Notice: IPv6 breaking issues tentatively considered blocker for F17

Adam Williamson awilliam at redhat.com
Mon Mar 12 19:16:56 UTC 2012


On Sat, 2012-03-10 at 15:31 +0100, Tore Anderson wrote:
> * Adam Williamson
> 
> > At the meeting, we made the call that IPv6-only networks are becoming
> > a configuration sufficiently important that a serious breach of the 
> > criteria in the context of an IPv6-only network is significant enough
> > to be considered a release blocker, and we accepted the bug as a
> > blocker.
> 
> Thank you! This is very welcome news. It is about time Fedora joins rank
> with the likes of Apple Mac OS X and Microsoft Windows in supporting
> IPv6-only networks out of the box, especially given Fedora's «First»
> core value.
> 
> Getting the IPv6 migration moving is getting increasingly urgent, with
> one part of the world (East Asia-Pacific) already out of available IPv4
> addresses and another (EMEA) set to deplete in a few months. The
> dual-stack transition plan originally envisioned by the IETF is simply
> not going to work; there are simply not enough IPv4 addresses to last us
> through the entire transition period. IPv6-only networks are therefore
> inevitable, and it is important that from the end users' point of view,
> they work just as smoothly and in a "plug&play" fashion as any other
> dual-stacked or IPv4-only network.
> 
> > Obviously this is a pretty significant call that would set a
> > precedent for future releases and proposed blockers, so we wanted to
> > flag it up for wider discussion in case anyone thinks it was the
> > wrong way to go.
> 
> For a long time, there have been bugs open and patches made available,
> yet the issue has remained unresolved for several releases straight. For
> that reason, I believe a more forceful incentive is essential if we are
> to get the patches applied and the bugs closed before yet another release
> goes out the door without proper IPv6 support. I therefore strongly
> support the use of the release blocker mechanism.
> 
> > 18:41:26 <buggbot> Bug 591630: high, urgent, ---, twoerner,
> > ASSIGNED, DHCPv6 responses are not allowed by default ip6tables
> > ruleset
> 
> Regarding this bug in particular, I'll just note that there is
> already a precedent. In a default Fedora installation, traffic to the
> DHCPv4 client (which is the same binary as the DHCPv6 client) is allowed
> from the entire internet. From a security standpoint, blocking only one
> of the two does not make much sense. At least not to me, and there has
> been no attempt at an explanation for any other viewpoint that I'm aware of.
> 
> There are also a few other problems that prevent IPv6-only from working
> out of the box. I have also nominated those as release blockers:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=538499#c65
> https://bugzilla.redhat.com/show_bug.cgi?id=798697#c3
> 
> Also, I understand that the "ip6tables" service might be replaced
> with "firewalld" in F17 (cf. https://fedorahosted.org/fesco/ticket/805).
> If so, that would probably make #591630 irrelevant, however firewalld
> has IPv6 problems all on its own (even more so than just breaking
> DHCPv6, *all* IPv6 connectivity is broken by default), see:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=801182
> 
> I did not nominate this one as a blocker yet though, as I don't know if
> firewalld will indeed be made the default solution for F17. However, if
> it does, #801182 needs to be a release blocker as well.

Thanks for this very informative post, Tore. I'll review the other bugs
you mentioned and the ones you've nominated as blockers.

It occurs to me that there's rather a lot of 'moving parts' here, and
the next blocker review meeting isn't till Friday. I think if we just
leave things to the normal blocker handling process here we may wind up
struggling for time. So I'm thinking of trying to convene an impromptu
'IPv6 working group', and trying to get the relevant developers -
NetworkManager, iptables, firewalld, possibly initscripts for non-NM
configurations? - and those users/testers who seem very clued up about
IPv6 'together' to try and expedite the process of making this stuff
work. I'll probably do this today just by sending out a mass-CCed email
to everyone who seems to have skin in the game.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


