On Fri, Mar 09, 2007 at 01:52:31PM +0000, Mark McLoughlin wrote:
On Wed, 2007-03-07 at 18:15 +0000, Daniel P. Berrange wrote:
> Do link-local addresses
> let the guest communicate with outside world, or is only enabling the
> VM-to-VM and VM-to-Host communications ?
link-local addresses are only valid on the local link, so e.g. a router
won't forward such packets.
So, my point is that link-local addresses gives you offline support,
since domains can reach one another.
How useful in practice that is, I don't know. You don't go typing in
IPv6 addresses, so I guess it's only really useful if you can look up
the guest's address in DNS or mDNS even when offline.
Well even if you don't have formal DNS names for each guest, it would
at least let funky zero-conf Avahi enabled apps do their magic discovery,
so worthwhile from that POV.
> > The question, though, is how to make IPv6 available to guests which are
> > connected to a virtual network out of a need for e.g. offline support.
> > You still want NAT etc. for IPv4, but what to do about IPv6?
> >
> > The analogy, I think, is what would happen if your DSL provider
> > statically allocated an IPv6 prefix to you while still also dynamically
> > allocating an IPv4 address to you. You want to NAT IPv4 traffic using
> > the IPv4 address, but you want your IPv6 traffic to be bridged to the
> > IPv6 over PPP link in order to e.g. get router advertisements from the
> > ISP end.
>
> I don't know of any DSL providers or DSL routers which do IPv6, but I'd
> expect that all my machines on my LAN magically get an IPv6 address and
> that they can access the outside world. I'd still expect incoming traffic
> to be restricted by the DSL router firewalling as per IPv4 incoming.
It's not clear to me how e.g. netgear would implement that in their
routers.
The obvious, but lame way to do it would be for your machines to only
have link-local addresses and outgoing traffic gets NATed. That would
suck, and you can't even do NAT with IPv6 apparently.
Yeah, sounds like this is rather frowned upon in the IPv6 world
Another way you could imagine would be for your router to act as an
IPv6 router for a delegated prefix, but I'm not sure how the ISP would
communicate what that prefix should be to the router. Same with our
situation, I'm not sure how a Dom0 acting as an IPv6 router would figure
out what prefix has been delegated to it for its guests.
Yeah I was just reading this doc
http://arstechnica.com/articles/paedia/IPv6.ars/2
And the "Stateless autoconfiguration" diagram seems to be exactly what
I think we'd want. Every guest has a MAC addr so that deals with the
lower 64-bits of the address, but how do we choose the upper 64-bits to
form our 'router advertisement'... Perhaps that's the bit that we stick
in the libvirt XML as the configuration parameter
  <network>
    <name>default</name>
    <bridge name="virbr0" />
    <ipv6 advprefix="2001:db8:31:0:0:0:0:1"/>
  </network>
Oh, yeah - the firewall issue. Your firewall on a DSL router falls
naturally out of the fact that it's doing NAT, but it'd need to do actual
IP filtering as it's bridging your IPv6 traffic for you to have the same
firewall rules for IPv6. Uggh.
Having to duplicate the firewall rules is not entirely surprising, so I
figure we can deal with that.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
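
The stateless autoconfiguration arithmetic discussed in the thread, as an added example that is not part of the original messages or of libvirt: it derives a guest's link-local and prefix-based addresses from its MAC using modified EUI-64. The guest MAC is constructed, the function names are hypothetical, and the advprefix value from the proposed XML is assumed to supply only the upper 64 bits.

```python
import ipaddress

LINK_LOCAL_PREFIX = "fe80::"             # fe80::/64, never forwarded by a router
ADV_PREFIX = "2001:db8:31:0:0:0:0:1"     # advprefix value from the proposed XML
GUEST_MAC = "00:16:3e:12:34:56"          # constructed sample guest MAC


def eui64_interface_id(mac: str) -> int:
    """Lower 64 bits: split the MAC, insert ff:fe, flip the universal/local bit."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the upper 64 bits of `prefix` with the MAC-derived interface ID."""
    upper = (int(ipaddress.IPv6Address(prefix)) >> 64) << 64
    return ipaddress.IPv6Address(upper | eui64_interface_id(mac))


def guest_addresses(advprefix: str, mac: str) -> dict:
    """Addresses a guest would autoconfigure on the virtual network."""
    return {
        "link_local": slaac_address(LINK_LOCAL_PREFIX, mac),
        "advertised": slaac_address(advprefix, mac),
    }


def needs_ipv6_filtering(addr: ipaddress.IPv6Address) -> bool:
    """Only addresses outside fe80::/10 can be routed, so only those
    depend on explicit IPv6 firewall rules rather than on link scope."""
    return not addr.is_link_local


if __name__ == "__main__":
    for name, addr in guest_addresses(ADV_PREFIX, GUEST_MAC).items():
        print(f"{name:11} {addr}  needs filtering: {needs_ipv6_filtering(addr)}")
```

Because the interface ID is a pure function of the MAC, anyone who knows the advertised prefix and a guest's MAC can predict its address, which is one more reason the IPv6 filtering rules mentioned above cannot be skipped.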