
>> addresses.
> 
> Configuration syntax based on "listening on an interface" is in most
> cases a historical relic because  this "interface" is just used to get
> the address the daemon is to listen on (bind the listening socket to).
> Most daemons support also identifying the listening address(es) 
> directly
> which should be preferred as then your configuration matches what the
> daemon is actually doing. (There are exceptions, e.g. "ping -I eth1"
> does something different than "ping -I 1.2.3.4" but these are rather
> rare.) Any daemon supporting IPv6 should definitely support setting the
> listening address(es) directly.

"Listening on an interface" is extremly convenient: configure/change ip 
addresses on the "label", then just reload/signal the services.
No tedious tasks needed to define each and every IP address (v4+v6) for 
each and every service.
Therefore I prefer the "oldschool" way of "listening on an interface".
Especially with the standard multi-homing of IPv6 I still vote for the 
old style and introducing labels also for IPv6.

Otherwise I just have to obey the decisions of the Kernel team and adopt 
my setups.
All explanation have been much appreciated from everybody that answered. 
This helped me to understand the topic much better. Thanks a lot.

Btw today ping doesn't work anymore with "labels", e.g. "-I eth0:0", as 
it incorrectly assumes an IP address due to the colon, although an IPv6 
address has always at least two colons in it (::1, 
2001:0DB8:3:4:1:2:3:4)

>> What is the correct name when I use the label option of the ip 
>> command?
>> The "IP-Aliasing" doc was the only one I could find on kernel.org that 
>> fit
>> the way labels are assigned with ip.
> 
> They are just labels. The term "IP aliasing" denotes the older
> implementation in 2.0 kernels where there were actual virtual
> interfaces, allowing you to assign the extra addresses to them. Since
> kernel 2.2, it's no longer the case, there is just the actual interface
> and it has a list of IPv4 addresses.
> 
>                                                          Michal Kubecek