[Libvir] [PATCH] Add a default network

Daniel P. Berrange berrange at redhat.com
Fri Mar 9 14:57:50 UTC 2007


On Fri, Mar 09, 2007 at 01:52:31PM +0000, Mark McLoughlin wrote:
> On Wed, 2007-03-07 at 18:15 +0000, Daniel P. Berrange wrote:
> > Do link-local addresses
> > let the guest communicate with outside world, or is only enabling the
> > VM-to-VM and VM-to-Host communications ?
> 
> 	link-local addresses are only valid on the local link, so e.g. a router
> won't forward such packets.
> 
> 	So, my point is that link-local addresses gives you offline support,
> since domains can reach one another.
> 
> 	How useful in practice that is, I don't know. You don't go typing in
> IPv6 addresses, so I guess it's only really useful if you can look up
> the guest's address in DNS or mDNS even when offline.

Well even if you don't have formal DNS names for each guest, it would
at least let funky zero-conf Avahi enabled apps do their magic discovery,
so worthwhile from that POV.

> > > 	The question, though, is how to make IPv6 available to guests which are
> > > connected to a virtual network out of a need for e.g. offline support.
> > > You still want NAT etc. for IPv4, but what to do about IPv6?
> > > 
> > > 	The analogy, I think, is what would happen if your DSL provider
> > > statically allocated an IPv6 prefix to you while still also dynamically
> > > allocating an IPv4 address to you. You want to NAT IPv4 traffic using
> > > the IPv4 address, but you want your IPv6 traffic to be bridged to the
> > > IPv6 over PPP link in order to e.g. get router advertisements from the
> > > ISP end.
> > 
> > I don't know of any DSL providers or DSL routers which do IPv6, but I'd
> > expect that all my machines on my LAN magically get an IPv6 address and
> > that they can access the outside world. I'd still expect incoming traffic
> > to be restricted by the DSL router firewalling as per IPv4 incoming.
> 
> 	It's not clear to me how e.g. netgear would implement that in their
> routers.
> 
> 	The obvious, but lame way to do it would be for your machines to only
> have link-local addresses and outgoing traffic gets NATed. That would
> suck, and you can't even do NAT with IPv6 apparently.

Yeah, sounds like this is rather frowned upon in the IPv6 world.

> 	Another way you could imagine would be for the your router to act as an
> IPv6 router for a delegated prefix, but I'm not sure how the ISP would
> communicate what that prefix should be to the router. Same with our
> situation, I'm not sure how a Dom0 acting as an IPv6 router would figure
> out what prefix has been delegated to it for its guests.

Yeah I was just reading this doc

http://arstechnica.com/articles/paedia/IPv6.ars/2

And the "Stateless autoconfiguration" diagram seems to be exactly what
I think we'd want. Every guest has a MAC addr so that deals with the
lower 64-bits of the address, but how do we choose the upper 64-bits to
form our 'router advertisement'...  Perhaps that's the bit that we stick
in the libvirt XML as the configuration parameter:

<network>
  <name>default</name>
  <bridge name="virbr0" />
  <ipv6 advprefix="2001:db8:31:0:0:0:0:1"/>
</network>


> 	Oh, yeah - the firewall issue. Your firewall on a DSL router falls
> naturally out of the fact that it's doing NAT, but it'd need actual
> IP filtering as it's bridging your IPv6 traffic for you to have the same
> firewall rules for IPv6. Uggh.

Having to duplicate the firewall rules is not entirely surprising, so I
figure we can deal with that.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
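The stateless-autoconfiguration split discussed above (upper 64 bits from the advertised prefix, lower 64 bits from the guest's MAC) can be worked through in a few lines. The following is an added illustration and not code from the thread or from libvirt; it assumes a constructed guest MAC of 52:54:00:12:34:56 and takes the prefix from the `advprefix` value in the proposed `<ipv6>` element. It also shows the reverse derivation, which is the reason EUI-64 based addresses are easy to predict for firewall rules and equally easy to track across networks.

```python
import ipaddress

# Constructed sample values, not from the thread: a QEMU/KVM-style guest MAC
# and the advprefix value shown in the proposed <ipv6 advprefix="..."/> element.
SAMPLE_MAC = "52:54:00:12:34:56"
SAMPLE_ADVPREFIX = "2001:db8:31:0:0:0:0:1"


def eui64_interface_id(mac: str) -> int:
    """Derive the modified EUI-64 interface identifier (lower 64 bits) from a
    48-bit MAC, the way SLAAC does (RFC 4291, Appendix A)."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address like 52:54:00:12:34:56")
    # Split the OUI from the NIC-specific half and insert 0xFFFE between them...
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # ...then invert the universal/local bit (bit 1 of the first octet).
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def advertised_prefix(advprefix: str) -> ipaddress.IPv6Network:
    """The /64 a router advertisement would carry: only the upper 64 bits of
    the configured value matter, so host bits (the trailing ::1 in the sample)
    are masked off."""
    return ipaddress.IPv6Network((advprefix, 64), strict=False)


def slaac_address(advprefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the advertised /64 with the EUI-64 identifier to obtain the
    address a guest would autoconfigure for itself."""
    net = advertised_prefix(advprefix)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_slaac_address(addr: str) -> str:
    """Reverse the derivation: an EUI-64 based address reveals the guest's MAC,
    which makes such addresses stable and trackable (the motivation for
    RFC 4941 temporary and RFC 7217 stable-opaque identifiers)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    eui = bytearray(iid.to_bytes(8, "big"))
    if eui[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    eui[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in eui[:3] + eui[5:])


if __name__ == "__main__":
    print("prefix  :", advertised_prefix(SAMPLE_ADVPREFIX))
    addr = slaac_address(SAMPLE_ADVPREFIX, SAMPLE_MAC)
    print("address :", addr)
    print("mac     :", mac_from_slaac_address(str(addr)))
```

For the sample MAC and prefix this yields 2001:db8:31::/64 and the guest address 2001:db8:31:0:5054:ff:fe12:3456. The predictability works both ways: a host can pre-compute each guest's address when writing the IPv6 filtering rules the thread mentions, and anyone who sees the address can recover the MAC.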