On Fri, Mar 09, 2007 at 01:52:31PM +0000, Mark McLoughlin wrote:
> On Wed, 2007-03-07 at 18:15 +0000, Daniel P. Berrange wrote:
> > Do link-local addresses
> > let the guest communicate with outside world, or is only enabling the
> > VM-to-VM and VM-to-Host communications ?
>
> link-local addresses are only valid on the local link, so e.g. a router
> won't forward such packets.
>
> So, my point is that link-local addresses give you offline support,
> since domains can reach one another.
>
> How useful in practice that is, I don't know. You don't go typing in
> IPv6 addresses, so I guess it's only really useful if you can look up
> the guest's address in DNS or mDNS even when offline.

Well even if you don't have formal DNS names for each guest, it would
at least let funky zero-conf Avahi enabled apps do their magic discovery,
so worthwhile from that POV.

> > > The question, though, is how to make IPv6 available to guests which are
> > > connected to a virtual network out of a need for e.g. offline support.
> > > You still want NAT etc. for IPv4, but what to do about IPv6?
> > >
> > > The analogy, I think, is what would happen if your DSL provider
> > > statically allocated an IPv6 prefix to you while still also dynamically
> > > allocating an IPv4 address to you. You want to NAT IPv4 traffic using
> > > the IPv4 address, but you want your IPv6 traffic to be bridged to the
> > > IPv6 over PPP link in order to e.g. get router advertisements from the
> > > ISP end.
> >
> > I don't know of any DSL providers or DSL routers which do IPv6, but I'd
> > expect that all my machines on my LAN magically get an IPv6 address and
> > that they can access the outside world. I'd still expect incoming traffic
> > to be restricted by the DSL router firewalling as per IPv4 incoming.
>
> It's not clear to me how e.g. netgear would implement that in their
> routers.
>
> The obvious, but lame way to do it would be for your machines to only
> have link-local addresses and outgoing traffic gets NATed. That would
> suck, and you can't even do NAT with IPv6 apparently.

Yeah, sounds like this is rather frowned upon in the IPv6 world.

> Another way you could imagine would be for your router to act as an
> IPv6 router for a delegated prefix, but I'm not sure how the ISP would
> communicate what that prefix should be to the router. Same with our
> situation, I'm not sure how a Dom0 acting as an IPv6 router would figure
> out what prefix has been delegated to it for its guests.

Yeah I was just reading this doc

  http://arstechnica.com/articles/paedia/IPv6.ars/2

And the "Stateless autoconfiguration" diagram seems to be exactly what I
think we'd want. Every guest has a MAC addr so that deals with the lower
64-bits of the address, but how do we choose the upper 64-bits to form our
'router advertisement'... Perhaps that's the bit that we stick in the
libvirt XML as the configuration parameter

  <network>
    <name>default</name>
    <bridge name="virbr0" />
    <ipv6 advprefix="2001:db8:31:0:0:0:0:1"/>
  </network>

> Oh, yeah - the firewall issue. Your firewall on a DSL router falls
> naturally out of the fact that it's doing NAT, but it'd need to do actual
> IP filtering as it's bridging your IPv6 traffic for you to have the same
> firewall rules for IPv6. Uggh.

Having to duplicate the firewall rules is not entirely surprising, so I
figure we can deal with that.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|
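The address-formation step that the thread sketches (guest MAC supplies the lower 64 bits, the advertised prefix supplies the upper 64) is shown below as an added worked example; it is not code from the thread or from libvirt. It builds the modified EUI-64 interface identifier from a MAC, combines it with the /64 carried in a router advertisement, and reads that prefix out of the proposed <network> XML. The advprefix attribute is the thread's proposal and is assumed here, not a real libvirt attribute; the MAC values are constructed samples. Note that the XML example gives a host address (…::1) rather than a bare prefix, so the helper masks off the host bits before use.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the <network> definition proposed in the thread.
# The advprefix attribute is hypothetical (the thread's proposal), not a
# real libvirt attribute.
NETWORK_XML = """
<network>
  <name>default</name>
  <bridge name="virbr0" />
  <ipv6 advprefix="2001:db8:31:0:0:0:0:1"/>
</network>
"""

# Every IPv6 link uses fe80::/64 for its link-local addresses (RFC 4291).
LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/64")


def interface_identifier(mac: str) -> int:
    """Modified EUI-64 identifier (RFC 4291 appendix A) from a 48-bit MAC:
    split the MAC in two 24-bit halves, insert 0xFFFE between them, and
    flip the universal/local bit (0x02) of the first octet."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui64, "big")


def advertised_prefix(advprefix: str) -> ipaddress.IPv6Network:
    """Normalise the configured value to the /64 a router advertisement
    would carry. SLAAC needs exactly 64 prefix bits to leave room for the
    EUI-64 identifier, so any host bits (the trailing ::1 in the thread's
    XML) are masked off and other prefix lengths are rejected."""
    if "/" not in advprefix:
        advprefix += "/64"  # assumption: an unqualified value means a /64
    net = ipaddress.IPv6Network(advprefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC prefix must be a /64, got /{net.prefixlen}")
    return net


def autoconf_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfiguration: upper 64 bits from the advertised
    prefix, lower 64 bits from the guest's MAC."""
    return ipaddress.IPv6Address(int(prefix.network_address) | interface_identifier(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The address a guest has even with no router advertisement at all,
    i.e. the offline VM-to-VM case discussed in the thread."""
    return autoconf_address(LINK_LOCAL_PREFIX, mac)


def prefix_from_network_xml(xml_text: str) -> ipaddress.IPv6Network:
    """Pull the advertised prefix out of the proposed <network> definition."""
    root = ET.fromstring(xml_text)
    ipv6 = root.find("ipv6")
    if ipv6 is None or "advprefix" not in ipv6.attrib:
        raise ValueError("network definition has no <ipv6 advprefix=.../>")
    return advertised_prefix(ipv6.attrib["advprefix"])


if __name__ == "__main__":
    prefix = prefix_from_network_xml(NETWORK_XML)
    print("advertised prefix:", prefix)
    # Constructed sample MACs using the 52:54:00 OUI that QEMU/KVM guests use.
    for mac in ("52:54:00:12:34:56", "52:54:00:ab:cd:ef"):
        print(mac, "link-local:", link_local_address(mac),
              "global:", autoconf_address(prefix, mac))
```

Because the identifier is derived from the MAC, two guests cloned with the same MAC collide on both their link-local and global addresses, which is the same uniqueness requirement the virtual network already has for IPv4 DHCP leases.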