[libvirt] IPV6 and routing

Gene Czarcinski gene at czarc.net
Sun Oct 7 10:28:11 UTC 2012


On 10/06/2012 05:29 PM, R P Herrold wrote:
> On Sat, 6 Oct 2012, Gene Czarcinski wrote:
>
>> OK, what am I missing? What don't I understand?
>>
>> If IPv6 is going to be useful in virtualization, then there must be 
>> some "easy" way to have other systems understand that the 
>> virtualization host is acting as a router for the virtual IPv6 
>> networks it runs. While being able to go between the virtualization 
>> hosts and the virtual guests is very useful, I do not consider this 
>> sufficient.
>
> We programmatically, on a per VM basis, set up our ebtables and 
> iptables rules at pmman.com (thus my 'ROADMAP' question earlier this 
> week). Under RHEL 6's (and thus CentOS') KVM and libvirtd stock setup, 
> there was a built-in filter as provided by libvirtd install -- as I 
> recall: a 'clean-traffic' filter -- that we had to amend out, compared 
> to prior xen setups under the earlier RHEL variant
>
> Have you dumped and examined the running rules affecting IPv6 traffic?
>
> -- Russ herrold
>
>
The ip6tables rules look fine. The problem is not that the packets are 
not sent to the target; they are (I ran wireshark on the target's 
NIC). The problem is getting the response back to the virtualization host.

Shortly after I wrote my message I "discovered" something called 
"neighbor discovery proxy" and two attempts at implementing it: npd6 and 
ndppd. This is the RFC: http://tools.ietf.org/html/rfc4389
and here is a short description from npd6:
> If you have a Linux gateway router terminating your ISP feed 
> supporting IPv6, this may be just what you need. To summarise the 
> problem it solves: your ISP has given you an /64 (or some other size) 
> IPv6 prefix, with the last 64 bits (or whatever) entirely for your own 
> use on a private-side of the network. The IPv6 addresses in use by 
> your own devices may well not even be known to you – it’s possible 
> that you use DHCP6 to statically pre-allocate them (yuck!) or more 
> likely you are using /radvd/ on the gateway to advertise the 
> ISP-supplied IPv6 prefix and let the devices themselves choose what 
> they wish to tag on to that. It may be vaguely predictable (based upon 
> the device’s Ethernet MAC address) or totally unpredictable (as per 
> the Windows 7 box I looked at the other day!)
...
>
> And to do this today you need to /statically pre-configure/ that full 
> address into the Linux system. And if it changes, you need to change 
> it. And if a new one appears, you need to add it. And so on. Oh, and to 
> add insult to injury, you cannot even display a list of which ones you 
> have already configured in the system!!
>
> And thus I offer npd6 as a solution: it runs on the gateway, and 
> requires little configuration. You tell it your prefix and which is 
> the ISP’s interface. There are a few optional knobs and levers. Then 
> it runs and automatically responds to /any/ Neighbor Solicitation 
> received from the ISP for a device with your prefix.
>

This "sounds" like it may be a solution and I have started some testing 
to see if and how they work.

Gene
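The neighbor discovery proxy behaviour the post describes, as an added, self-contained example (not code from the post, from libvirt, or from npd6/ndppd): an upstream node multicasts a Neighbor Solicitation for an address in the prefix the host routes to its guests, and the host answers with a Neighbor Advertisement carrying its own MAC, so the reply traffic is delivered to the host rather than dropped as unresolvable. It works at the packet layer only (no sockets or interfaces), constructs its own sample NS, and the prefix, MAC and link-local address are assumptions.

```python
# Toy IPv6 Neighbor Discovery proxy responder (RFC 4861 types 135/136), packet layer only.
# Constructed example: no sockets, no real interfaces; addresses and MACs below are assumptions.
import ipaddress
import struct

ICMPV6 = 58
NS, NA = 135, 136                                   # Neighbor Solicitation / Advertisement
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2
FLAG_ROUTER, FLAG_SOLICITED, FLAG_OVERRIDE = 0x80000000, 0x40000000, 0x20000000

# Assumed deployment: the host routes this prefix to its virtual networks and answers for it
# on its upstream NIC, whose MAC and link-local address are made up here.
PROXIED_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
PROXY_MAC = "52:54:00:aa:bb:cc"
PROXY_LINK_LOCAL = "fe80::5054:ff:feaa:bbcc"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def icmpv6_checksum(src, dst, msg: bytes) -> int:
    """One's-complement sum over the IPv6 pseudo-header (src, dst, length, next header) plus the message."""
    pseudo = src.packed + dst.packed + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([ICMPV6])
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv6_packet(src, dst, msg: bytes) -> bytes:
    """Fill in the ICMPv6 checksum and prepend an IPv6 header with hop limit 255, as ND requires."""
    csum = icmpv6_checksum(src, dst, msg[:2] + b"\x00\x00" + msg[4:])
    msg = msg[:2] + struct.pack("!H", csum) + msg[4:]
    return struct.pack("!IHBB", 0x60000000, len(msg), ICMPV6, 255) + src.packed + dst.packed + msg


def solicited_node(addr):
    """ff02::1:ffXX:XXXX, the group a resolver multicasts its NS to (RFC 4291 section 2.7.1)."""
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + addr.packed[13:])


def build_ns(src: str, src_mac, target: str) -> bytes:
    """NS as the upstream router would send it; src '::' with src_mac None models a DAD probe."""
    src, target = ipaddress.IPv6Address(src), ipaddress.IPv6Address(target)
    msg = struct.pack("!BBHI", NS, 0, 0, 0) + target.packed
    if src_mac is not None:
        msg += bytes([OPT_SRC_LLADDR, 1]) + mac_bytes(src_mac)     # option length in 8-octet units
    return ipv6_packet(src, solicited_node(target), msg)


def parse_ns(packet: bytes):
    """Return (src, dst, target) for a well-formed NS with a valid checksum, else None."""
    if len(packet) < 64 or packet[0] >> 4 != 6:
        return None
    plen, nxt, hlim = struct.unpack("!HBB", packet[4:8])
    src, dst, msg = ipaddress.IPv6Address(packet[8:24]), ipaddress.IPv6Address(packet[24:40]), packet[40:]
    if nxt != ICMPV6 or hlim != 255 or len(msg) != plen or plen < 24 or msg[0] != NS or msg[1] != 0:
        return None
    if icmpv6_checksum(src, dst, msg[:2] + b"\x00\x00" + msg[4:]) != struct.unpack("!H", msg[2:4])[0]:
        return None
    target = ipaddress.IPv6Address(msg[8:24])
    return None if target.is_multicast else (src, dst, target)


def proxy_neighbor_advert(packet: bytes, prefix=PROXIED_PREFIX, mac=PROXY_MAC, src=PROXY_LINK_LOCAL):
    """The npd6-style rule: answer any NS whose target lies in the prefix with an NA carrying our MAC.

    Returns the NA packet, or None when the packet is not an NS we should answer.
    """
    parsed = parse_ns(packet)
    if parsed is None:
        return None
    ns_src, _ns_dst, target = parsed
    if target not in prefix:
        return None
    if ns_src == ipaddress.IPv6Address("::"):
        # DAD probe: reply to all-nodes with Solicited clear (RFC 4861 section 7.2.4), so the
        # upstream node learns the address is already claimed by the network behind us.
        dst, flags = ipaddress.IPv6Address("ff02::1"), 0
    else:
        dst, flags = ns_src, FLAG_SOLICITED
    # Override stays clear: a proxy is not the owner, so a genuine owner's NA wins (RFC 4861 section 7.2.8).
    msg = struct.pack("!BBHI", NA, 0, 0, flags) + target.packed + bytes([OPT_TGT_LLADDR, 1]) + mac_bytes(mac)
    return ipv6_packet(ipaddress.IPv6Address(src), dst, msg)


def parse_na(packet: bytes) -> dict:
    """Decode the fields a querier acts on: target, R/S/O flags and the target link-layer address."""
    msg = packet[40:]
    flags = struct.unpack("!I", msg[4:8])[0]
    return {
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "target": str(ipaddress.IPv6Address(msg[8:24])),
        "router": bool(flags & FLAG_ROUTER),
        "solicited": bool(flags & FLAG_SOLICITED),
        "override": bool(flags & FLAG_OVERRIDE),
        "lladdr": mac_str(msg[26:32]) if len(msg) >= 32 and msg[24] == OPT_TGT_LLADDR else None,
    }
```

Two checks a practitioner wants are built in: a solicitation with a bad checksum, a hop limit other than 255, or a target outside the prefix gets no answer, and a DAD probe (unspecified source) is answered to ff02::1 with the Solicited flag clear. The per-address static equivalent on Linux, which the quoted npd6 text complains about, is `net.ipv6.conf.<upstream-if>.proxy_ndp=1` plus one `ip -6 neigh add proxy <guest-addr> dev <upstream-if>` entry per guest address, alongside `net.ipv6.conf.all.forwarding=1`; a prefix-wide responder such as the function above is what removes the per-address bookkeeping.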
