RE: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
- To: "Felix Kuperjans" <felix@xxxxxxxxxxxxxxxxxx>, <Xen-users@xxxxxxxxxxxxxxxxxxx>
- From: "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx>
- Date: Tue, 7 Dec 2010 11:44:02 -0000
- Cc:
- Delivery-date: Tue, 07 Dec 2010 03:45:22 -0800
- List-id: Xen user discussion <xen-users.lists.xensource.com>
- Thread-index: AcuVovpkoRzT3EcATeeqqJq/p4WoDgAX4fUT
- Thread-topic: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
Thanks for this :)

Looks like I need to do a lot of reading on how IPv6 works regarding NDP.

Not sure if static ARP is the way to go for me, as I have many customer DomUs on the same subnet, which are being added on a daily basis. Once a new DomU goes live, all other DomUs' static ARP tables would need updating, which would be impossible.

AFAIK, ebtables (which I use currently for my IPv4 setup) cannot filter the content of NDP messages. Since I don't think I can use static ARP, I still need to use NDP - just need the actual content of the NDP packets filtered.

As for the NAT issue, indeed I really do love NAT. I find it a huge culture shock and unsettling that in an IPv6 world, all internal machines will have publicly routable IP addresses. Does this mean that the traditional "Edge Firewalls/NAT routers" would become filtering bridges? As surely the world couldn't depend solely on host-based firewalls... (could we?!)

I guess if each "internal" network in the world had its own IPv6 subnet, then we could just use a standard firewall-router (in no-NAT mode). However, it just seems like extra trouble to go and obtain an IPv6 block from the responsible body. For example, I spin up many test internal networks on a daily basis just to play around with them - I don't really want to "register" these networks.

It would be nice if routers could natively route between IPv6 and IPv4; however, I understand that this is just not possible. Application-specific dual-stack proxy servers are required.

Cheers
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Felix Kuperjans
Sent: Tue 07/12/2010 00:06
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
Well, arptables is officially deprecated anyway. I don't know whether its successor, ebtables, supports filtering of the content of NDP messages, but you can filter NDP messages themselves with iptables just as any other ICMPv6 message - for example, denying them altogether. Or you add static neighbor entries, which cannot be overwritten by neighbor solicitations. In addition, the neighbor proxy serves as a replacement for the ARP proxy in routed scenarios. A good point to start is using static ARP + neighbor entries for all domUs and the gateway at eth0. This will effectively prohibit most working ARP / NDP attacks.

What I'm personally missing is NAT. I know it has been dropped for good reasons, but NAT has some cool advantages like hiding a webserver domU and a mailserver domU behind a single IP address - which will obfuscate your virtual server structure.

We use our own private internal network within our server, which is dual stack with IPv4 + IPv6, using a routed setup with static ARP + neighbor entries; however, I do not yet route external IPv6 addresses to the domUs (not for an explicit reason, rather because of too little time / interest). I think XEN as a software is ready for IPv6, although the default vif-scripts do not really do much about that. But bridges and routing work fine with both of them, it's just a question of the setup.
On 07.12.2010 00:11, Simon Hobson wrote:
> Jonathan Tripathy wrote:
>
>> A problem with using IPv6 at the minute is that netfilter doesn't have as-advanced filtering capabilities as it does with IPv4. This is important when your DomUs are for customers on an unmanaged basis.
>>
>> The main issue is that IPv6 doesn't use ARP anymore, so all MAC address detection is done in the IP layer and AFAIK, netfilter doesn't have the proper filtering for IPv6 to prevent MAC spoofing. What we really need is an IPv6 equivalent to arptables.
>
> Since you clearly know quite a bit more than I do about IPv6 - can you recommend a good guide/primer for getting going? At the moment I know a little bit - but mostly what I know is that it's quite a bit different from IPv4 and it's not a case of "the same but more bits".
>
> It's really about time I started looking at this for work.
>
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
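The thread's open question is how to filter the *content* of NDP messages (a Neighbor Advertisement binding a domU's IPv6 address to a MAC) rather than dropping all ICMPv6 type 135/136 traffic or maintaining static neighbor entries on every guest. The script below is an added example, not code from this thread, from Xen or from any vif-script: it parses a raw IPv6 packet, verifies the ICMPv6 checksum and the hop limit of 255 that RFC 4861 requires, extracts the target address and Target Link-Layer Address option from a Neighbor Advertisement, and compares the claimed MAC against an allowlist of address-to-vif-MAC bindings. The allowlist, the `2001:db8::` addresses and the `00:16:3e:` MACs are constructed test data; how packets would be handed to such a check in dom0 (for example a userspace queue behind the bridge) is outside the example, and IPv6 extension headers are deliberately not handled.

```python
import ipaddress
import struct

# Constructed allowlist (assumption): the IPv6 address each domU may announce, mapped to its vif MAC.
KNOWN_NEIGHBOURS = {
    "2001:db8::10": "00:16:3e:00:00:10",
    "2001:db8::11": "00:16:3e:00:00:11",
}

NEXT_HEADER_ICMPV6 = 58
ICMPV6_NA = 136          # Neighbor Advertisement
OPT_SOURCE_LLADDR = 1    # NDP option: Source Link-Layer Address
OPT_TARGET_LLADDR = 2    # NDP option: Target Link-Layer Address


def _mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def _mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def _checksum(data):
    """RFC 1071 one's-complement checksum over pseudo-header + ICMPv6 message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src, dst, length):
    return src + dst + struct.pack("!I", length) + b"\x00\x00\x00" + bytes([NEXT_HEADER_ICMPV6])


def build_na(src_ip, dst_ip, target_ip, lladdr, override=True):
    """Build an IPv6 packet carrying a Neighbor Advertisement (constructed test input only)."""
    src = ipaddress.IPv6Address(src_ip).packed
    dst = ipaddress.IPv6Address(dst_ip).packed
    flags = 0x20000000 if override else 0  # O flag set; R (0x80000000) and S (0x40000000) clear
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags)
    body += ipaddress.IPv6Address(target_ip).packed
    body += bytes([OPT_TARGET_LLADDR, 1]) + _mac_bytes(lladdr)  # option length is in 8-byte units
    csum = _checksum(_pseudo_header(src, dst, len(body)) + body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    header = struct.pack("!IHBB", 0x60000000, len(body), NEXT_HEADER_ICMPV6, 255)
    return header + src + dst + body


def parse_ndp(packet):
    """Parse an IPv6/ICMPv6 NDP message; raises ValueError on anything malformed."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    src, dst = packet[8:24], packet[24:40]
    if next_header != NEXT_HEADER_ICMPV6:
        raise ValueError("not ICMPv6 (extension headers are not handled here)")
    body = packet[40:40 + payload_len]
    if len(body) != payload_len or len(body) < 24:
        raise ValueError("truncated ICMPv6 message")
    mtype, code, csum, flags = struct.unpack("!BBHI", body[:8])
    zeroed = body[:2] + b"\x00\x00" + body[4:]
    if _checksum(_pseudo_header(src, dst, len(body)) + zeroed) != csum:
        raise ValueError("bad ICMPv6 checksum")
    options = {}
    off = 24
    while off + 2 <= len(body):
        otype, olen = body[off], body[off + 1]
        if olen == 0 or off + olen * 8 > len(body):
            raise ValueError("malformed NDP option")  # RFC 4861: zero-length options are discarded
        if otype in (OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR):
            options[otype] = _mac_str(body[off + 2:off + 8])
        off += olen * 8
    return {"src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
            "hop_limit": hop_limit, "type": mtype, "code": code, "flags": flags,
            "target": ipaddress.IPv6Address(body[8:24]), "options": options}


def check_na(packet, allowlist=KNOWN_NEIGHBOURS):
    """Return ("pass" | "drop", reason) for a packet judged against the allowlist."""
    try:
        msg = parse_ndp(packet)
    except ValueError as exc:
        return "drop", str(exc)
    if msg["type"] != ICMPV6_NA:
        return "pass", "not a neighbour advertisement"
    if msg["hop_limit"] != 255:
        return "drop", "NDP requires hop limit 255 (message crossed a router or is forged)"
    target = str(msg["target"])
    if target not in allowlist:
        return "drop", "advertisement for unknown address %s" % target
    claimed = msg["options"].get(OPT_TARGET_LLADDR)
    if claimed is None:
        return "pass", "no target link-layer option; neighbour cache entry would be unchanged"
    if claimed != allowlist[target].lower():
        return "drop", "%s claims MAC %s, expected %s" % (target, claimed, allowlist[target])
    return "pass", "advertisement matches allowlist"


if __name__ == "__main__":
    genuine = build_na("2001:db8::10", "ff02::1", "2001:db8::10", "00:16:3e:00:00:10")
    spoofed = build_na("2001:db8::11", "ff02::1", "2001:db8::10", "00:16:3e:00:00:11")
    for name, pkt in (("genuine", genuine), ("spoofed", spoofed)):
        print(name, check_na(pkt))
```

The allowlist is the same address-to-MAC binding a static neighbor entry would pin, but kept in one place in dom0 instead of on every guest, which is what makes it workable when domUs are added daily. Anything that fails to parse is dropped rather than passed, so a malformed advertisement cannot slip through by confusing the option walker.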