On Wed, 2007-03-07 at 18:15 +0000, Daniel P. Berrange wrote:
On Tue, Mar 06, 2007 at 09:37:46AM +0000, Mark McLoughlin wrote:
> However, with IPv6, the combination of link-local addresses,
address
> auto-configuration and network renumbering should largely eliminate
> these problems.
>
> The conclusion then is that you mostly do want bridging with IPv6 -
> i.e. you want to bridge all guests onto your physical network whereby
> they will auto-configure using router advertisements on the physical
> link.
I must admit to not understaning IPv6 all that much.
My understanding is fairly limited, newly acquired and all pretty
theoretical, so beware :-)
Do link-local addreses
let the guest communicate with outside world, or is only enablling the
VM-to-VM and VM-to-Host communications ?
link-local addresses are only valid on the local link, so e.g. a router
won't forward such packets.
So, my point is that link-local addresses gives you offline support,
since domains can reach one another.
How useful in practice that is, I don't know. You don't go typing in
IPv6 addresses, so I guess it's only really useful if you can look up
the guest's address in DNS or mDNS even when offline.
> The question, though, is how to make IPv6 available to guests
which are
> connected to a virtual network out of a need for e.g. offline support.
> You still want NAT etc. for IPv4, but what to do about IPv6?
>
> The analogy, I think, is what would happen if your DSL provider
> statically allocated an IPv6 prefix to you while still also dynamically
> allocating an IPv4 address to you. You want to NAT IPv4 traffic using
> the IPv4 address, but you want your IPv6 traffic to be bridged to the
> IPv6 over PPP link in order to e.g. get router advertisements from the
> ISP end.
I don;t know of any DSL providers or DSL routers which do IPv6, but I'd
expect that all my machines on my LAN magically get an IPv6 address and
that they can access the outside world. I'd still expect incoming traffic
to be restricted by the DSL router firewalling as per IPv4 incoming.
It's not clear to me how e.g. netgear would implement that in their
routers.
The obvious, but lame way to do it would be for your machines to only
have link-local addresses and outgoing traffic gets NATed. That would
suck, and you can't even do NAT with IPv6 apparently.
Another way you could imagine would be for the your router to act as an
IPv6 router for a delegated prefix, but I'm not sure how the ISP would
communicate what that prefix should be to the router. Same with our
situation, I'm not sure how a Dom0 acting as an IPv6 router would figure
out what prefix has been delegated to it for its guests.
The final way is that the DSL router just blindly bridges all IPv6
traffic onto the PPP link and, so, machines on your network are talking
directly to an IPv6 router on the ISP's side which knows what prefix you
have been delegated. Looking at rfc2472, IPv6 over PPP, I think that's
the way it's supposed to work.
That's fine, except it's really funky when you consider that your DSL
router is still NAT-ing your IPv4 traffic. So, it's acting as a IP level
router for your IPv4 traffic and a link-level bridge for your IPv6
traffic. That's doable, but it sounds bizarre to me. I guess it's no
more bizarre than the fact that iptables works on a linux bridge,
though.
Oh, yeah - the firewall issue. Your firewall on a DSL router falls
naturally out of the fact that it's doing NAT, but it'd need to actual
IP filtering as it's bridging your IPv6 traffic for you to have the same
firewall rules for IPv6. Uggh.
Cheers,
Mark.