This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


RE: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?

Jonathan Tripathy wrote:

As for the NAT issue, indeed a really do love NAT. I find it a huge culture shock and unsettling that in an IPv6 world, all internal machines will have public routable IP addresses. Does this mean that the traditional "Edge Firewalls/NAT routers" would become filtering bridges? As surly the world couldn't depend solely on host-bases firewalls... (could we?!)

Err, traditionally all hosts once had public routable addresses. NAT is a new fangled abomination that really does cause lots of problems for lots of traffic - I'm involved with VoIP at work, anyone who'se dealt with that and NAT will know what I mean.

In practice I think your edge (NAT) router/firewall will become an edge router/firewall with your own IPv6 subnet on the inside of it.

I guess if each "internal" network in the world had it's own IPv6 subnet, then we could just use a standard firewall-router (in no-NAT mode). However it just seems like extra trouble to go and obtain an IPv6 block from the responsible body. For example, I spin up many test internal networks on a daily basis just to play around with them - I don't really want to "register" these networks.

You can use link-local addresses for such testing, and I believe there is also a "private" range set aside for use within an organisation - ie it's routable, but only between sites internal to an organisation.

As for public addresses, AIUI, unless you are really big then you will never get your own subnet allocation - this being one of the problems with IPv4.

If any of the below is wrong, then I'd be more than happy to be corrected !

Apart from address exhaustion, one of the problems with IPv4 is the size of the global routing table which needs to track the location (in network terms) of every allocated and active block. So if you go to <your local registry> and get an address block allocated to yourself, then you or your ISP will need to advertise that block via BGP4 and the route will propagate around the world. I don't think it takes too much imagination to realise the number of such allocations.

If you just use a sub-allocation from your ISPs larger block then that isn't an issue - the ISP will only advertise a larger amalgamated route for the entire block. BUT you then are tied to that ISP.

AIUI, in IPv6 you have to be really, really big to get a direct allocation. Everyone else gets a delegated chunk from their upstream provider and in principal, all traffic routes upwards to a small set of supernodes. Thus the global routing table stays small. I guess ISPs will get together at exchanges and privately exchange routes, but this won't add to the global route table.

At each level, bodies will get a chunk delegated from above, and if you take a connection from two ISPs for redundancy/aggregation then you will get two different delegated blocks. You cannot go and get your own block and have it routed via the two ISPs.

In practical terms, all hosts will expect to be multihomed, and all this (including changes of address when you change ISP) will be hidden in the DNS.

From what little I know of DNS with IPv6 this isn't as bad as it might seem. AUIU, AAAA records are heirarchical unlike IPv4 A records which simply specify "an address". An AAAA record specifies addresses relative to a prefix - so in theory you could change everything by just changing the single record that specifies the prefix.

I think DNS will become FAR more important with IPv6 - for the simple reason that few people are going to be able to remember real IPv6 addresses ! I think this is a good thing, one of the things that irks me are sites I have to work at where the DNS is broken and no-one cares (or probably even realises) since it's so easy to just use 192.168.1.xxx.

In the case of someone changing ISP - their prefix will change, and so they'll have to update that element in their DNS. But once they've done that, they will still be able to access stuff by the same DNS name (eg main-server.ho.somecompanyname.com). As long as us Techies have got it all right, the end users should neither see any difference nor have any need to care.

That's what I know of the theory, now all I need to learn is how to put it into practice.

Oh yes, and one upside I can see is that HTTPS will be easier to use. At present, you either need an (expensive) multi-host certificate or a separate address for each host. Given the shortage of addresses, few providers will give you your own address on a shared server without an extra charge - but that shouldn't be an issue when we all have so many addresses.

Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

Xen-users mailing list