On Wed, 2007-03-07 at 18:15 +0000, Daniel P. Berrange wrote:
> On Tue, Mar 06, 2007 at 09:37:46AM +0000, Mark McLoughlin wrote:
> > However, with IPv6, the combination of link-local addresses, address
> > auto-configuration and network renumbering should largely eliminate
> > these problems.
> >
> > The conclusion then is that you mostly do want bridging with IPv6 -
> > i.e. you want to bridge all guests onto your physical network whereby
> > they will auto-configure using router advertisements on the physical
> > link.
>
> I must admit to not understanding IPv6 all that much.

My understanding is fairly limited, newly acquired and all pretty
theoretical, so beware :-)

> Do link-local addresses
> let the guest communicate with the outside world, or is it only enabling the
> VM-to-VM and VM-to-Host communications ?

Link-local addresses are only valid on the local link, so e.g. a router
won't forward such packets. So, my point is that link-local addresses
give you offline support, since domains can reach one another.

How useful in practice that is, I don't know. You don't go typing in
IPv6 addresses, so I guess it's only really useful if you can look up
the guest's address in DNS or mDNS even when offline.

> > The question, though, is how to make IPv6 available to guests which are
> > connected to a virtual network out of a need for e.g. offline support.
> > You still want NAT etc. for IPv4, but what to do about IPv6?
> >
> > The analogy, I think, is what would happen if your DSL provider
> > statically allocated an IPv6 prefix to you while still also dynamically
> > allocating an IPv4 address to you. You want to NAT IPv4 traffic using
> > the IPv4 address, but you want your IPv6 traffic to be bridged to the
> > IPv6 over PPP link in order to e.g. get router advertisements from the
> > ISP end.
>
> I don't know of any DSL providers or DSL routers which do IPv6, but I'd
> expect that all my machines on my LAN magically get an IPv6 address and
> that they can access the outside world. I'd still expect incoming traffic
> to be restricted by the DSL router firewalling as per IPv4 incoming.

It's not clear to me how e.g. Netgear would implement that in their
routers.

The obvious, but lame, way to do it would be for your machines to only
have link-local addresses and for outgoing traffic to get NATed. That
would suck, and you can't even do NAT with IPv6 apparently.

Another way you could imagine would be for your router to act as an
IPv6 router for a delegated prefix, but I'm not sure how the ISP would
communicate what that prefix should be to the router. Same with our
situation: I'm not sure how a Dom0 acting as an IPv6 router would figure
out what prefix has been delegated to it for its guests.

The final way is that the DSL router just blindly bridges all IPv6
traffic onto the PPP link and, so, machines on your network are talking
directly to an IPv6 router on the ISP's side which knows what prefix you
have been delegated. Looking at RFC 2472, IPv6 over PPP, I think that's
the way it's supposed to work.

That's fine, except it's really funky when you consider that your DSL
router is still NAT-ing your IPv4 traffic. So, it's acting as an IP-level
router for your IPv4 traffic and a link-level bridge for your IPv6
traffic. That's doable, but it sounds bizarre to me. I guess it's no more
bizarre than the fact that iptables works on a Linux bridge, though.

Oh, yeah - the firewall issue. Your firewall on a DSL router falls
naturally out of the fact that it's doing NAT, but it'd need to do actual
IP filtering as it's bridging your IPv6 traffic for you to have the same
firewall rules for IPv6. Uggh.

Cheers,
Mark.
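An added illustration of the two mechanisms the message above leans on, the link-local scope rule (a router must not forward packets with a link-local source or destination, RFC 4291 section 2.5.6) and stateless autoconfiguration of an address from a router-advertised /64 prefix plus the interface's MAC (the modified EUI-64 form of RFC 4291 Appendix A). This is example code written for this page, not code from the thread, libvirt or Xen. The guest MAC 00:16:3e:12:34:56 is constructed (00:16:3e is the OUI Xen uses for guest NICs; the remaining octets are made up), and 2001:db8:1::/64 is a made-up prefix from the documentation range standing in for whatever the ISP-side router would advertise.

```python
"""IPv6 address scope and SLAAC address formation (added example)."""
import ipaddress

# Scope ranges used by a forwarding decision.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # RFC 4291 2.5.6
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")     # RFC 4193
LINK_MULTICAST = ipaddress.IPv6Network("ff02::/16")  # link-scope multicast


def scope(addr: str) -> str:
    """Classify an address by the scope a router cares about.

    'global' here means 'not in any of the special ranges above'; the
    documentation prefix 2001:db8::/32 used in the examples is treated as
    global on purpose so the forwarding logic can be exercised offline.
    """
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        return "multicast-link" if a in LINK_MULTICAST else "multicast"
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a.is_loopback or a.is_unspecified:
        return "host"
    return "global"


def router_forwards(src: str, dst: str) -> bool:
    """RFC 4291 2.5.6: routers must not forward packets with a link-local
    source or destination to another link. Link-scope multicast (ff02::/16,
    e.g. router solicitations to ff02::2) stays on the link as well.

    Everything else is a routing-table question, which is out of scope
    here, so it is reported as forwardable.
    """
    on_link_only = ("link-local", "multicast-link")
    return scope(src) not in on_link_only and scope(dst) not in on_link_only


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC.

    Insert ff:fe between the OUI and the NIC-specific half, then flip the
    universal/local bit (0x02 of the first octet), as in RFC 4291 App. A.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host would form from an advertised /64 prefix and its MAC.

    SLAAC (RFC 4862) only works with a 64-bit interface identifier, so any
    other prefix length is rejected rather than silently truncated.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address)
                                     + eui64_interface_id(mac)))


def link_local_address(mac: str) -> str:
    """The fe80::/64 address a host has before hearing any router."""
    return slaac_address("fe80::/64", mac)


if __name__ == "__main__":
    guest_mac = "00:16:3e:12:34:56"          # constructed Xen-style MAC
    ll = link_local_address(guest_mac)        # usable without any router
    ga = slaac_address("2001:db8:1::/64", guest_mac)  # after an RA arrives
    print("link-local:", ll, "-> forwarded off-link:",
          router_forwards(ll, "2001:db8:2::1"))
    print("global:    ", ga, "-> forwarded off-link:",
          router_forwards(ga, "2001:db8:2::1"))
```

Run stand-alone it shows the point of the thread: the guest has a usable fe80:: address before any router exists (VM-to-VM and VM-to-host work offline), but nothing with that address as source or destination is ever forwarded off the link, so reaching the outside world requires the prefix that only an on-link router advertisement supplies.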