Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?

[Felix Kuperjans <felix@xxxxxxxxxxxxxxxxxx>]

For testing, I use a random subnet of feff::, they are only *site*-local
(link-local = only on the same physical network like ethernet, etc. not
routed at all; site-local = only local to your
company/network/LAN/whatever, but those packages can be routed but will
not be forwarded to the Internet) and perfect for testing. Link-local is
not good for testing, because site-local addresses are depended on the
network device; if you want to ping another host link-local, you have to
add the device like:

ping6 fe80::xxxx:xxff:fexx:xxxx%dev  (the x is the mac address, dev the
device in ip link / ifconfig)

This is not really handy and those networks don't behave like real IPv6.
Site-local is like IPv6 on the Internet; only reserved for local /
testing use.

NAT has its problems, but with IPv6 nobody is forced to use NAT - but I
think denying it completely will destroy some little areas where NAT can
be really cool...

Am 07.12.2010 13:53, schrieb Simon Hobson:
> Jonathan Tripathy wrote:
>
>> As for the NAT issue, indeed a really do love NAT. I find it a huge
>> culture shock and unsettling that in an IPv6 world, all internal
>> machines will have public routable IP addresses. Does this mean that
>> the traditional "Edge Firewalls/NAT routers" would become filtering
>> bridges? As surly the world couldn't depend solely on host-bases
>> firewalls... (could we?!)
>
> Err, traditionally all hosts once had public routable addresses. NAT
> is a new fangled abomination that really does cause lots of problems
> for lots of traffic - I'm involved with VoIP at work, anyone who'se
> dealt with that and NAT will know what I mean.
>
> In practice I think your edge (NAT) router/firewall will become an
> edge router/firewall with your own IPv6 subnet on the inside of it.
>
>> I guess if each "internal" network in the world had it's own IPv6
>> subnet, then we could just use a standard firewall-router (in no-NAT
>> mode). However it just seems like extra trouble to go and obtain an
>> IPv6 block from the responsible body. For example, I spin up many
>> test internal networks on a daily basis just to play around with them
>> - I don't really want to "register" these networks.
>
> You can use link-local addresses for such testing, and I believe there
> is also a "private" range set aside for use within an organisation -
> ie it's routable, but only between sites internal to an organisation.
>
> As for public addresses, AIUI, unless you are really big then you will
> never get your own subnet allocation - this being one of the problems
> with IPv4.
>
>
>
> If any of the below is wrong, then I'd be more than happy to be
> corrected !
>
>
> Apart from address exhaustion, one of the problems with IPv4 is the
> size of the global routing table which needs to track the location (in
> network terms) of every allocated and active block. So if you go to
> <your local registry> and get an address block allocated to yourself,
> then you or your ISP will need to advertise that block via BGP4 and
> the route will propagate around the world. I don't think it takes too
> much imagination to realise the number of such allocations.
>
> If you just use a sub-allocation from your ISPs larger block then that
> isn't an issue - the ISP will only advertise a larger amalgamated
> route for the entire block. BUT you then are tied to that ISP.
>
> AIUI, in IPv6 you have to be really, really big to get a direct
> allocation. Everyone else gets a delegated chunk from their upstream
> provider and in principal, all traffic routes upwards to a small set
> of supernodes. Thus the global routing table stays small. I guess ISPs
> will get together at exchanges and privately exchange routes, but this
> won't add to the global route table.
>
> At each level, bodies will get a chunk delegated from above, and if
> you take a connection from two ISPs for redundancy/aggregation then
> you will get two different delegated blocks. You cannot go and get
> your own block and have it routed via the two ISPs.
>
> In practical terms, all hosts will expect to be multihomed, and all
> this (including changes of address when you change ISP) will be hidden
> in the DNS.
>
> From what little I know of DNS with IPv6 this isn't as bad as it might
> seem. AUIU, AAAA records are heirarchical unlike IPv4 A records which
> simply specify "an address". An AAAA record specifies addresses
> relative to a prefix - so in theory you could change everything by
> just changing the single record that specifies the prefix.
>
> I think DNS will become FAR more important with IPv6 - for the simple
> reason that few people are going to be able to remember real IPv6
> addresses ! I think this is a good thing, one of the things that irks
> me are sites I have to work at where the DNS is broken and no-one
> cares (or probably even realises) since it's so easy to just use
> 192.168.1.xxx.
>
> In the case of someone changing ISP - their prefix will change, and so
> they'll have to update that element in their DNS. But once they've
> done that, they will still be able to access stuff by the same DNS
> name (eg main-server.ho.somecompanyname.com). As long as us Techies
> have got it all right, the end users should neither see any difference
> nor have any need to care.
>
>
> That's what I know of the theory, now all I need to learn is how to
> put it into practice.
>
>
> Oh yes, and one upside I can see is that HTTPS will be easier to use.
> At present, you either need an (expensive) multi-host certificate or a
> separate address for each host. Given the shortage of addresses, few
> providers will give you your own address on a shared server without an
> extra charge - but that shouldn't be an issue when we all have so many
> addresses.
>

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users