[avahi] General Avahi usage questions

Linus Lüssing linus.luessing at web.de
Wed Feb 17 06:18:39 PST 2010


On Wed, Feb 17, 2010 at 01:42:44AM +0100, Lennart Poettering wrote:
> On Sat, 13.02.10 03:54, Linus Lüssing (linus.luessing at web.de) wrote:
> 
> > > > first question: I think I remember having the avahi-daemon running
> > > > which assigned an ipv4 address on a new alias interface. when does
> > > > this happen, when not?
> > > 
> > > avahi-autoipd is usually used as a fallback for dhcp.
> 
> > I see. In the beginning I more had the impression that avahi would
> > utilise dedicated subnets only. But sounds plausible as at least for
> > IPv4 IP collisions are a lot less when using dhcp. Hmm, but
> > also... if I intend to use a network without a dhcp server and all
> > clients rely on just using the link local ones, then one host that
> > left its dhcp server on by mistake could cause quite a lot of
> > trouble couldn't it? Or even if there were two dhcp servers on by
> > mistake with two different subnets... hell, that would split
> > everything in two to three clouds! I couldn't find an option to
> > enforce link-local addresses for avahi anywhere, is there something
> > like this?
> 
> You may; --force-bind may be used for that.
> 
> That said this isn't really a problem if your distribution is properly
> set up and follows the recommendations pointed out here:
> 
> http://avahi.org/wiki/AvahiAutoipd#Routes
> 
> If your distribution does not follow this, then please contact them and
> ask them to fix that.
> 
> > > 
> > > > I also found this avahi-ipauto thingy, but it does not seem to be
> > > > running for this avahi-ip4ll stuff to assign a 169.254.0.0/16
> > > > address
> > > > -169.254.0.0/24 and 169.254.254.0/24 (if I remember right)
> > > 
> > > uh? avahi-autoipd will assign one of those addresses if no other
> > > address is configured via dhcp or so.
> > Ah, okay. I had to play a little with dhcp client and avahi to
> > see when and how avahi-autoipd is actually determining this state.
> > On my Debian system it also looks like, that additionally I have
> > to set the according interface to static, dhcp or NetworkManager
> > in /etc/network/interfaces, right? (according to
> > /etc/avahi/avahi-autoipd.action)
> 
> IIRC Debian sets everything up right out of the box so that dhcpcd's
> action script will call avahi-autoipd if it cannot find an IP
> address. 
> 
> But I am not a Debian guy, so you better ask the Debian folks
> about this.
Seems to work now as expected, thanks. In the beginning I was just a
little confused about when and how the link-local addresses might be
assigned.
> 
> > 
> > > > 2nd question: how can I look up the ip addresses that are assigned
> > > > to mylaptop.local (mylaptop should just be the local host name in
> > > > /etc/hosts on 127.0.1.1 on a debian system, right?)
> > > 
> > > getent hosts mylaptop.local
> > Hmm, that did not seem to work, I'm just getting the local ip
> > addresses specified in /etc/hosts. But hey, the mdns-scan did at
> > least find the other machine in my network.
> > > 
> > > (you need nss-mdns installed for that)
> > Ehm, and there's only the libnss-mdns available in Debian
> > unstable (and it is installed here).
> 
> That's presumably the right package.
> 
> You might want to use wireshark or suchlike to check whether the query
> packets are properly generated.
I got this thing working now as well with the help of this wiki
entry: http://avahi.org/wiki/AvahiAndUnicastDotLocal
So it was just the configuration of the nsswitch.conf missing :)
(yeah, I know, rtfm :P).
> 
> > > Avahi will always announce the "best" address it can find on each
> > > interface. Meaning that global addresses are generally preferred over
> > > link-local ones.
> > So like global -> organisation -> site -> link -> host? (Is the
> > ipv6 multicast scopes list the one that can be used as a
> > reference? Or is there something more complete?)
> 
> Most of the scope stuff does not exist anymore these days. Global and
> Link are the only two scopes recognized these days iirc, and Avahi
> looks for them.
Ah, okay, those two ones, good to keep in mind.
> 
> > Another question that comes in my mind here: What happens, if two
> > computers have two different subnets configured which can't reach
> > each other over this one but could reach each other over their
> > ipv6 link local address as being on the same ethernet link.
> > Shouldn't avahi announce this link local address as well so that
> > those two hosts could communicate with each other anyway?
> > Is there a reason why avahi is not announcing all ip addresses
> > available on an interface (with adding its preferred priorities so
> > that the another host could choose the interface with the highest
> > priority stated and reachable as well)?
> 
> We want to minimize the traffic generated and hence pick only one
> address per iface to announce, and that's the one that is probably the
> most useful one, i.e. a routable address. And if the routes mentioned
> above are set up properly then things should be quite robust.
Ah, that's a good point, yes. Makes sense to not announce all the
ip-addresses then. Is there a way to not announce an IPv4 (or
IPv6) address on an interface to save some more traffic? I found
those use-ipv4/6 options in the config, but they seem to be for
the protocol being used for the announcements, not the ip addresses
being announced (unless I did something wrong here which might
have led me to a wrong conclusion).
> 
> > And I guess, avahi is announcing both the "best" ipv6 and ipv4
> > address letting the other hosts decide which type they are
> > capable connecting to, right?
> 
> Not sure I follow.
> 
> Avahi will pick the best address per interface and per protocol and
> announce those. On a host with one network interface and both IPv6 and
> IPv4 it will hence announce exactly two addresses.
Or let me ask it differently. The other host is getting an
announcement of both an ipv4 and ipv6 address. Which one of those
should the application then choose? Should it try the IPv6 one
first and try again the IPv4 address after a timeout? When getting
the announcement over IPv4 (or IPv6) only, but with both an IPv4
and IPv6 address in it, should the application then try to connect to
the announced IPv4 (or IPv6) address first as that was the
protocol over which it got the announcement and is having the more
likely chances to succeed in connecting?
Or should an application always try to use the IPv6 one first, as
the connections should be a lot more stable because there are a lot less
address collisions in IPv6 compared to IPv4 and therefore a lot
less reassignments (if any) of IP addresses?
> 
> > Should applications only allow connections from other hosts that
> > had previously announced themselves via avahi or should they accept
> > any connection (which might be a security issue?). But the first
> > thing could cause some trouble if the kernel would decide to use
> > source address differing from the one announced by avahi...
> > And again for IPv6, generally an application should try connecting
> > to the host's announced IPv6 address first and retry the IPv4 one
> > after a timeout?
> 
> Avahi is not a security tool. It tries its best to make sure it
> doesn't pass on data from non-local networks or to non-local networks,
> but don't use it for authentication.
> 
> Lennart
>
Cheers, Linus
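
The nsswitch.conf problem described in this mail (getent returning only the /etc/hosts entries for mylaptop.local until an mdns module was added to the hosts: line) can be checked mechanically. The following is an added example, not part of the original mail or of Avahi; the function names are hypothetical, and the module names and the "mdns4_minimal [NOTFOUND=return]" ordering it expects are assumptions taken from the nss-mdns documentation rather than from this thread.

```python
import re

# Module names shipped by nss-mdns; "*_minimal" variants only handle .local.
MDNS_MODULES = {"mdns", "mdns4", "mdns6",
                "mdns_minimal", "mdns4_minimal", "mdns6_minimal"}

def hosts_entries(conf_text):
    """Tokens of the first 'hosts:' line in nsswitch.conf text, or None."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("hosts:"):
            # Keep actions such as "[NOTFOUND=return]" as single tokens.
            return re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):])
    return None

def check_mdns(conf_text):
    """Return (severity, message) findings about .local name resolution."""
    entries = hosts_entries(conf_text)
    if entries is None:
        return [("error", "no hosts: line found")]
    services = [e for e in entries if not e.startswith("[")]
    mdns_pos = [i for i, s in enumerate(services) if s in MDNS_MODULES]
    if not mdns_pos:
        return [("error", "no mdns module in hosts: line; names are "
                          "answered only by: " + ", ".join(services))]
    findings = []
    if "dns" in services and services.index("dns") < mdns_pos[0]:
        findings.append(("warn", "dns is consulted before mdns, so .local "
                                 "queries reach the unicast resolver first"))
    for i, tok in enumerate(entries[:-1]):
        if tok in MDNS_MODULES and tok.endswith("_minimal"):
            action = re.sub(r"\s+", "", entries[i + 1]).upper()
            if "NOTFOUND=RETURN" not in action or "!NOTFOUND" in action:
                findings.append(("warn", tok + " is not followed by "
                                 "[NOTFOUND=return]; failed .local lookups "
                                 "fall through to later sources"))
    return findings or [("ok", "mdns is configured for hosts lookups")]

# Constructed sample files, not taken from the thread.
BROKEN = "passwd: files\n# hosts: files mdns4\nhosts: files dns\n"
FIXED = "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4\n"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        for severity, message in check_mdns(text):
            print(f"{name}: {severity}: {message}")
```

An "ok" result only means .local names are handed to Avahi; as Lennart says above, the answers that come back are not authenticated and should not be used to decide which peers to trust.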