WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

RE: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?

To: "Felix Kuperjans" <felix@xxxxxxxxxxxxxxxxxx>, <Xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
Date: Tue, 7 Dec 2010 11:44:02 -0000
Cc:
Delivery-date: Tue, 07 Dec 2010 03:45:22 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <AANLkTikJsOP7_679y1aReZCMWcGpmCgmr8x4wgg09Zz8@xxxxxxxxxxxxxx> <4CFD1220.1090205@xxxxxxxxxxx> <p0624085ac9231d5b0bc0@xxxxxxxxxxxxxxxxxxxxxx> <4CFD7A94.2040900@xxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcuVovpkoRzT3EcATeeqqJq/p4WoDgAX4fUT
Thread-topic: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
Thanks for this :)
 
Looks like I need to do a lot of reading on how IPv6 works regarding NDP.
 
Not sure if static ARP is the way to go for me, as I have many customer DomUs on the same subnet, which are being added on a daily basis. Once a new DomU goes live, all other DomUs' static ARP tables would need updating which would be impossible.
 
AFAIK, ebtables (which I use currently for my IPv4 setup) cannot filter the content of NDP messages. Since I don't think I can use static ARP, I still need to use NDP - just need the actual content of the NDP packets filtered.
 
As for the NAT issue, indeed I really do love NAT. I find it a huge culture shock and unsettling that in an IPv6 world, all internal machines will have public routable IP addresses. Does this mean that the traditional "Edge Firewalls/NAT routers" would become filtering bridges? As surely the world couldn't depend solely on host-based firewalls... (could we?!)
 
I guess if each "internal" network in the world had its own IPv6 subnet, then we could just use a standard firewall-router (in no-NAT mode). However it just seems like extra trouble to go and obtain an IPv6 block from the responsible body. For example, I spin up many test internal networks on a daily basis just to play around with them - I don't really want to "register" these networks.
 
It would be nice if routers could natively route between IPv6 and IPv4, however I understand that this is just not possible. Application specific dual-stack proxy servers are required.
 
Cheers

From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Felix Kuperjans
Sent: Tue 07/12/2010 00:06
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?

Well arptables is officially deprecated anyway. I don't know whether its
successor, ebtables, supports filtering of the content of NDP messages,
but you can filter NDP messages themselves with iptables just as any
other icmpv6 message - for example, denying them altogether. Or you add
static neighbor entries, which cannot be overwritten by neighbor
solicitations.
In addition, the neighbor proxy serves as a replacement for the arp
proxy in routed scenarios.
A good point to start is using static ARP + neighbor entries for all
domUs and the gateway at eth0. This will effectively prohibit most
working ARP / NDP attacks.

What I'm personally missing is NAT. I know it has been dropped for good
reasons, but NAT has some cool advantages like hiding a webserver domU
and a mailserver domU behind a single IP address - which will obfuscate
your virtual server structure.

We use our own private internal network within our server, which is dual
stack with IPv4 + IPv6, using a routed setup with static ARP + neighbor
entries, but I do not yet route external IPv6 addresses to the
domUs (not for an explicit reason, rather because of too little time /
interest). I think XEN as a software is ready for IPv6, although the
default vif-scripts do not really do much about that. But bridges and
routing work fine with both of them, it's just a question of the setup.

On 07.12.2010 00:11, Simon Hobson wrote:
> Jonathan Tripathy wrote:
>
>> A problem with using IPv6 at the minute is that netfilter doesn't
>> have as-advanced filtering capabilities as it does with IPv4. This is
>> important when your DomUs are for customers on an unmanaged basis.
>>
>> The main issue is that IPv6 doesn't use ARP anymore, so all MAC
>> address detection is done in the IP layer and AFAIK, netfilter
>> doesn't have the proper filtering for IPv6 to prevent MAC spoofing.
>> What we really need is an IPv6 equivalent to arptables.
>
> Since you clearly know quite a bit more than I do about IPv6 - can you
> recommend a good guide/primer for getting going ? At the moment I know
> a little bit - but mostly what I know is that it's quite a bit
> different from IPv4 and it's not a case of "the same but more bits".
>
> It's really about time I started looking at this for work.
>

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
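The thread above turns on two points: Felix's suggestion of static neighbor entries that Neighbor Solicitations/Advertisements cannot overwrite, and Jonathan's wish to filter the *content* of NDP packets rather than just their ICMPv6 type. The following is an added example, not code from the thread or from Xen, showing what both mean concretely: one function emits the `ip -6 neigh` commands that pin each domU's IPv6 address to its MAC, and another parses an ICMPv6 Neighbor Advertisement (RFC 4861) and flags one whose target link-layer address option does not match the allow-list. The addresses, MACs, the `eth0` device name and the allow-list are constructed assumptions; the ICMPv6 checksum is neither computed nor verified.

```python
"""Added example (not part of the Xen-users thread): static neighbor entries
plus content inspection of Neighbor Advertisements. All addresses, MACs and
packets are constructed sample values."""
import ipaddress
import struct

# Constructed allow-list (assumption): the one MAC each customer domU is
# permitted to claim for its IPv6 address.
ALLOWED = {
    "2001:db8:1::10": "00:16:3e:00:00:10",
    "2001:db8:1::11": "00:16:3e:00:00:11",
}

ICMPV6_NEIGHBOR_ADVERTISEMENT = 136   # RFC 4861 section 4.4
OPT_TARGET_LINK_LAYER_ADDR = 2        # RFC 4861 section 4.6.1


def static_neighbor_commands(allowed, dev="eth0"):
    """Return the `ip -6 neigh` commands that create permanent entries.
    A 'nud permanent' entry is not updated by received NS/NA messages, which
    is the static-neighbor defence Felix describes."""
    return [
        f"ip -6 neigh replace {ip} lladdr {mac} nud permanent dev {dev}"
        for ip, mac in sorted(allowed.items())
    ]


def parse_neighbor_advertisement(icmpv6):
    """Parse an ICMPv6 Neighbor Advertisement body.
    Layout: type(1) code(1) checksum(2) flags(4) target(16) options...;
    every option is type(1) length-in-8-byte-units(1) data."""
    if len(icmpv6) < 24:
        raise ValueError("truncated ICMPv6 message")
    msg_type, _code, _csum, flags = struct.unpack("!BBHI", icmpv6[:8])
    if msg_type != ICMPV6_NEIGHBOR_ADVERTISEMENT:
        raise ValueError(f"not a Neighbor Advertisement (type {msg_type})")
    target = ipaddress.IPv6Address(icmpv6[8:24])
    tlla = None
    off = 24
    while off < len(icmpv6):
        if off + 2 > len(icmpv6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")   # RFC 4861: must discard
        opt_end = off + opt_len * 8
        if opt_end > len(icmpv6):
            raise ValueError("option overruns message")
        if opt_type == OPT_TARGET_LINK_LAYER_ADDR and opt_len == 1:
            tlla = ":".join(f"{b:02x}" for b in icmpv6[off + 2:off + 8])
        off = opt_end
    return {"flags": flags, "target": str(target), "tlla": tlla}


def check_advertisement(icmpv6, allowed=ALLOWED):
    """Classify an NA against the allow-list: 'ok', 'spoofed' (target
    advertised with a MAC other than its allowed one), 'no-tlla' (no
    link-layer option to judge) or 'unknown-target' (address not ours)."""
    na = parse_neighbor_advertisement(icmpv6)
    expected = allowed.get(na["target"])
    if expected is None:
        return "unknown-target"
    if na["tlla"] is None:
        return "no-tlla"
    return "ok" if na["tlla"] == expected else "spoofed"


def build_na(target, mac, flags=0x20000000):
    """Construct a sample NA (Override flag set) carrying a target
    link-layer address option; checksum left as zero (not verified here)."""
    hdr = struct.pack("!BBHI", ICMPV6_NEIGHBOR_ADVERTISEMENT, 0, 0, flags)
    opt = bytes([OPT_TARGET_LINK_LAYER_ADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return hdr + ipaddress.IPv6Address(target).packed + opt


if __name__ == "__main__":
    for cmd in static_neighbor_commands(ALLOWED):
        print(cmd)
    legit = build_na("2001:db8:1::10", "00:16:3e:00:00:10")
    forged = build_na("2001:db8:1::10", "00:16:3e:00:00:99")
    print("legit NA:", check_advertisement(legit))    # ok
    print("forged NA:", check_advertisement(forged))  # spoofed
```

The `static_neighbor_commands` output is what Felix's "static ARP + neighbor entries" amounts to on a Linux dom0 and on each domU; with the entries in place a forged advertisement is simply not consulted. The `check_advertisement` path is what ebtables cannot do for you: a plain `ip6tables -p icmpv6 --icmpv6-type neighbour-advertisement` rule only sees the message type, whereas detecting a spoof requires reading the target address and the link-layer option inside the message and comparing them to what that domU is allowed to claim, which is the logic shown here.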
