Questions about Qubes OS's internal networking


qubist

Mar 28, 2024, 1:36:21 PM
to qubes...@googlegroups.com
Hi,

I have a few questions about the IP address ranges Qubes uses:

1. Why were the 10.137.x.x and 10.138.x.x subnets chosen? (and not e.g.
10.222.x.x)

2. What is the CIDR for the IPv6 address ranges?

3. Where are 1 and 2 defined?

Neil du Preez

Mar 28, 2024, 9:23:51 PM
to qubes...@googlegroups.com
Hi,

For (2) and partially (3), on one of my VMs using IPv6 both a ULA and link-local address have been allocated.

Unique local addresses use prefix fc00::/7. The first bit following the prefix indicates, if set, that the address is locally assigned. This splits the address block in two equally sized halves, fc00::/8 and fd00::/8. [1]

In the Internet Protocol Version 6 (IPv6), the address block fe80::/10 has been reserved for link-local unicast addressing. [2]

[1] https://en.wikipedia.org/wiki/Unique_local_address
[2] https://en.wikipedia.org/wiki/Link-local_address

qubist

Mar 29, 2024, 12:14:48 PM
to qubes...@googlegroups.com
Thanks. I am trying to figure out the Qubes-specific stuff.

Re. (3), I found this:

https://forum.qubes-os.org/t/default-ip-ranges-for-sys-firewall-appvms-etc/3870/3

The source file is seen in dom0:

/usr/lib/python3.11/site-packages/qubes/vm/mix/net.py

Even with this info, I can't quite figure out (2) - I don't see a8a or a89
in the output of 'ip a' in any qube. Additionally, the mentioned
"Qubes-specific site-local prefix" has been deprecated:

https://datatracker.ietf.org/doc/html/rfc4291#section-2.5.7

So, I am quite lost in my research.

Skyler Ferris

Mar 29, 2024, 10:38:39 PM
to qubist...@riseup.net, qubes...@googlegroups.com
On 3/28/24 10:36, qubist wrote:
> 1. Why was 10.137.x.x and 10.138.x.x subnet chosen? (and not e.g
> 10.222.x.x)
Speaking as a QubesOS user with some networking experience (though
little professional networking experience), I doubt that there was a lot
of thought put into the exact numbers here. They needed to be in the
10.0.0.0/8 namespace so that they are a private namespace (they could
have used 192.168.0.0/16 or 172.16.0.0/12, but these are smaller
namespaces and /12 is an uncomfortable netmask to work with) but beyond
that the numbers don't have special meaning. They just needed to decide
on some number to use consistently. Or at least they did when the
netmask was /16 for both, meaning that 10.137.0.0 and 10.138.0.0 were
two separate networks. But now the netmask is /24 meaning that each host
is on its own network (where the network only supports a single host).
It would hypothetically be better to randomize across the entire
10.0.0.0 namespace since everything is on a separate network anyway, but
it's not clear to me how much practical benefit that would have and I'm
not sure if the network domains (sys-firewall, sys-net, etc) would need
to change to account for this (they might use 137/138 as magic numbers
when making decisions, but they might not).

The above is all about ipv4. My ISP doesn't give me an ipv6 address so I
don't have any experience with it.

qubist

May 3, 2024, 1:36:30 PM
to qubes...@googlegroups.com
I think I found the answer to (3):

In dom0:

/usr/lib/python3.11/site-packages/qubes/config.py

#: site-local prefix for all VMs
qubes_ipv6_prefix = 'fd09:24ef:4179:0000'

Then, this is used in /usr/lib/python3.11/site-packages/qubes/vm/mix/net.py

So, qubes get addresses like these:
fd09:24ef:4179::a89:*/128
fd09:24ef:4179::a8a:*/128

My conclusion:

The IPv6 CIDRs for the Qubes internal network are:

fd09:24ef:4179::a89:0/112
fd09:24ef:4179::a8a:0/112

It is still a mystery where all those prefixes come from.
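Editor's added example (not code from the thread or from the Qubes project) tying the two IPv6 posts together. It encodes the ULA (fc00::/7, locally assigned half fd00::/8) and link-local (fe80::/10) classification Neil described, the `qubes_ipv6_prefix` value and the two /112 ranges quoted in the last post, and one arithmetic observation: the hex suffixes a89 and a8a are the values 0x0a89 = 10.137 and 0x0a8a = 10.138, i.e. the first two octets of the IPv4 ranges written in hexadecimal. The `ipv4_to_qubes_ipv6` mapping, which packs a whole 10.137.x.y / 10.138.x.y address into the two low 16-bit groups, is an assumption consistent with the addresses seen in the thread, not a claim about how `net.py` derives them.

```python
import ipaddress

# ULA prefix as quoted from dom0's qubes/config.py in the thread.
QUBES_IPV6_PREFIX = "fd09:24ef:4179:0000"

# The two /112 ranges the last post concludes (suffixes a89 and a8a).
QUBES_IPV6_RANGES = (
    ipaddress.IPv6Network(f"{QUBES_IPV6_PREFIX}::a89:0/112"),
    ipaddress.IPv6Network(f"{QUBES_IPV6_PREFIX}::a8a:0/112"),
)

# Address classes from Neil's reply: ULA block, its locally assigned half,
# and the link-local block.
ULA = ipaddress.IPv6Network("fc00::/7")
ULA_LOCALLY_ASSIGNED = ipaddress.IPv6Network("fd00::/8")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def range_hex_suffix(first_octet: int, second_octet: int) -> str:
    """Write two IPv4 octets as one 16-bit hex group, e.g. (10, 137) -> 'a89'.

    This is plain arithmetic: 0x0a89 == (10 << 8) | 137.
    """
    return f"{(first_octet << 8) | second_octet:x}"


def classify_ipv6(addr: str) -> str:
    """Classify an address as link-local, ULA (locally assigned or not), or other."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        # fd00::/8 is the half of fc00::/7 with the 'locally assigned' bit set.
        return "ula-local" if a in ULA_LOCALLY_ASSIGNED else "ula-reserved"
    return "other"


def ipv4_to_qubes_ipv6(ipv4: str) -> ipaddress.IPv6Address:
    """Illustrative mapping (assumption, not Qubes's own code): place the 32-bit
    IPv4 address, as two 16-bit hex groups, behind the Qubes ULA prefix.

    10.137.x.y -> fd09:24ef:4179::a89:xxyy
    10.138.x.y -> fd09:24ef:4179::a8a:xxyy
    """
    packed = int(ipaddress.IPv4Address(ipv4))
    hi, lo = packed >> 16, packed & 0xFFFF
    return ipaddress.IPv6Address(f"{QUBES_IPV6_PREFIX}::{hi:x}:{lo:x}")


def is_qubes_internal_ipv6(addr: str) -> bool:
    """True if the address falls inside one of the two /112 ranges from the thread."""
    a = ipaddress.IPv6Address(addr)
    return any(a in net for net in QUBES_IPV6_RANGES)


if __name__ == "__main__":
    # Constructed sample addresses; a 10.222.x.x address (the alternative asked
    # about in the first post) lands outside both ranges under this mapping.
    for v4 in ("10.137.0.5", "10.138.1.2", "10.222.1.1"):
        v6 = ipv4_to_qubes_ipv6(v4)
        print(f"{v4:<12} -> {v6}  "
              f"class={classify_ipv6(str(v6))}  qubes-range={is_qubes_internal_ipv6(str(v6))}")
    print("fe80::1 ->", classify_ipv6("fe80::1"))
    print("suffix for 10.137 =", range_hex_suffix(10, 137),
          "| suffix for 10.138 =", range_hex_suffix(10, 138))
```

Running this prints the packed addresses (for example `10.137.0.5 -> fd09:24ef:4179::a89:5`), which have the same shape as the `fd09:24ef:4179::a89:*` entries quoted above, and shows that the ranges themselves are ULA space under fd00::/8 rather than the deprecated site-local prefix.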