Re: [libvirt] IPV6 and routing
On 10/06/2012 05:29 PM, R P Herrold wrote:
On Sat, 6 Oct 2012, Gene Czarcinski wrote:
> OK, what am I missing? What don't I understand?
>
> If IPv6 is going to be useful in virtualization, then there must be
> some "easy" way to have other systems understand that the
> virtualization host is acting as a router for the virtual IPv6
> networks it runs. While being able to go between the virtualization
> hosts and the virtual guests is very useful, I do not consider this
> sufficient.
We programatically, on a per VM basis, set up our ebtables and
iptables rules at pmman.com (thus my 'ROADMAP' question earlier this
week). Under RHEL 6's (and thus CentOS') KVM and libvirtd stock setup,
there was a built-in filter as provided by libvirtd install -- as I
recall: a 'clean-traffic' filter -- that we had to amend out, compared
to prior xen setups under the earlier RHEL variant
Have you dumped and examined the running rules affecting IPv6 traffic?
-- Russ herrold
The ip6tables rules look fine. The problem is not that the packets are
not sent to the target .... they are .. I ran wireshark on the target's
NIC. The problem is getting the response back to the virtualization host.
Shortly after I wrote my message I "discovered" something called
"neighbor discovery proxy" and two attempts at implementing it: npd6 and
ndppd. This is the RFC: http://tools.ietf.org/html/rfc4389
and here is a short description from npd6:
If you have a Linux gateway router terminating your ISP feed
supporting IPv6, this may be just what you need. To summarise the
problem it solves: your ISP has given you an /64 (or some other size)
IPv6 prefix, with the last 64 bits (or whatever) entirely for your own
use on a private-side of the network. The IPv6 addresses in use by
your own devices may well not even be known to you – it’s possible
that you use DHCP6 to statically pre-allocate them (yuck!) or more
likely you are using /radvd/ on the gateway to advertise the
ISP-supplied IPv6 prefix and let the devices themselves choose what
they wish to tag on to that. It may be vaguely predictable (based upon
the device’s Ethernet MAC address) or totally unpredictable (as per
the Windows 7 box I looked at the other day!)
...
And to do this today you need to /statically pre-configure/ that full
address into the Linux system. And if it changes, you need to change
it. And if a new one appears, you need to ad it. And so on. Oh, and to
add insult to injury, you cannot even display a list of which ones you
have already configured in the system!!
And thus I offer npd6 as a solution: it runs on the gateway, and
requires little configuration. You tell it your prefix and which is
the ISP’s interface. There are a few optional knobs and levers. Then
it runs and automatically responds to /any/ Neighbor Solicitation
received from the ISP for a device with your prefix.
This "sounds" like it may be a solution and I have started some testing
to see if and how they work.
Gene