WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Xen with 'Routing' scripts

To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Xen with 'Routing' scripts
From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
Date: Fri, 15 Apr 2005 14:59:09 +0200
Delivery-date: Fri, 15 Apr 2005 12:58:38 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1113555914.5469.7.camel@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <425F6B48.6080901@xxxxxxxxxxxx> <1113555914.5469.7.camel@xxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.8 (Windows/20040913)

Nils, thanks for the great response.

Some more details: we have a network of dom-0's that will host a number of dom-U's.

We need dynamic addressing, so proxy-arp sounds the simplest for us (simpler than full-on routing, that is).

Bridging is not so nice cos it exposes ethernet to the (untrusted) dom-U's.

We can't use NAT cos we want the dom-U's to be externally addressable.

Something I'm still unclear on - we don't want to reserve dom-U addresses for each dom-0 (it'll be wasteful), so we want dom-U to use DHCP. But then we've got to do DHCP relaying in dom-0, I think, and capture the dom-U IP address, unless there's a better way.

Another thing that's confusing me is that I expect there should be a left-hand (dom-0) and right-hand (dom-U) address for each of the vif's in routing mode, but I see only the one address in the scripts.

I hope this makes sense - as you might have noticed I'm approaching this from first principles. I'm sure I'll get there in the end :(

Regards
Roland


Nils Toedtmann wrote:

On Friday, 15.04.2005, at 09:20 +0200, Roland Paterson-Jones wrote:
Hi

I had a brief look at the routing scripts in /etc/xen/scripts. Essentially the main script turns on ip forwarding in dom-0, and the dom-U vif script seems to configure a 169.254.1.0 address for each vif (auto-configure address, I think), then enable proxy ARP on the vif.

Some questions: How do remote machines pick up routing information for the dom-U's? Do I have to run a routing protocol in dom-0 (maybe with zebra) so that remote machines can 'see' the dom-U's?

Depends on network configuration: If you use bridging or proxy-arp or
NAT that's not necessary. If not, routes can be configured statically
into remote machines or dynamically via routing protocols like RIP or
OSPF.
This is not a Xen-specific question, look around for networking howtos.


Could someone maybe explain the details of the ifconfig <vif> 169.254.1.0 ...

From RFC 3330 <http://www.faqs.org/rfcs/rfc3330.html>:

169.254.0.0/16 - This is the "link local" block. It is allocated for
communication between hosts on a single link. Hosts obtain these
addresses by auto-configuration, such as when a DHCP server may not
be found.

You may use random IPs in this range as a poor backup alternative to
dhcp. MS Windows and many devices like printers use such IPs if they
cannot find a dhcp server.


and what the proxy ARP stuff does?

It's kinda "pseudo-bridging". For example if your domU and your dom0 shall
use ips within the same IP prefix (say 192.168.1.0/24), and another
physical host is acting as default gateway (let's say dom0=192.168.1.2,
domU=192.168.1.3, gw=192.168.1.1), there are (at least) four
alternatives:

* DNAT all domU-services on dom0

   iptables -t nat -A PREROUTING -p tcp -j DNAT -d 192.168.1.2 \
      --dport 80 --to-destination 192.168.1.3

* hostroutes for domU
   gw#   ip route add 192.168.1.3/32 via 192.168.1.2
   dom0# ip route add 192.168.1.3/32 dev vif1.0

* bridging

* proxy-arp: When gw tries to send an IP packet to domU it thinks domU
 is link-local, so it tries to resolve 192.168.1.3 to a MAC address by
 ARP-request. But that ARP-request can never reach domU (it's not
 bridged). Now
   ip route add 192.168.1.3/32 dev vif1.0
   sysctl -w net.ipv4.conf.eth0.proxy_arp=1

 (or has it to be "net.ipv4.conf.vif1.0.proxy_arp"?) tells dom0 to
 reply to that ARP-request with dom0's MAC-address on behalf of domU.

 A better way to do proxyarp is static arp entries:
 <http://www.tldp.org/HOWTO/Proxy-ARP-Subnet/index.html>


So the xen-script 169.254.0.0/16 ips plus proxyarp on vif* is probably
for automagical inter-domU-communication.


/nils.




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
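
The proxy-ARP alternative from the quoted reply, combined with what the Xen routing script is described as doing (proxy ARP on the vif), as an added example that is not code from the thread or from Xen's scripts. It prints, rather than runs, the dom0 commands for one vif, and first checks that the address lies inside a prefix dom0 is willing to answer ARP for; the function names and that allowed-prefix check are assumptions of this example.

```shell
#!/bin/sh
# Added example: prints (does not run) the dom0 commands for one routed vif.

# Print the 32-bit value of a dotted quad; fail on anything malformed.
ip_to_int() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix IP NET/LEN: succeed only if IP lies inside the prefix.
in_prefix() {
    ip_i=$(ip_to_int "$1") || return 1
    net_i=$(ip_to_int "${2%/*}") || return 1
    len=${2#*/}
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip_i & mask )) -eq $(( net_i & mask )) ]
}

# proxy_arp_plan DOMU_IP VIF UPLINK ALLOWED_PREFIX (hypothetical helper)
proxy_arp_plan() {
    in_prefix "$1" "$4" || { echo "refusing $1: not inside $4" >&2; return 1; }
    for ifname in "$2" "$3"; do
        case $ifname in
            ''|[!A-Za-z]*|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
        esac
    done
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "ip route add $1/32 dev $2"
    # /proc paths are used because a name like vif1.0 contains a dot, which
    # the dotted sysctl key syntax would treat as a separator.
    echo "echo 1 > /proc/sys/net/ipv4/conf/$3/proxy_arp"   # answer gw's ARP for domU
    echo "echo 1 > /proc/sys/net/ipv4/conf/$2/proxy_arp"   # answer domU's ARP for gw
}

# Constructed sample values: the addresses and interface names used in the thread.
proxy_arp_plan 192.168.1.3 vif1.0 eth0 192.168.1.0/24
```

Because dom0 installs the /32 host route itself, the domU only receives traffic for the address dom0 chose, whatever address the guest configures on its own side.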