[Libvir] [PATCH] Add a default network
Daniel P. Berrange
berrange at redhat.com
Fri Mar 9 14:57:50 UTC 2007
On Fri, Mar 09, 2007 at 01:52:31PM +0000, Mark McLoughlin wrote:
> On Wed, 2007-03-07 at 18:15 +0000, Daniel P. Berrange wrote:
> > Do link-local addresses
> > let the guest communicate with outside world, or is only enabling the
> > VM-to-VM and VM-to-Host communications ?
>
> link-local addresses are only valid on the local link, so e.g. a router
> won't forward such packets.
>
> So, my point is that link-local addresses give you offline support,
> since domains can reach one another.
>
> How useful in practice that is, I don't know. You don't go typing in
> IPv6 addresses, so I guess it's only really useful if you can look up
> the guest's address in DNS or mDNS even when offline.
Well even if you don't have formal DNS names for each guest, it would
at least let funky zero-conf Avahi enabled apps do their magic discovery,
so worthwhile from that POV.
> > > The question, though, is how to make IPv6 available to guests which are
> > > connected to a virtual network out of a need for e.g. offline support.
> > > You still want NAT etc. for IPv4, but what to do about IPv6?
> > >
> > > The analogy, I think, is what would happen if your DSL provider
> > > statically allocated an IPv6 prefix to you while still also dynamically
> > > allocating an IPv4 address to you. You want to NAT IPv4 traffic using
> > > the IPv4 address, but you want your IPv6 traffic to be bridged to the
> > > IPv6 over PPP link in order to e.g. get router advertisements from the
> > > ISP end.
> >
> > I don't know of any DSL providers or DSL routers which do IPv6, but I'd
> > expect that all my machines on my LAN magically get an IPv6 address and
> > that they can access the outside world. I'd still expect incoming traffic
> > to be restricted by the DSL router firewalling as per IPv4 incoming.
>
> It's not clear to me how e.g. netgear would implement that in their
> routers.
>
> The obvious, but lame way to do it would be for your machines to only
> have link-local addresses and outgoing traffic gets NATed. That would
> suck, and you can't even do NAT with IPv6 apparently.
Yeah, sounds like this is rather frowned upon in the IPv6 world
> Another way you could imagine would be for your router to act as an
> IPv6 router for a delegated prefix, but I'm not sure how the ISP would
> communicate what that prefix should be to the router. Same with our
> situation, I'm not sure how a Dom0 acting as an IPv6 router would figure
> out what prefix has been delegated to it for its guests.
Yeah I was just reading this doc
http://arstechnica.com/articles/paedia/IPv6.ars/2
And the "Stateless autoconfiguration" diagram seems to be exactly what
I think we'd want. Every guest has a MAC addr so that deals with the
lower 64-bits of the address, but how do we choose the upper 64-bits to
form our 'router advertisement'... Perhaps that's the bit that we stick
in the libvirt XML as the configuration parameter
<network>
<name>default</name>
<bridge name="virbr0" />
<ipv6 advprefix="2001:db8:31:0:0:0:0:1"/>
</network>
> Oh, yeah - the firewall issue. Your firewall on a DSL router falls
> naturally out of the fact that it's doing NAT, but it'd need to do actual
> IP filtering as it's bridging your IPv6 traffic for you to have the same
> firewall rules for IPv6. Uggh.
Having to duplicate the firewall rules is not entirely surprising, so I
figure we can deal with that.
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
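As an added illustration of the stateless-autoconfiguration scheme Dan sketches above (this is example code, not part of the mail or of libvirt), the snippet below parses the proposed `<ipv6 advprefix=...>` element from the draft XML, reduces it to the /64 a router advertisement would carry, and combines it with a guest MAC via modified EUI-64 to get the address the guest would autoconfigure. The guest MAC and the `advprefix` attribute name are taken as given in the mail; libvirt never shipped that attribute.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the <network> XML proposed in the mail above.
NETWORK_XML = """<network>
  <name>default</name>
  <bridge name="virbr0" />
  <ipv6 advprefix="2001:db8:31:0:0:0:0:1"/>
</network>"""


def advertised_prefix(xml_text: str) -> ipaddress.IPv6Network:
    """Pull advprefix out of the proposed <ipv6> element and reduce it to the
    /64 a router advertisement would carry (SLAAC needs a 64-bit prefix)."""
    root = ET.fromstring(xml_text)
    node = root.find("ipv6")
    if node is None or "advprefix" not in node.attrib:
        raise ValueError("no <ipv6 advprefix=...> element in network XML")
    addr = ipaddress.IPv6Address(node.attrib["advprefix"])
    return ipaddress.IPv6Network((addr, 64), strict=False)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC, insert
    0xFFFE in the middle and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # toggle the U/L bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Upper 64 bits come from the advertised prefix, lower 64 from the MAC."""
    if prefix.prefixlen != 64:
        raise ValueError("stateless autoconfiguration requires a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def guest_address(xml_text: str, mac: str) -> str:
    """Address a guest with the given MAC would pick up on this network."""
    return str(slaac_address(advertised_prefix(xml_text), mac))


if __name__ == "__main__":
    # Constructed guest MAC; the 00:16:3e OUI is the one Xen uses for guests.
    print(guest_address(NETWORK_XML, "00:16:3e:12:34:56"))
```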