[Libvir] [PATCH] Add a default network

Mark McLoughlin markmc at redhat.com
Fri Mar 9 17:00:34 UTC 2007


On Fri, 2007-03-09 at 14:57 +0000, Daniel P. Berrange wrote:
> On Fri, Mar 09, 2007 at 01:52:31PM +0000, Mark McLoughlin wrote:

> > 	Another way you could imagine would be for your router to act as an
> > IPv6 router for a delegated prefix, but I'm not sure how the ISP would
> > communicate what that prefix should be to the router. Same with our
> > situation, I'm not sure how a Dom0 acting as an IPv6 router would figure
> > out what prefix has been delegated to it for its guests.
> 
> Yeah I was just reading this doc
> 
> http://arstechnica.com/articles/paedia/IPv6.ars/2
> 
> And the "Stateless autoconfiguration" diagram seems to be exactly what
> I think we'd want. Every guest has a MAC addr so that deals with the
> lower 64-bits of the address, but how do we choose the upper 64-bits to
> form our 'router advertisement'...

	Yep, that's how it works but ...

> Perhaps that's the bit that we stick in the libvirt XML as the
> configuration parameter
> 
> <network>
>   <name>default</name>
>   <bridge name="virbr0" />
>   <ipv6 advprefix="2001:db8:31:0:0:0:0:1"/>
> </network>

	Where does the advprefix (or what I was calling a delegated prefix)
come from in either the netgear DSL router or default virtual network
case?

	In the latter case, I'd expect some sort of way for a router to advertise
delegated prefixes to other routers either via router advertisement or
DHCPv6, but I don't think that's the way things are expected to work.

	In the former case, I'd expect the same, or perhaps I'd expect the
prefix to be given as part of the IPv6 over PPP extensions, but no.

	So, it seems to me that IPv6 hosts are expected to be able to connect
to an IPv6 router which has been manually configured with a delegated
prefix. Which implies bridging in between the host and the router, even
if NAT is being used by IPv4.

> > 	Oh, yeah - the firewall issue. Your firewall on a DSL router falls
> > naturally out of the fact that it's doing NAT, but it'd need to do actual
> > IP filtering as it's bridging your IPv6 traffic for you to have the same
> > firewall rules for IPv6. Uggh.
> 
> Having to duplicate the firewall rules is not entirely surprising, so I
> figure we can deal with that.

	No, the problem is that you have to configure those firewall rules
differently for IPv4 and IPv6. For the former, the default of "reject
all incoming traffic" falls out of the fact you're using NAT, but you'd
actually need an IP filter to have that same rule for IPv6.

	Okay, it's not a big problem, just really weird.

Cheers,
Mark.
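
Added example, not part of the original message or of libvirt: the stateless autoconfiguration step discussed above, combining the proposed advertised prefix (upper 64 bits) with a modified EUI-64 interface identifier derived from each guest's MAC (lower 64 bits). The `advprefix` attribute is the hypothetical one proposed in the thread, the guest MACs are constructed sample values, and the function names are illustrative.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Network definition as proposed in the thread. "advprefix" is the
# hypothetical attribute from the email, not a confirmed libvirt one.
NETWORK_XML = """
<network>
  <name>default</name>
  <bridge name="virbr0" />
  <ipv6 advprefix="2001:db8:31:0:0:0:0:1"/>
</network>
"""

def advertised_prefix(xml_text):
    """Return the /64 network a router on this bridge would advertise."""
    elem = ET.fromstring(xml_text).find("ipv6")
    if elem is None or "advprefix" not in elem.attrib:
        raise ValueError("no <ipv6 advprefix=...> element")
    # strict=False masks off the host bits (the trailing :1 in the example).
    return ipaddress.IPv6Network((elem.attrib["advprefix"], 64), strict=False)

def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe mid-MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address: %r" % mac)
    first = bytes([octets[0] ^ 0x02])
    return int.from_bytes(first + octets[1:3] + b"\xff\xfe" + octets[3:], "big")

def slaac_address(prefix, mac):
    """Address a guest would configure for itself from prefix and MAC."""
    if prefix.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | eui64_interface_id(mac))

if __name__ == "__main__":
    prefix = advertised_prefix(NETWORK_XML)
    # Constructed sample guest MACs.
    for mac in ("52:54:00:12:34:56", "00:16:3e:aa:bb:cc"):
        print(mac, "->", slaac_address(prefix, mac))
```

Each guest address follows directly from the prefix and the MAC and is reached across the bridge without translation, which is why the explicit IPv6 filter rule discussed in the message is needed to match the IPv4 default that falls out of NAT.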
