This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?

For testing, I use a random subnet of feff::, they are only *site*-local
(link-local = only on the same physical network like ethernet, etc. not
routed at all; site-local = only local to your
company/network/LAN/whatever, but those packets can be routed but will
not be forwarded to the Internet) and perfect for testing. Link-local is
not good for testing, because site-local addresses are dependent on the
network device; if you want to ping another host link-local, you have to
add the device like:

ping6 fe80::xxxx:xxff:fexx:xxxx%dev  (the x is the mac address, dev the
device in ip link / ifconfig)

This is not really handy and those networks don't behave like real IPv6.
Site-local is like IPv6 on the Internet; only reserved for local /
testing use.

NAT has its problems, but with IPv6 nobody is forced to use NAT - but I
think denying it completely will destroy some little areas where NAT can
be really cool...

On 07.12.2010 13:53, Simon Hobson wrote:
> Jonathan Tripathy wrote:
>> As for the NAT issue, indeed a really do love NAT. I find it a huge
>> culture shock and unsettling that in an IPv6 world, all internal
>> machines will have public routable IP addresses. Does this mean that
>> the traditional "Edge Firewalls/NAT routers" would become filtering
>> bridges? As surely the world couldn't depend solely on host-based
>> firewalls... (could we?!)
> Err, traditionally all hosts once had public routable addresses. NAT
> is a new fangled abomination that really does cause lots of problems
> for lots of traffic - I'm involved with VoIP at work, anyone who's
> dealt with that and NAT will know what I mean.
> In practice I think your edge (NAT) router/firewall will become an
> edge router/firewall with your own IPv6 subnet on the inside of it.
>> I guess if each "internal" network in the world had its own IPv6
>> subnet, then we could just use a standard firewall-router (in no-NAT
>> mode). However it just seems like extra trouble to go and obtain an
>> IPv6 block from the responsible body. For example, I spin up many
>> test internal networks on a daily basis just to play around with them
>> - I don't really want to "register" these networks.
> You can use link-local addresses for such testing, and I believe there
> is also a "private" range set aside for use within an organisation -
> ie it's routable, but only between sites internal to an organisation.
> As for public addresses, AIUI, unless you are really big then you will
> never get your own subnet allocation - this being one of the problems
> with IPv4.
> If any of the below is wrong, then I'd be more than happy to be
> corrected !
> Apart from address exhaustion, one of the problems with IPv4 is the
> size of the global routing table which needs to track the location (in
> network terms) of every allocated and active block. So if you go to
> <your local registry> and get an address block allocated to yourself,
> then you or your ISP will need to advertise that block via BGP4 and
> the route will propagate around the world. I don't think it takes too
> much imagination to realise the number of such allocations.
> If you just use a sub-allocation from your ISPs larger block then that
> isn't an issue - the ISP will only advertise a larger amalgamated
> route for the entire block. BUT you then are tied to that ISP.
> AIUI, in IPv6 you have to be really, really big to get a direct
> allocation. Everyone else gets a delegated chunk from their upstream
> provider and in principle, all traffic routes upwards to a small set
> of supernodes. Thus the global routing table stays small. I guess ISPs
> will get together at exchanges and privately exchange routes, but this
> won't add to the global route table.
> At each level, bodies will get a chunk delegated from above, and if
> you take a connection from two ISPs for redundancy/aggregation then
> you will get two different delegated blocks. You cannot go and get
> your own block and have it routed via the two ISPs.
> In practical terms, all hosts will expect to be multihomed, and all
> this (including changes of address when you change ISP) will be hidden
> in the DNS.
> From what little I know of DNS with IPv6 this isn't as bad as it might
> seem. AIUI, AAAA records are hierarchical unlike IPv4 A records which
> simply specify "an address". An AAAA record specifies addresses
> relative to a prefix - so in theory you could change everything by
> just changing the single record that specifies the prefix.
> I think DNS will become FAR more important with IPv6 - for the simple
> reason that few people are going to be able to remember real IPv6
> addresses ! I think this is a good thing, one of the things that irks
> me are sites I have to work at where the DNS is broken and no-one
> cares (or probably even realises) since it's so easy to just use
> 192.168.1.xxx.
> In the case of someone changing ISP - their prefix will change, and so
> they'll have to update that element in their DNS. But once they've
> done that, they will still be able to access stuff by the same DNS
> name (eg main-server.ho.somecompanyname.com). As long as us Techies
> have got it all right, the end users should neither see any difference
> nor have any need to care.
> That's what I know of the theory, now all I need to learn is how to
> put it into practice.
> Oh yes, and one upside I can see is that HTTPS will be easier to use.
> At present, you either need an (expensive) multi-host certificate or a
> separate address for each host. Given the shortage of addresses, few
> providers will give you your own address on a shared server without an
> extra charge - but that shouldn't be an issue when we all have so many
> addresses.

Xen-users mailing list
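The thread above turns on which IPv6 address ranges are safe to use for throwaway lab networks: link-local (fe80::/10, which needs a %zone suffix and is never routed), the old site-local range (fec0::/10, which the feff:: prefix mentioned above falls into, and which RFC 3879 deprecated), unique local addresses (fc00::/7, RFC 4193, the current replacement for site-local), and global addresses. The script below is an added example written for this archive page, not code from either poster or from the Xen project; it classifies an address into one of those scopes using only the Python standard library and, because RFC 4193 asks that the 40-bit Global ID of a ULA prefix be generated pseudo-randomly, it also builds a random fd00::/8 lab prefix the way a practitioner would instead of picking a site-local subnet by hand. The sample addresses inside the block are constructed for illustration.

```python
import ipaddress
import os
from typing import Optional

# IPv6 scopes that matter when choosing lab/test addressing.
# The ranges come from the RFCs named in the comments, not from the mailing-list post.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # RFC 4291: one link only, needs a %zone to reach
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")   # RFC 3513 site-local, deprecated by RFC 3879
ULA = ipaddress.IPv6Network("fc00::/7")           # RFC 4193 unique local: routable inside a site only
ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")     # the locally assigned half of ULA that is defined for use


def classify(addr: str) -> str:
    """Return the scope of an IPv6 address.

    Result is one of 'link-local', 'site-local (deprecated)', 'unique-local',
    'global' or 'other'.  A trailing %zone (e.g. fe80::1%eth0, as in the
    ping6 example in the thread) is stripped before parsing so that older
    Python versions, which do not understand scope IDs, still accept it.
    """
    bare = addr.split("%", 1)[0]
    a = ipaddress.IPv6Address(bare)
    if a in LINK_LOCAL:
        return "link-local"
    if a in SITE_LOCAL:
        return "site-local (deprecated)"
    if a in ULA:
        return "unique-local"
    if a.is_global:
        return "global"
    return "other"


def lab_suitable(addr: str) -> bool:
    """True only for unique-local addresses: routable between internal
    subnets (unlike link-local) and still a current standard (unlike the
    deprecated site-local range)."""
    return classify(addr) == "unique-local"


def random_ula_prefix(global_id: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """Build an RFC 4193 /48 prefix: 0xfd followed by a 40-bit random Global ID.

    global_id may be supplied for reproducibility (5 bytes); otherwise it is
    drawn from os.urandom, which is what the RFC's randomness requirement is about.
    """
    gid = global_id if global_id is not None else os.urandom(5)
    if len(gid) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    prefix_bytes = b"\xfd" + gid + bytes(10)   # fd + GlobalID + zero subnet and interface bits
    return ipaddress.IPv6Network((ipaddress.IPv6Address(prefix_bytes), 48))


if __name__ == "__main__":
    # Constructed sample addresses covering each scope discussed in the thread.
    samples = [
        "fe80::0211:22ff:fe33:4455%eth0",  # link-local, needs the %eth0 zone to ping
        "feff::1",                         # the poster's feff:: test subnet: inside fec0::/10
        "fd12:3456:789a::1",               # ULA, what RFC 4193 recommends for a lab
        "2001:4860:4860::8888",            # global
    ]
    for s in samples:
        print(f"{s:34} {classify(s):24} lab-suitable={lab_suitable(s)}")
    print("fresh lab prefix:", random_ula_prefix())
```

The classifier checks the deprecated site-local range before the ULA range because the two do not overlap but both sit under fc00::/6; keeping the checks in this order makes it obvious which rule matched. `random_ula_prefix()` returns a /48, which leaves 16 bits for per-lab subnets inside the prefix, the layout RFC 4193 describes.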