Re: [libvirt] IPV6 and routing

On 10/06/2012 05:29 PM, R P Herrold wrote: > On Sat, 6 Oct 2012, Gene Czarcinski wrote: > >> OK, what am I missing? What don't I understand? >> >> If IPv6 is going to be useful in virtualization, then there must be >> some "easy" way to have other systems understand that the >> virtualization host is acting as a router for the virtual IPv6 >> networks it runs. While being able to go between the virtualization >> hosts and the virtual guests is very useful, I do not consider this >> sufficient. > > We programatically, on a per VM basis, set up our ebtables and > iptables rules at pmman.com (thus my 'ROADMAP' question earlier this > week). Under RHEL 6's (and thus CentOS') KVM and libvirtd stock > setup, there was a built-in filter as provided by libvirtd install -- > as I recall: a 'clean-traffic' filter -- that we had to amend out, > compared to prior xen setups under the earlier RHEL variant > > Have you dumped and examined the running rules affecting IPv6 traffic? > > -- Russ herrold > > The ip6tables rules look fine. The problem is not that the packets are not sent to the target .... they are .. I ran wireshark on the target's NIC. The problem is getting the response back to the virtualization host. Shortly after I wrote my message I "discovered" something called "neighbor discovery proxy" and two attempts at implementing it: npd6 and ndppd. This is the RFC: http://tools.ietf.org/html/rfc4389 and here is a short description from npd6: > If you have a Linux gateway router terminating your ISP feed > supporting IPv6, this may be just what you need. To summarise the > problem it solves: your ISP has given you an /64 (or some other size) > IPv6 prefix, with the last 64 bits (or whatever) entirely for your > own use on a private-side of the network. The IPv6 addresses in use > by your own devices may well not even be known to you – it’s possible > that you use DHCP6 to statically pre-allocate them (yuck!) or more > likely you are using /radvd/ on the gateway to advertise the > ISP-supplied IPv6 prefix and let the devices themselves choose what > they wish to tag on to that. It may be vaguely predictable (based > upon the device’s Ethernet MAC address) or totally unpredictable (as > per the Windows 7 box I looked at the other day!) ... > > And to do this today you need to /statically pre-configure/ that full > address into the Linux system. And if it changes, you need to change > it. And if a new one appears, you need to ad it. And so on. Oh, and > to add insult to injury, you cannot even display a list of which ones > you have already configured in the system!! > > And thus I offer npd6 as a solution: it runs on the gateway, and > requires little configuration. You tell it your prefix and which is > the ISP’s interface. There are a few optional knobs and levers. Then > it runs and automatically responds to /any/ Neighbor Solicitation > received from the ISP for a device with your prefix. > This "sounds" like it may be a solution and I have started some testing to see if and how they work.