如何在 Linux 上通过 systemd-networkd 使用 IPv6 互联网地址

到目前为止，我还没有找到像这样的简单示例来参考源代码来理解基础知识。这更像是一个概念的证明，但它花了我一些努力，所以我将逐步与社区分享。

准备工作

我在 KVM（基于内核的虚拟机）上使用三个虚拟机，全部使用 Debian 11（bullseye，此时为测试版本）并使用RFC 2460中的术语：
Node是启用 IPv6 的接口。
路由器是转发未明确寻址的 IPv6 数据包的任何节点。
主机是不是路由器的任何节点。

我们需要一些帮助程序，只要我们在节点上可以访问互联网，就应该在重新配置其网络接口以进行测试之前安装这些帮助程序。在所有节点上安装radvdump并在路由器上安装radvd。一定要radvd禁用，否则会混淆测试。我将使用tcpdump查看网络上发生的情况，因此将其安装在路由器上。在 Debian 上，我通过以下方式完成所有这些操作：

~$ sudo apt install radvdump        # on hosts and router
router ~$ sudo apt install radvd    # only on the router
router ~$ sudo systemctl disable --now radvd.service
router ~$ sudo apt install tcpdump  # only on the router

我使用 IPv6 地址前缀2001:DB8::/32 Reserved for Documentation ( RFC 3849 )，它可用于有效的全球单播地址，但不路由到 Internet。

要手动处理，这里有一些规范：

使用了一些地址类型（RFC 4291）

Unspecified          ::/128
Loopback             ::1/128
default route        ::/0
Multicast            FF00::/8
Unique Local unicast FD00::/8
Global Unicast       (everything else)
Global Anycast       (same as Global Unicast)   not used in this example

多播地址范围 ( RFC 4291 )：

FF00::  reserved
FF01::  Interface-Local scope
FF02::  Link-Local scope
FF03::  reserved
FF04::  Admin-Local scope
FF05::  Site-Local scope
FF06:: to FF07::  (unassigned)
FF08::  Organization-Local scope
FF09:: to FF0D::  (unassigned)
FF0E::  Global scope
FF0F::  reserved

众所周知的 IPv6 多播地址（摘录 - IANA的完整列表）：

ff02::1     all nodes
ff02::2     all routers
ff02::5     all OSPF (Open Shortest Path First) routers
ff02::6     all OSPF DRs (OSPF Designated Routers)
ff02::9     all RIP (Routing Information Protocol) routers
ff02::a     all EIGRP (Enhanced Interior Gateway Routing Protocol) routers
ff02::c     SSDP (Simple Service Discovery Protocol)
ff02::d     all PIM (Protocol Independent Multicast) routers
ff02::f     UPNP (Universal Plug and Play) devices
ff02::11    all homenet nodes
ff02::12    VRRP (Virtual Router Redundancy Protocol)
ff02::16    all MLDv2-capable routers
ff02::1a    all RPL (Routing Protocol for Low-Power and Lossy Networks) routers (used in Internet of Things (IoT) devices)
ff02::fb    multicast DNS IPv6
ff02::101   network time (NTP)
ff02::1:2   all DHCP agents
ff02::1:3   LLMNR (Link-Local Multicast Name Resolution)
ff02:0:0:0:0:1:ff00::/104   solicited node address
ff02:0:0:0:0:1-2:ff00::/104     node information query
ff05::1:3   all DHCP server (site)
ff05::101   all NTP server (site)

通过以下方式启用systemd-networkd

使用 systemd-networkd 进行一般网络的快速步骤一节，然后回到这里。

我将禁用所有内容，以便我们可以看到需要什么并逐步启用它。打开host-a并host-b使用此网络文件：

host-? ~$ sudo -Es   # if not already done
host-? ~# cat > /etc/systemd/network/04-wired.network <<EOF
[Match]
Name=eth0

[Network]
# on host-a uncomment
#Address=2001:db8:0:10::2/64
# on host-b uncomment
#Address=2001:db8:0:20::2/64
IPv6AcceptRA=no
LinkLocalAddressing=no
EOF

在路由器上使用这些：

router ~$ sudo -Es   # if not already done
router ~# cat > /etc/systemd/network/04-eth0.network <<EOF
[Match]
Name=eth0

[Network]
Address=2001:db8:0:10::1/64
IPv6AcceptRA=no
LinkLocalAddressing=no
EOF

router ~# cat > /etc/systemd/network/06-eth1.network <<EOF
[Match]
Name=eth1

[Network]
Address=2001:db8:0:20::1/64
IPv6AcceptRA=no
LinkLocalAddressing=no
EOF

简单的本地链接连接

首先，我将看一下host-a和之间的直接联系router。路由器已启动，我开始host-a。tcpdump在子网 2001:db8:0:10/64 上显示我：

host-a ~$ sudo tcpdump -n --number --interface=eth0 ip6 2>/dev/null
    1  23:25:28.211331 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
    2  23:25:28.227326 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
    3  23:25:28.671386 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
    4  23:25:28.735354 IP6 :: > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8:0:10::2, length 32

• 使用包 1-3host-a作为多播组的侦听器加入ff02::16- 所有支持 MLDv2 的路由器。路由器现在知道它想要接收路由消息。
• 对于包 4，它询问是否有另一个 IP 地址为 2001:db8:0:10::2 的节点。不是因为没有回复。host-a可以使用地址。

ping 到router作品：

host-a ~$ ping6 -n 2001:db8:0:10::1
PING 2001:db8:0:10::1(2001:db8:0:10::1) 56 data bytes
64 bytes from 2001:db8:0:10::1: icmp_seq=1 ttl=64 time=0.829 ms
64 bytes from 2001:db8:0:10::1: icmp_seq=2 ttl=64 time=0.863 ms
64 bytes from 2001:db8:0:10::1: icmp_seq=3 ttl=64 time=0.858 ms
--- snip ---

链路本地单播地址

在下一步中，我想连接到eth1上的第二个接口router。为此，我们需要一个静态路由：

host-a ~$ sudo ip -6 route add 2001:db8:0:20::/64 via 2001:db8:0:10::1

但ping6 -n 2001:db8:0:20::1工作不稳定：

host-a ~$ ping6 -n 2001:db8:0:20::1
PING 2001:db8:0:20::1(2001:db8:0:20::1) 56 data bytes
64 bytes from 2001:db8:0:20::1: icmp_seq=1 ttl=64 time=0.881 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=2 ttl=64 time=0.784 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=3 ttl=64 time=0.898 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=4 ttl=64 time=0.799 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=5 ttl=64 time=0.805 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=6 ttl=64 time=1.13 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=7 ttl=64 time=0.795 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=8 ttl=64 time=0.790 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=9 ttl=64 time=0.793 ms
                                ^^^^^^^^^^
64 bytes from 2001:db8:0:20::1: icmp_seq=55 ttl=64 time=1025 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=56 ttl=64 time=3.26 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=57 ttl=64 time=0.793 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=58 ttl=64 time=0.792 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=59 ttl=64 time=0.789 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=60 ttl=64 time=0.776 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=61 ttl=64 time=0.803 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=62 ttl=64 time=0.801 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=63 ttl=64 time=0.774 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=64 ttl=64 time=0.802 ms
                                ^^^^^^^^^^^
64 bytes from 2001:db8:0:20::1: icmp_seq=110 ttl=64 time=2049 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=111 ttl=64 time=1025 ms
--- snip ---
^C
--- 2001:db8:0:20::1 ping statistics ---
170 packets transmitted, 35 received, 79.4118% packet loss, time 172432ms
rtt min/avg/max/mdev = 0.774/205.826/2048.843/536.218 ms, pipe 3

如果你按照这个seq数字，你会看到 ping 延迟为 1 秒，它在大约 10 秒后被中断，并在大约 45 秒后重复，丢包率约为 80%。这不能称为稳定。我不太了解它，但在寻找故障排除时了解这种行为是件好事。无论如何，它不符合规范，因为对于链接（2001:db8:0:10:2 到 2001:db8:0:10:1）上的连接，必须使用RFC 4291 - Link-Local中指定的链接本地地址IPv6 单播地址：

链路本地地址设计用于在单个链路上寻址，用于自动地址配置、邻居发现或不存在路由器时。

检查接口上的链路本地地址。那里没人：

host-a ~$ ip -6 -br addr
lo               UNKNOWN        ::1/128
eth0             UP             2001:db8:0:10::2/64

我通过在所有节点上LinkLocalAddressing=ipv6的所有文件中进行设置、重新启动、检查和 ping 来启用它：/etc/systemd/network/*.network

host-a ~$ ip -6 -br addr
lo               UNKNOWN        ::1/128
eth0             UP             2001:db8:0:10::2/64 fe80::5054:ff:febc:adbe/64

router ~$ ip -6 -br addr
lo               UNKNOWN        ::1/128
eth0             UP             2001:db8:0:10::1/64 fe80::5054:ff:fe0f:194e/64
eth1             UP             2001:db8:0:20::1/64 fe80::5054:ff:fe0f:194e/64

host-b ~$ ip -6 -br addr
lo               UNKNOWN        ::1/128
eth0             UP             2001:db8:0:20::2/64 fe80::5054:ff:fe9b:34b9/64

host-a ~$ sudo ip -6 route add 2001:db8:0:20::/64 via 2001:db8:0:10::1
host-a ~$ ping6 -n 2001:db8:0:20::1
PING 2001:db8:0:20::1(2001:db8:0:20::1) 56 data bytes
64 bytes from 2001:db8:0:20::1: icmp_seq=9 ttl=64 time=2.08 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=10 ttl=64 time=0.780 ms
64 bytes from 2001:db8:0:20::1: icmp_seq=11 ttl=64 time=0.783 ms
--- snip ---

作品。

静态路由

如果我尝试从连接host-a到host-b然后ping6 -n 2001:db8:0:20::2失败。那是因为router它不会在其接口之间转发包。我们必须启用它。只需附加IPForward=ipv6到*.network文件。我们还需要一个静态路由，host-b以便它知道将回复发送到哪里host-a。我们现在会坚持下去。所以你会得到以下.network文件：

主机-a

host-a ~$ cat /etc/systemd/network/04-wired.network
[Match]
Name=eth0

[Network]
Address=2001:db8:0:10::2/64
IPv6AcceptRA=no
LinkLocalAddressing=ipv6

[Route]
Destination=2001:db8:0:20::/64
Gateway=2001:db8:0:10::1

路由器

router ~$ cat /etc/systemd/network/04-eth0.network
[Match]
Name=eth0

[Network]
Address=2001:0DB8:0:10::1/64
IPv6AcceptRA=no
LinkLocalAddressing=ipv6
IPForward=ipv6

router ~$ cat /etc/systemd/network/06-eth1.network
[Match]
Name=eth1

[Network]
Address=2001:0DB8:0:20::1/64
IPv6AcceptRA=no
LinkLocalAddressing=ipv6
IPForward=ipv6

主机-b

host-b ~$ cat /etc/systemd/network/04-wired.network
[Match]
Name=eth0

[Network]
Address=2001:db8:0:20::2/64
IPv6AcceptRA=no
LinkLocalAddressing=ipv6

[Route]
Destination=2001:db8:0:10::/64
Gateway=2001:db8:0:20::1

路由器广告

静态路由不是很舒服。这通常是自动完成的。主机可以向路由器询问其配置。要支持它，您必须IPv6AcceptRA=yes在其/etc/systemd/*.network文件中启用。如果你这样做，你会tcpdump在启动主机时发现：

host-a ~$ sudo tcpdump -n --number --interface=eth0 ip6 2>/dev/null
 1  18:06:20.965014 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
 2  18:06:20.976965 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
 4  18:06:21.701148 IP6 :: > ff02::1:ffbc:adbe: ICMP6, neighbor solicitation, who has fe80::5054:ff:febc:adbe, length 32
 5  18:06:21.861153 IP6 :: > ff02::1:ff00:2: ICMP6, neighbor solicitation, who has 2001:db8:0:10::2, length 32
 7  18:06:22.725190 IP6 fe80::5054:ff:febc:adbe > ff02::16: HBH ICMP6, multicast listener report v2, 3 group record(s), length 68
 9  18:06:24.225649 IP6 fe80::5054:ff:febc:adbe > ff02::2: ICMP6, router solicitation, length 16
10  18:06:27.851217 IP6 fe80::5054:ff:febc:adbe > ff02::2: ICMP6, router solicitation, length 16
11  18:06:35.087287 IP6 fe80::5054:ff:febc:adbe > ff02::2: ICMP6, router solicitation, length 16
--- snip ---

除了已知的包multicast listener report v2，neighbor solicitation我们还发现了router solicitation包。通过此消息，主机向路由器请求接口配置。但是router没有回应，所以主持人继续询问。在 Linux 上，IPv6 路由器不会立即回复路由器请求。它需要额外的服务radvd来管理它。我们已经安装了它但禁用了它。使用来自 Debian 的简单示例，/usr/share/doc/radvd/examples/simple-radvd.conf我们现在配置并启用它：

router ~$ sudo -Es   # if not already done
router ~# cat > /etc/radvd.conf <<EOF
interface eth0
{
   AdvSendAdvert on;
   prefix 2001:db8:0:10::/64
   {
   };
};

interface eth1
{
   AdvSendAdvert on;
   prefix 2001:db8:0:20::/64
   {
   };
};
EOF

~# systemctl enable radvd.service

因为我们希望主机现在从路由器获取配置，所以我们必须从其.network文件中删除手动设置。它们应该如下所示：

主机-a和主机-b：

host-? ~$ cat /etc/systemd/network/04-eth0.network
[Match]
Name=eth0

[Network]
IPv6AcceptRA=yes
LinkLocalAddressing=ipv6

路由器：

router ~$ cat /etc/systemd/network/04-eth0.network
[Match]
Name=eth0

[Network]
Address=2001:db8:0:10::1/64
IPv6AcceptRA=no
LinkLocalAddressing=ipv6
IPForward=ipv6

router ~$ cat /etc/systemd/network/06-eth1.network
[Match]
Name=eth1

[Network]
Address=2001:db8:0:20::1/64
IPv6AcceptRA=no
LinkLocalAddressing=ipv6
IPForward=ipv6

Reboot all nodes and you should have an autoconfigured running simple network.

Simplifications

To show what's needed I explicitly wrote the options into the network configuration files. But most of them are default settings, so we can just omit them.

host-a and host-b:

host-? ~$ cat /etc/systemd/network/04-eth0.network
[Match]
Name=eth0

router:

router ~$ cat /etc/systemd/network/04-eth0.network
[Match]
Name=eth0
[Network]
Address=2001:db8:0:10::1/64
IPForward=ipv6

router ~$ cat /etc/systemd/network/06-eth1.network
[Match]
Name=eth1
[Network]
Address=2001:db8:0:20::1/64
IPForward=ipv6

Debug

You may need to check if the host gets the correct settings from the router, or there is a router, for example from you internet provider, from that you must know what exactly settings it sends. Then you can start radvdump to view the received Router Advertisement. If you start it, just wait a little bit until a Router Advertisement is received. This is it with the default settings from router:

host-a ~$ sudo radvdump
#
# radvd configuration generated by radvdump 2.18
# based on Router Advertisement from fe80::5054:ff:fe0f:194e
# received by interface eth0
#

interface eth0
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag off;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;

        prefix 2001:db8:0:10::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 14400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition

}; # End of interface definition

Name Resolution

Name resolution over the complete network is only possible with a DNS server. Its setup is a new question and out of scope here. Not having a DNS server available on this simple network is also the reason why we always use ping6 with option -n which suppresses querying a DNS server to translate the ip address. Without -n, ping6 tries to connect to a DNS server for each request with a timeout. This slows down pinging drastically and isn't usable.

For the local link it is no problem to enable multicast DNS (mDNS) so you have name resolution for the direct connected nodes. Just add option

MulticastDNS=yes

to the [Network] section on every nodes /etc/systemd/network/*.network file. Then you should be able to

host-a ~$ ping6 -n router.local
PING router.local(fe80::5054:ff:fe0f:194e%eth0) 56 data bytes
64 bytes from fe80::5054:ff:fe0f:194e%eth0: icmp_seq=1 ttl=64 time=2.37 ms
64 bytes from fe80::5054:ff:fe0f:194e%eth0: icmp_seq=2 ttl=64 time=0.799 ms
64 bytes from fe80::5054:ff:fe0f:194e%eth0: icmp_seq=3 ttl=64 time=0.823 ms
--- snip ---

But ping6 -n host-b.local will not work from host-a because mDNS is not routable.

References:

• RfC 4291 - IP Version 6 Addressing Architecture
• RfC 4193 - Unique Local IPv6 Unicast Addresses (ULA)
• RfC 3849 - IPv6 Address Prefix Reserved for Documentation
• RfC 3810 - Multicast Listener Discovery Version 2 (MLDv2) for IPv6
• RfC 4862 - IPv6 Stateless Address Autoconfiguration
• RfC 4864 - Local Network Protection for IPv6 (no NAT needed)
• IANA - IPv6 Multicast Address Space Registry
• Linux IPv6 HOWTO
• IPv6 - Address Types & Formats