
RE: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?


  • To: "Felix Kuperjans" <felix@xxxxxxxxxxxxxxxxxx>, <Xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
  • Date: Tue, 7 Dec 2010 11:44:02 -0000
  • Cc:
  • Delivery-date: Tue, 07 Dec 2010 03:45:22 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: AcuVovpkoRzT3EcATeeqqJq/p4WoDgAX4fUT
  • Thread-topic: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?

Thanks for this :)
 
Looks like I need to do a lot of reading on how IPv6 works regarding NDP.
 
Not sure if static ARP is the way to go for me, as I have many customer DomUs on the same subnet, which are being added on a daily basis. Once a new DomU goes live, all other DomUs' static ARP tables would need updating which would be impossible.
 
AFAIK, ebtables (which I use currently for my IPv4 setup) cannot filter the content of NDP messages. Since I don't think I can use static ARP, I still need to use NDP - just need the actual content of the NDP packets filtered.
 
As for the NAT issue, indeed I really do love NAT. I find it a huge culture shock and unsettling that in an IPv6 world, all internal machines will have public routable IP addresses. Does this mean that the traditional "Edge Firewalls/NAT routers" would become filtering bridges? As surely the world couldn't depend solely on host-based firewalls... (could we?!)
 
I guess if each "internal" network in the world had its own IPv6 subnet, then we could just use a standard firewall-router (in no-NAT mode). However it just seems like extra trouble to go and obtain an IPv6 block from the responsible body. For example, I spin up many test internal networks on a daily basis just to play around with them - I don't really want to "register" these networks.
 
It would be nice if routers could natively route between IPv6 and IPv4, however I understand that this is just not possible. Application specific dual-stack proxy servers are required.
 
Cheers

From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Felix Kuperjans
Sent: Tue 07/12/2010 00:06
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?

Well arptables is officially deprecated anyway. I don't know whether its
successor, ebtables, supports filtering of the content of NDP messages,
but you can filter NDP messages themselves with iptables just as any
other icmpv6 message - for example, denying them at all. Or you add
static neighbor entries, which cannot be overwritten by neighbor
solicitations.
In addition, the neighbor proxy serves as a replacement for the arp
proxy in routed scenarios.
A good point to start is using static ARP + neighbor entries for all
domUs and the gateway at eth0. This will effectively prohibit most
working ARP / NDP attacks.

What I'm personally missing is NAT. I know it has been dropped for good
reasons, but NAT has some cool advantages like hiding a webserver domU
and a mailserver domU behind a single IP address - which will obfuscate
your virtual server structure.

We use our own private internal network within our server, which is dual
stack with IPv4 + IPv6, using a routed setup with static ARP + neighbor
entries; however, I do not yet route external IPv6 addresses to the
domUs (not for an explicit reason, rather because of too little time /
interest). I think XEN as a software is ready for IPv6, although the
default vif-scripts do not really do much about that. But bridges and
routing work fine with both of them, it's just a question of the setup.

On 07.12.2010 00:11, Simon Hobson wrote:
> Jonathan Tripathy wrote:
>
>> A problem with using IPv6 at the minute is that netfilter doesn't
>> have as-advanced filtering capabilities as it does with IPv4. This is
>> important when your DomUs are for customers on an unmanaged basis.
>>
>> The main issue is that IPv6 doesn't use ARP anymore, so all MAC
>> address detection is done in the IP layer and AFAIK, netfilter
>> doesn't have the proper filtering for IPv6 to prevent MAC spoofing.
>> What we really need is an IPv6 equivalent to arptables.
>
> Since you clearly know quite a bit more than I do about IPv6 - can you
> recommend a good guide/primer for getting going ? At the moment I know
> a little bit - but mostly what I know is that it's quite a bit
> different from IPv4 and it's not a case of "the same but more bits".
>
> It's really about time I started looking at this for work.
>

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
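As an added illustration of the setup Felix describes (static neighbor entries plus ip6tables filtering of NDP-related ICMPv6 messages) and of Jonathan's concern that the NDP payload itself cannot be filtered, the script below is example code written for this page, not code posted by either of them or shipped with Xen. It assumes a routed dom0 where every domU is reached through its own vif interface, so that `-i vifN.0` matches in the INPUT and FORWARD chains; the interface names, IPv6 addresses and MAC addresses are constructed sample values. It only prints the `ip` and `ip6tables` commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (and, with APPLY=1, runs)
# static neighbor entries and ip6tables rules for a routed dom0 in which
# each domU's vif is a separate interface. All interface names, addresses
# and MACs below are constructed sample values (assumptions).

# Constructed inventory, one "<ipv6-address> <mac> <vif>" triple per line.
DOMU_TABLE='2001:db8:1::10 00:16:3e:00:00:10 vif1.0
2001:db8:1::11 00:16:3e:00:00:11 vif2.0'

# Upstream gateway reached via eth0 (constructed values).
GATEWAY_ADDR='2001:db8:1::1'
GATEWAY_MAC='00:00:5e:00:01:01'
GATEWAY_IF='eth0'

# Static neighbor entries: a "nud permanent" entry is never replaced by a
# received neighbor advertisement, so one domU cannot take over another
# domU's (or the gateway's) address in dom0's neighbor cache.
neigh_commands() {
    printf '%s\n' "$DOMU_TABLE" | while read -r addr mac dev; do
        [ -n "$addr" ] || continue
        printf 'ip -6 neigh replace %s lladdr %s dev %s nud permanent\n' \
            "$addr" "$mac" "$dev"
    done
    printf 'ip -6 neigh replace %s lladdr %s dev %s nud permanent\n' \
        "$GATEWAY_ADDR" "$GATEWAY_MAC" "$GATEWAY_IF"
}

# ip6tables rules per vif. ICMPv6 types by number: 134 router advertisement,
# 136 neighbor advertisement, 137 redirect. The rules pin each vif to its
# expected MAC and IPv6 source and drop RAs/redirects that a customer domU
# has no reason to send. They match headers only; the NDP payload (e.g. the
# target address inside a neighbor advertisement) is not inspected, which
# is why the permanent neighbor entries above are still needed.
ip6tables_commands() {
    printf '%s\n' "$DOMU_TABLE" | while read -r addr mac dev; do
        [ -n "$addr" ] || continue
        # Anti-spoofing: only the known MAC and IPv6 source pass through this vif.
        printf 'ip6tables -A FORWARD -i %s -m mac ! --mac-source %s -j DROP\n' "$dev" "$mac"
        printf 'ip6tables -A FORWARD -i %s ! -s %s -j DROP\n' "$dev" "$addr"
        # Only the upstream router may advertise itself to dom0 or redirect it.
        printf 'ip6tables -A INPUT -i %s -p icmpv6 --icmpv6-type 134 -j DROP\n' "$dev"
        printf 'ip6tables -A INPUT -i %s -p icmpv6 --icmpv6-type 137 -j DROP\n' "$dev"
        # Neighbor advertisements arriving on this vif must carry its own MAC.
        printf 'ip6tables -A INPUT -i %s -p icmpv6 --icmpv6-type 136 -m mac ! --mac-source %s -j DROP\n' "$dev" "$mac"
    done
}

# Number of generated ip6tables rules, for a quick sanity check.
rule_count() {
    ip6tables_commands | grep -c '^ip6tables '
}

# Print the commands; execute them only when APPLY=1 is set (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    { neigh_commands; ip6tables_commands; } | sh -e
else
    neigh_commands
    ip6tables_commands
fi
```

Run it once without `APPLY` to review the generated rules, then with `APPLY=1` on the dom0. When a new domU goes live only the dom0 inventory has to change, which sidesteps the problem of updating every other domU's static tables; the domUs themselves keep using NDP, and dom0's permanent entries plus the per-vif MAC/source pinning are what stop a spoofed advertisement from another vif from being believed.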

