Rudi Ahlers
2010-Dec-05 11:50 UTC
[Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
Seeing as IPv4 is near its end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), I'm curious to know whether everyone is ready for the changeover to IPv6? Is anyone using it in production already, and what are your experiences with it?

--
Kind Regards
Rudi Ahlers
SoftDux

Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
chris
2010-Dec-05 16:00 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
I've been hearing this for about 10 years and during those 10 years have never had a single issue getting IPv4 addresses. While I agree that it will run out at some point and that IPv6 probably has advantages over IPv4, I think there is just the appearance of a shortage due to the allocation of large blocks of IPs very early on which are very under-utilized. I don't think it's really anything to worry about, especially with ipv6inipv4 working just fine.

You see this story posted on various "tech" sites every year for a long time.

On Sun, Dec 5, 2010 at 6:50 AM, Rudi Ahlers <Rudi@softdux.com> wrote:
> Seeing as IPv4 is near its end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), I'm curious to know whether everyone is ready for the changeover to IPv6?
>
> Is anyone using it in production already, and what are your experiences with it?
>
> --
> Kind Regards
> Rudi Ahlers
> SoftDux
Nathan Eisenberg
2010-Dec-05 23:09 UTC
RE: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
> I've been hearing this for about 10 years and during those 10 years have never had a single issue getting IPv4 addresses. While I agree that it will run out at some point and that IPv6 probably has advantages over IPv4, I think there is just the appearance of a shortage due to the allocation of large blocks of IPs very early on which are very under-utilized. I don't think it's really anything to worry about, especially with ipv6inipv4 working just fine.
>
> You see this story posted on various "tech" sites every year for a long time.

This is a fallacy. The fact that the depletion rate has been common knowledge for quite some time doesn't mean, as you would have us believe, that there is no issue.

IANA depletion day is in 2 months and 5 days. The first RIR depletion is 335 days out. Provider depletions will happen very quickly afterwards. You seem to be under the impression that people have been crying wolf. You're wrong. The wolf is at a known distance, and travels at a known (and increasing) rate of speed. Just because you can't see the wolf doesn't mean everyone has been wrong this whole time.

And no, there aren't 'large blocks of IPs which are very underutilized'. There are /8's that can't be broken up for practical reasons, but we're burning through those in 30-40 days now, so it doesn't matter if they were returned to the pool.

This is a very real problem. Please stop spreading FUD.

Nathan
chris
2010-Dec-05 23:13 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
My point wasn't that it's not a problem, simply that it wasn't as serious of a problem 10 years ago as it is becoming now. HE has a neat tool that tracks it: http://ipv6.he.net/statistics/

On Sun, Dec 5, 2010 at 6:09 PM, Nathan Eisenberg <nathan@atlasnetworks.us> wrote:
>> I've been hearing this for about 10 years and during those 10 years have never had a single issue getting IPv4 addresses. While I agree that it will run out at some point and that IPv6 probably has advantages over IPv4, I think there is just the appearance of a shortage due to the allocation of large blocks of IPs very early on which are very under-utilized. I don't think it's really anything to worry about, especially with ipv6inipv4 working just fine.
>>
>> You see this story posted on various "tech" sites every year for a long time.
>
> This is a fallacy. The fact that the depletion rate has been common knowledge for quite some time doesn't mean, as you would have us believe, that there is no issue.
>
> IANA depletion day is in 2 months and 5 days. The first RIR depletion is 335 days out. Provider depletions will happen very quickly afterwards. You seem to be under the impression that people have been crying wolf. You're wrong. The wolf is at a known distance, and travels at a known (and increasing) rate of speed. Just because you can't see the wolf doesn't mean everyone has been wrong this whole time.
>
> And no, there aren't 'large blocks of IPs which are very underutilized'. There are /8's that can't be broken up for practical reasons, but we're burning through those in 30-40 days now, so it doesn't matter if they were returned to the pool.
>
> This is a very real problem. Please stop spreading FUD.
>
> Nathan
James Harper
2010-Dec-05 23:16 UTC
RE: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
> > I've been hearing this for about 10 years and during those 10 years have never had a single issue getting IPv4 addresses. While I agree that it will run out at some point and that IPv6 probably has advantages over IPv4, I think there is just the appearance of a shortage due to the allocation of large blocks of IPs very early on which are very under-utilized. I don't think it's really anything to worry about, especially with ipv6inipv4 working just fine.
> >
> > You see this story posted on various "tech" sites every year for a long time.
>
> This is a fallacy. The fact that the depletion rate has been common knowledge for quite some time doesn't mean, as you would have us believe, that there is no issue.
>
> IANA depletion day is in 2 months and 5 days. The first RIR depletion is 335 days out. Provider depletions will happen very quickly afterwards. You seem to be under the impression that people have been crying wolf. You're wrong. The wolf is at a known distance, and travels at a known (and increasing) rate of speed. Just because you can't see the wolf doesn't mean everyone has been wrong this whole time.
>
> And no, there aren't 'large blocks of IPs which are very underutilized'. There are /8's that can't be broken up for practical reasons, but we're burning through those in 30-40 days now, so it doesn't matter if they were returned to the pool.
>
> This is a very real problem. Please stop spreading FUD.

To bring this somewhat on topic, are there any known issues with Xen under IPv6? Do all the scripts and other management stuff support it correctly, or is there still work to be done?

The Xen hypervisor itself doesn't have a network stack obviously, but some of the setup and management tools use it.

James
Melody Bliss
2010-Dec-06 05:13 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
I don't know about other flavors of Xen, but the one that comes natively with CentOS 5.4 does not have IPv6 functionality because vif-route doesn't support it.

That said, I've successfully been able to use BenV's vif-route patch to enable IPv6: http://notes.benv.junerules.com/all/software/xen-and-routed-ipv6/

Since I distribute IPv6 via DHCP, I've been able to successfully get IPv6 running in my DomUs (CentOS also) by just using that patch. I did not need to specify the IPv6 address.

Mel

On Sun, Dec 5, 2010 at 3:16 PM, James Harper <james.harper@bendigoit.com.au> wrote:
>> > I've been hearing this for about 10 years and during those 10 years have never had a single issue getting IPv4 addresses. While I agree that it will run out at some point and that IPv6 probably has advantages over IPv4, I think there is just the appearance of a shortage due to the allocation of large blocks of IPs very early on which are very under-utilized. I don't think it's really anything to worry about, especially with ipv6inipv4 working just fine.
>> >
>> > You see this story posted on various "tech" sites every year for a long time.
>>
>> This is a fallacy. The fact that the depletion rate has been common knowledge for quite some time doesn't mean, as you would have us believe, that there is no issue.
>>
>> IANA depletion day is in 2 months and 5 days. The first RIR depletion is 335 days out. Provider depletions will happen very quickly afterwards. You seem to be under the impression that people have been crying wolf. You're wrong. The wolf is at a known distance, and travels at a known (and increasing) rate of speed. Just because you can't see the wolf doesn't mean everyone has been wrong this whole time.
>>
>> And no, there aren't 'large blocks of IPs which are very underutilized'. There are /8's that can't be broken up for practical reasons, but we're burning through those in 30-40 days now, so it doesn't matter if they were returned to the pool.
>>
>> This is a very real problem. Please stop spreading FUD.
>
> To bring this somewhat on topic, are there any known issues with Xen under IPv6? Do all the scripts and other management stuff support it correctly, or is there still work to be done?
>
> The Xen hypervisor itself doesn't have a network stack obviously, but some of the setup and management tools use it.
>
> James

--
Melody Bliss
Usenix, SAGE and LOPSA Charter Member
Patron Member of the NRA
Simon Hobson
2010-Dec-06 07:42 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
Melody Bliss wrote:
> I don't know about other flavors of Xen, but the one that comes natively with CentOS 5.4 does not have IPv6 functionality because vif-route doesn't support it.
>
> That said, I've successfully been able to use BenV's vif-route patch to enable IPv6
>
> http://notes.benv.junerules.com/all/software/xen-and-routed-ipv6/

Presumably running in bridge mode it'll "just work", since that is supposed to be transparent to the content of packets beyond source and destination MACs?

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Maarten Vanraes
2010-Dec-06 10:15 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
On Monday 06 December 2010 08:42:05, Simon Hobson wrote:
> Melody Bliss wrote:
> > I don't know about other flavors of Xen, but the one that comes natively with CentOS 5.4 does not have IPv6 functionality because vif-route doesn't support it.
> >
> > That said, I've successfully been able to use BenV's vif-route patch to enable IPv6
> >
> > http://notes.benv.junerules.com/all/software/xen-and-routed-ipv6/
>
> Presumably running in bridge mode it'll "just work", since that is supposed to be transparent to the content of packets beyond source and destination MACs?

Has anyone tested this?
Thomas Ronner
2010-Dec-06 10:17 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
On 12/6/10 11:15 AM, Maarten Vanraes wrote:
>> Presumably running in bridge mode it'll "just work", since that is supposed to be transparent to the content of packets beyond source and destination MACs?
> Has anyone tested this?

I'm using IPv6 over bridged interfaces using Debian lenny (xen 3.2.1). It works flawlessly.

Thomas
Jonathan Tripathy
2010-Dec-06 16:41 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
On 05/12/10 11:50, Rudi Ahlers wrote:
> Seeing as IPv4 is near its end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), I'm curious to know whether everyone is ready for the changeover to IPv6?
>
> Is anyone using it in production already, and what are your experiences with it?

A problem with using IPv6 at the minute is that netfilter doesn't have as-advanced filtering capabilities as it does with IPv4. This is important when your DomUs are for customers on an unmanaged basis.

The main issue is that IPv6 doesn't use ARP anymore, so all MAC address detection is done in the IP layer and AFAIK, netfilter doesn't have the proper filtering for IPv6 to prevent MAC spoofing. What we really need is an IPv6 equivalent to arptables.

Cheers
Simon Hobson
2010-Dec-06 23:11 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
Jonathan Tripathy wrote:
> A problem with using IPv6 at the minute is that netfilter doesn't have as-advanced filtering capabilities as it does with IPv4. This is important when your DomUs are for customers on an unmanaged basis.
>
> The main issue is that IPv6 doesn't use ARP anymore, so all MAC address detection is done in the IP layer and AFAIK, netfilter doesn't have the proper filtering for IPv6 to prevent MAC spoofing. What we really need is an IPv6 equivalent to arptables.

Since you clearly know quite a bit more than I do about IPv6 - can you recommend a good guide/primer for getting going? At the moment I know a little bit - but mostly what I know is that it's quite a bit different from IPv4 and it's not a case of "the same but more bits".

It's really about time I started looking at this for work.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Felix Kuperjans
2010-Dec-07 00:06 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
Well, arptables is officially deprecated anyway. I don't know whether its successor, ebtables, supports filtering of the content of NDP messages, but you can filter NDP messages themselves with iptables just as any other ICMPv6 message - for example, denying them altogether. Or you add static neighbor entries, which cannot be overwritten by neighbor solicitations.
In addition, the neighbor proxy serves as a replacement for the ARP proxy in routed scenarios.
A good point to start is using static ARP + neighbor entries for all domUs and the gateway at eth0. This will effectively prohibit most working ARP / NDP attacks.

What I'm personally missing is NAT. I know it has been dropped for good reasons, but NAT has some cool advantages like hiding a webserver domU and a mailserver domU behind a single IP address - which will obfuscate your virtual server structure.

We use our own private internal network within our server, which is dual stack with IPv4 + IPv6, using a routed setup with static ARP + neighbor entries, but I do not yet route external IPv6 addresses to the domUs (not for an explicit reason, rather because of too little time / interest). I think XEN as a software is ready for IPv6, although the default vif-scripts do not really do much about that. But bridges and routing work fine with both of them, it's just a question of the setup.

On 07.12.2010 00:11, Simon Hobson wrote:
> Jonathan Tripathy wrote:
>
>> A problem with using IPv6 at the minute is that netfilter doesn't have as-advanced filtering capabilities as it does with IPv4. This is important when your DomUs are for customers on an unmanaged basis.
>>
>> The main issue is that IPv6 doesn't use ARP anymore, so all MAC address detection is done in the IP layer and AFAIK, netfilter doesn't have the proper filtering for IPv6 to prevent MAC spoofing. What we really need is an IPv6 equivalent to arptables.
>
> Since you clearly know quite a bit more than I do about IPv6 - can you recommend a good guide/primer for getting going? At the moment I know a little bit - but mostly what I know is that it's quite a bit different from IPv4 and it's not a case of "the same but more bits".
>
> It's really about time I started looking at this for work.
Jonathan Tripathy
2010-Dec-07 11:44 UTC
RE: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
Thanks for this :)

Looks like I need to do a lot of reading on how IPv6 works regarding NDP.

Not sure if static ARP is the way to go for me, as I have many customer DomUs on the same subnet, which are being added on a daily basis. Once a new DomU goes live, all other DomUs' static ARP tables would need updating, which would be impossible.

AFAIK, ebtables (which I use currently for my IPv4 setup) cannot filter the content of NDP messages. Since I don't think I can use static ARP, I still need to use NDP - I just need the actual content of the NDP packets filtered.

As for the NAT issue, indeed I really do love NAT. I find it a huge culture shock and unsettling that in an IPv6 world, all internal machines will have publicly routable IP addresses. Does this mean that the traditional "Edge Firewalls/NAT routers" would become filtering bridges? As surely the world couldn't depend solely on host-based firewalls... (could we?!)

I guess if each "internal" network in the world had its own IPv6 subnet, then we could just use a standard firewall-router (in no-NAT mode). However it just seems like extra trouble to go and obtain an IPv6 block from the responsible body. For example, I spin up many test internal networks on a daily basis just to play around with them - I don't really want to "register" these networks.

It would be nice if routers could natively route between IPv6 and IPv4, however I understand that this is just not possible. Application-specific dual-stack proxy servers are required.

Cheers

________________________________
From: xen-users-bounces@lists.xensource.com on behalf of Felix Kuperjans
Sent: Tue 07/12/2010 00:06
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?

> Well, arptables is officially deprecated anyway. I don't know whether its successor, ebtables, supports filtering of the content of NDP messages, but you can filter NDP messages themselves with iptables just as any other ICMPv6 message - for example, denying them altogether. Or you add static neighbor entries, which cannot be overwritten by neighbor solicitations.
> In addition, the neighbor proxy serves as a replacement for the ARP proxy in routed scenarios.
> A good point to start is using static ARP + neighbor entries for all domUs and the gateway at eth0. This will effectively prohibit most working ARP / NDP attacks.
>
> What I'm personally missing is NAT. I know it has been dropped for good reasons, but NAT has some cool advantages like hiding a webserver domU and a mailserver domU behind a single IP address - which will obfuscate your virtual server structure.
>
> We use our own private internal network within our server, which is dual stack with IPv4 + IPv6, using a routed setup with static ARP + neighbor entries, but I do not yet route external IPv6 addresses to the domUs (not for an explicit reason, rather because of too little time / interest). I think XEN as a software is ready for IPv6, although the default vif-scripts do not really do much about that. But bridges and routing work fine with both of them, it's just a question of the setup.
>
> On 07.12.2010 00:11, Simon Hobson wrote:
> > Jonathan Tripathy wrote:
> >
> >> A problem with using IPv6 at the minute is that netfilter doesn't have as-advanced filtering capabilities as it does with IPv4. This is important when your DomUs are for customers on an unmanaged basis.
> >>
> >> The main issue is that IPv6 doesn't use ARP anymore, so all MAC address detection is done in the IP layer and AFAIK, netfilter doesn't have the proper filtering for IPv6 to prevent MAC spoofing. What we really need is an IPv6 equivalent to arptables.
> >
> > Since you clearly know quite a bit more than I do about IPv6 - can you recommend a good guide/primer for getting going? At the moment I know a little bit - but mostly what I know is that it's quite a bit different from IPv4 and it's not a case of "the same but more bits".
> >
> > It's really about time I started looking at this for work.
Simon Hobson
2010-Dec-07 12:53 UTC
RE: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
Jonathan Tripathy wrote:
> As for the NAT issue, indeed I really do love NAT. I find it a huge culture shock and unsettling that in an IPv6 world, all internal machines will have publicly routable IP addresses. Does this mean that the traditional "Edge Firewalls/NAT routers" would become filtering bridges? As surely the world couldn't depend solely on host-based firewalls... (could we?!)

Err, traditionally all hosts once had public routable addresses. NAT is a new-fangled abomination that really does cause lots of problems for lots of traffic - I'm involved with VoIP at work, anyone who's dealt with that and NAT will know what I mean.

In practice I think your edge (NAT) router/firewall will become an edge router/firewall with your own IPv6 subnet on the inside of it.

> I guess if each "internal" network in the world had its own IPv6 subnet, then we could just use a standard firewall-router (in no-NAT mode). However it just seems like extra trouble to go and obtain an IPv6 block from the responsible body. For example, I spin up many test internal networks on a daily basis just to play around with them - I don't really want to "register" these networks.

You can use link-local addresses for such testing, and I believe there is also a "private" range set aside for use within an organisation - ie it's routable, but only between sites internal to an organisation.

As for public addresses, AIUI, unless you are really big then you will never get your own subnet allocation - this being one of the problems with IPv4. If any of the below is wrong, then I'd be more than happy to be corrected!

Apart from address exhaustion, one of the problems with IPv4 is the size of the global routing table which needs to track the location (in network terms) of every allocated and active block. So if you go to <your local registry> and get an address block allocated to yourself, then you or your ISP will need to advertise that block via BGP4 and the route will propagate around the world. I don't think it takes too much imagination to realise the number of such allocations. If you just use a sub-allocation from your ISP's larger block then that isn't an issue - the ISP will only advertise a larger amalgamated route for the entire block. BUT you then are tied to that ISP.

AIUI, in IPv6 you have to be really, really big to get a direct allocation. Everyone else gets a delegated chunk from their upstream provider and in principle, all traffic routes upwards to a small set of supernodes. Thus the global routing table stays small. I guess ISPs will get together at exchanges and privately exchange routes, but this won't add to the global route table.

At each level, bodies will get a chunk delegated from above, and if you take a connection from two ISPs for redundancy/aggregation then you will get two different delegated blocks. You cannot go and get your own block and have it routed via the two ISPs. In practical terms, all hosts will expect to be multihomed, and all this (including changes of address when you change ISP) will be hidden in the DNS.

From what little I know of DNS with IPv6 this isn't as bad as it might seem. AIUI, AAAA records are hierarchical, unlike IPv4 A records which simply specify "an address". An AAAA record specifies addresses relative to a prefix - so in theory you could change everything by just changing the single record that specifies the prefix.

I think DNS will become FAR more important with IPv6 - for the simple reason that few people are going to be able to remember real IPv6 addresses! I think this is a good thing; one of the things that irks me are sites I have to work at where the DNS is broken and no-one cares (or probably even realises) since it's so easy to just use 192.168.1.xxx.

In the case of someone changing ISP - their prefix will change, and so they'll have to update that element in their DNS. But once they've done that, they will still be able to access stuff by the same DNS name (eg main-server.ho.somecompanyname.com). As long as us Techies have got it all right, the end users should neither see any difference nor have any need to care.

That's what I know of the theory, now all I need to learn is how to put it into practice.

Oh yes, and one upside I can see is that HTTPS will be easier to use. At present, you either need an (expensive) multi-host certificate or a separate address for each host. Given the shortage of addresses, few providers will give you your own address on a shared server without an extra charge - but that shouldn't be an issue when we all have so many addresses.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Felix Kuperjans
2010-Dec-07 18:26 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
See the answers within the quote: Am 07.12.2010 12:44, schrieb Jonathan Tripathy:> Thanks for this :) > > Looks like I need to do a lot of reading on how IPv6 works regarding NDP. > > Not sure if static ARP is the way to go for me, as I have many > customer DomUs on the same subnet, which are being added on a daily > basis. Once a new DomU goes live, all other DomUs'' static ARP tables > would need updating which would be impossible.It is sufficient if the Dom0 holds all static ARP/NDP entries for its own DomUs. They can be added by the vif-script easily. The propagation to other hosts can be one of the following: - All other hosts use the dom0 as a gateway even for connections to other domUs - You can use arp-proxy or ndp-proxy, your dom0 will start to propagate its static ARP/NDP entries in behalf of the domUs which in turn don''t send any ARP answers. - static ARP entries are not disabling the dom0 from answering ARP packages or from resending them on a bridge. So you could use static ARP entries in addition to a bridge that does not filter arp. This will be less secure as the arp tables of other domUs can be spoofed, but the dom0 itself will be protected (This should be rather seen as a part of the ARP security concept). Which method is best heavily depends on how far you can force domUs to do (little) advanced network setup. For example, the safest way would be if all clients have a static /32 route to the dom0 and a static ARP entry for dom0 (this is usually with MAC address fe:ff:ff:ff:ff:ff) and route all network traffic - no matter whether it''s local or to the internet via the Dom0 (it will pass the dom0 anyway so this doesn''t really change the path of any packets). Afterwards, the domU can disable ARP completely if the Dom0 has a static arp entry for the domU. Of course there are ways where domUs need less configuration, but they usually come with some tradeoffs... There is no unique solution for all XEN servers that fits all situation. 
(All those things apply to NDP equally)

> AFAIK, ebtables (which I use currently for my IPv4 setup) cannot
> filter the content of NDP messages. Since I don't think I can use
> static ARP, I still need to use NDP - just need the actual content of
> the NDP packets filtered.

Don't know how to filter NDP message *content*, the messages themselves are lots easier...

> As for the NAT issue, indeed I really do love NAT. I find it a huge
> culture shock and unsettling that in an IPv6 world, all internal
> machines will have public routable IP addresses. Does this mean that
> the traditional "Edge Firewalls/NAT routers" would become filtering
> bridges? As surely the world couldn't depend solely on host-based
> firewalls... (could we?!)

Well NAT for UDP (see VoIP or some appliances like that) is really dirty... But indeed, routers will become filtering gateways - not really bridges, because they will still do routing, but they won't change any source or destination addresses for IPv6. This will mean that each machine is directly accessible through the Internet, as long as the router or local firewall does not interfere.

> I guess if each "internal" network in the world had its own IPv6
> subnet, then we could just use a standard firewall-router (in no-NAT
> mode). However it just seems like extra trouble to go and obtain an
> IPv6 block from the responsible body. For example, I spin up many test
> internal networks on a daily basis just to play around with them - I
> don't really want to "register" these networks.
>
> It would be nice if routers could natively route between IPv6 and IPv4,
> however I understand that this is just not possible. Application
> specific dual-stack proxy servers are required.

Well I think many IPv6 issues already have been fixed - the biggest problem is that too few servers are supporting it... just imagine private customers being forced to use IPv6 only right now... They would be blocked out of most parts of the Internet.
I would not like a solution that keeps us on IPv4 forever, because many problems of IPv4 or unofficial extensions are now solved / fully integrated into IPv6 - the protocol is cleaner and (without any filtering) more secure than IPv4.

> Cheers
> ------------------------------------------------------------------------
> From: xen-users-bounces@lists.xensource.com on behalf of Felix Kuperjans
> Sent: Tue 07/12/2010 00:06
> To: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
>
> Well arptables is officially deprecated anyway. I don't know whether its
> successor, ebtables, supports filtering of the content of NDP messages,
> but you can filter NDP messages themselves with iptables just as any
> other icmpv6 message - for example, denying them at all. Or you add
> static neighbor entries, which cannot be overwritten by neighbor
> solicitations.
> In addition, the neighbor proxy serves as a replacement for the arp
> proxy in routed scenarios.
> A good point to start is using static ARP + neighbor entries for all
> domUs and the gateway at eth0. This will effectively prohibit most
> working ARP / NDP attacks.
>
> What I'm personally missing is NAT. I know it has been dropped for good
> reasons, but NAT has some cool advantages like hiding a webserver domU
> and a mailserver domU behind a single IP address - which will obfuscate
> your virtual server structure.
>
> We use our own private internal network within our server, which is dual
> stack with IPv4 + IPv6, using a routed setup with static ARP + neighbor
> entries; however, I do not yet route external IPv6 addresses to the
> domUs (not for an explicit reason, rather because of too little time /
> interest). I think XEN as a software is ready for IPv6, although the
> default vif-scripts do not really do much about that. But bridges and
> routing work fine with both of them, it's just a question of the setup.
>
> On 07.12.2010 00:11, Simon Hobson wrote:
> > Jonathan Tripathy wrote:
> >
> >> A problem with using IPv6 at the minute is that netfilter doesn't
> >> have as-advanced filtering capabilities as it does with IPv4. This is
> >> important when your DomUs are for customers on an unmanaged basis.
> >>
> >> The main issue is that IPv6 doesn't use ARP anymore, so all MAC
> >> address detection is done in the IP layer and AFAIK, netfilter
> >> doesn't have the proper filtering for IPv6 to prevent MAC spoofing.
> >> What we really need is an IPv6 equivalent to arptables.
> >
> > Since you clearly know quite a bit more than I do about IPv6 - can you
> > recommend a good guide/primer for getting going? At the moment I know
> > a little bit - but mostly what I know is that it's quite a bit
> > different from IPv4 and it's not a case of "the same but more bits".
> >
> > It's really about time I started looking at this for work.
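An added example, not code from the thread, from Xen or from any of the posters: the NDP *content* check Jonathan says ebtables cannot do, written as a small Python filter that parses Neighbor Solicitation / Advertisement bodies (RFC 4861) and compares the advertised link-layer addresses against a static (IPv6, MAC) table of the kind Felix suggests for the domUs and the gateway on eth0. Every address and MAC below is constructed for the example, the ICMPv6 checksum is deliberately not verified, and `static_neigh_commands` only returns the matching iproute2 lines as strings rather than running them.

```python
import ipaddress
import struct

# Static (IPv6 -> MAC) table for the domUs and the gateway on eth0.
# Constructed example values, not taken from the thread.
STATIC_NEIGHBORS = {
    ipaddress.IPv6Address("fd00:1234::1"): "00:16:3e:00:00:01",   # gateway
    ipaddress.IPv6Address("fd00:1234::10"): "00:16:3e:00:00:10",  # domU 1
    ipaddress.IPv6Address("fd00:1234::11"): "00:16:3e:00:00:11",  # domU 2
}

ICMPV6_NS, ICMPV6_NA = 135, 136            # Neighbor Solicitation / Advertisement
OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR = 1, 2  # RFC 4861 option types
UNSPECIFIED = ipaddress.IPv6Address("::")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def parse_ndp(payload: bytes):
    """Parse an ICMPv6 NS/NA body: type(1) code(1) checksum(2) flags/reserved(4)
    target(16) options(8*n). Returns (type, target, {opt_type: mac}).
    The checksum is not verified here; the kernel does that before netfilter sees it."""
    if len(payload) < 24:
        raise ValueError("NS/NA body shorter than 24 bytes")
    msg_type, code, _checksum, _flags = struct.unpack("!BBHI", payload[:8])
    if msg_type not in (ICMPV6_NS, ICMPV6_NA) or code != 0:
        raise ValueError(f"not an NS/NA message (type={msg_type}, code={code})")
    target = ipaddress.IPv6Address(payload[8:24])
    options, off = {}, 24
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861 5.2: must be discarded
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("option runs past end of message")
        if opt_type in (OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR) and opt_len == 1:
            options[opt_type] = mac_str(payload[off + 2:off + 8])  # Ethernet: 6 bytes
        off = end
    return msg_type, target, options


def check_ndp(src_ip: str, src_mac: str, payload: bytes):
    """Return (verdict, reason) for one NDP message seen on a vif/bridge.
    src_ip / src_mac are the IPv6 source and the Ethernet source of the frame."""
    try:
        msg_type, target, opts = parse_ndp(payload)
    except ValueError as e:
        return "DROP", f"malformed: {e}"
    src, src_mac = ipaddress.IPv6Address(src_ip), src_mac.lower()
    if msg_type == ICMPV6_NA:
        expected = STATIC_NEIGHBORS.get(target)
        if expected is None:
            return "DROP", f"NA for unknown target {target}"
        claimed = opts.get(OPT_TARGET_LLADDR, src_mac)
        if claimed != expected or src_mac != expected:
            return "DROP", (f"NA claims {target} is at {claimed} (frame from {src_mac}), "
                            f"static table says {expected}")
        return "ACCEPT", f"NA {target} -> {expected} matches static table"
    # Neighbor Solicitation: a DAD probe comes from :: and carries no source option
    if src == UNSPECIFIED:
        if OPT_SOURCE_LLADDR in opts:
            return "DROP", "DAD solicitation must not carry a source link-layer option"
        return "ACCEPT", f"DAD probe for {target}"
    expected = STATIC_NEIGHBORS.get(src)
    if expected is None:
        return "DROP", f"NS from unknown source {src}"
    claimed = opts.get(OPT_SOURCE_LLADDR, src_mac)
    if claimed != expected or src_mac != expected:
        return "DROP", (f"NS source {src} claims {claimed} (frame from {src_mac}), "
                        f"static table says {expected}")
    return "ACCEPT", f"NS from {src} consistent with static table"


def build_ndp(msg_type: int, target: str, flags: int = 0, lladdr=None) -> bytes:
    """Build a constructed NS/NA body (checksum left 0) with an optional
    source/target link-layer option, for feeding check_ndp() offline."""
    body = struct.pack("!BBHI", msg_type, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    if lladdr is not None:
        opt_type = OPT_TARGET_LLADDR if msg_type == ICMPV6_NA else OPT_SOURCE_LLADDR
        body += bytes([opt_type, 1]) + mac_bytes(lladdr)
    return body


def static_neigh_commands(dev: str = "eth0"):
    """The permanent neighbor entries that pin the same table in the kernel
    (iproute2 syntax); returned as strings, not executed."""
    return [f"ip -6 neigh replace {ip} lladdr {mac} nud permanent dev {dev}"
            for ip, mac in STATIC_NEIGHBORS.items()]


if __name__ == "__main__":
    legit = build_ndp(ICMPV6_NA, "fd00:1234::10", 0x60000000, "00:16:3e:00:00:10")
    spoof = build_ndp(ICMPV6_NA, "fd00:1234::1", 0x60000000, "00:16:3e:de:ad:01")
    print(check_ndp("fd00:1234::10", "00:16:3e:00:00:10", legit))
    print(check_ndp("fe80::1", "00:16:3e:de:ad:01", spoof))
    print("\n".join(static_neigh_commands()))
```

The verdicts mirror what the static neighbor entries already enforce in the kernel: a permanent entry cannot be overwritten by a forged advertisement, and this check is the corresponding log/alert view of the same attempt. It is strict on purpose: an advertisement whose frame source differs from the table entry is dropped even when the option inside is correct, so a neighbor-proxy setup would need its proxy MAC added to the table.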
Felix Kuperjans
2010-Dec-07 18:35 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
For testing, I use a random subnet of feff::, they are only *site*-local (link-local = only on the same physical network like ethernet, etc., not routed at all; site-local = only local to your company/network/LAN/whatever, but those packets can be routed but will not be forwarded to the Internet) and perfect for testing.
Link-local is not good for testing, because site-local addresses are dependent on the network device; if you want to ping another host link-local, you have to add the device like:
ping6 fe80::xxxx:xxff:fexx:xxxx%dev
(the x is the mac address, dev the device in ip link / ifconfig)
This is not really handy and those networks don't behave like real IPv6. Site-local is like IPv6 on the Internet; only reserved for local / testing use.

NAT has its problems, but with IPv6 nobody is forced to use NAT - but I think denying it completely will destroy some little areas where NAT can be really cool...

On 07.12.2010 13:53, Simon Hobson wrote:
> Jonathan Tripathy wrote:
>
>> As for the NAT issue, indeed I really do love NAT. I find it a huge
>> culture shock and unsettling that in an IPv6 world, all internal
>> machines will have public routable IP addresses. Does this mean that
>> the traditional "Edge Firewalls/NAT routers" would become filtering
>> bridges? As surely the world couldn't depend solely on host-based
>> firewalls... (could we?!)
>
> Err, traditionally all hosts once had public routable addresses. NAT
> is a new fangled abomination that really does cause lots of problems
> for lots of traffic - I'm involved with VoIP at work, anyone who's
> dealt with that and NAT will know what I mean.
>
> In practice I think your edge (NAT) router/firewall will become an
> edge router/firewall with your own IPv6 subnet on the inside of it.
>
>> I guess if each "internal" network in the world had its own IPv6
>> subnet, then we could just use a standard firewall-router (in no-NAT
>> mode). However it just seems like extra trouble to go and obtain an
>> IPv6 block from the responsible body. For example, I spin up many
>> test internal networks on a daily basis just to play around with them
>> - I don't really want to "register" these networks.
>
> You can use link-local addresses for such testing, and I believe there
> is also a "private" range set aside for use within an organisation -
> ie it's routable, but only between sites internal to an organisation.
>
> As for public addresses, AIUI, unless you are really big then you will
> never get your own subnet allocation - this being one of the problems
> with IPv4.
>
>
> If any of the below is wrong, then I'd be more than happy to be
> corrected!
>
> Apart from address exhaustion, one of the problems with IPv4 is the
> size of the global routing table which needs to track the location (in
> network terms) of every allocated and active block. So if you go to
> <your local registry> and get an address block allocated to yourself,
> then you or your ISP will need to advertise that block via BGP4 and
> the route will propagate around the world. I don't think it takes too
> much imagination to realise the number of such allocations.
>
> If you just use a sub-allocation from your ISP's larger block then that
> isn't an issue - the ISP will only advertise a larger amalgamated
> route for the entire block. BUT you then are tied to that ISP.
>
> AIUI, in IPv6 you have to be really, really big to get a direct
> allocation. Everyone else gets a delegated chunk from their upstream
> provider and in principle, all traffic routes upwards to a small set
> of supernodes. Thus the global routing table stays small. I guess ISPs
> will get together at exchanges and privately exchange routes, but this
> won't add to the global route table.
>
> At each level, bodies will get a chunk delegated from above, and if
> you take a connection from two ISPs for redundancy/aggregation then
> you will get two different delegated blocks. You cannot go and get
> your own block and have it routed via the two ISPs.
>
> In practical terms, all hosts will expect to be multihomed, and all
> this (including changes of address when you change ISP) will be hidden
> in the DNS.
>
> From what little I know of DNS with IPv6 this isn't as bad as it might
> seem. AIUI, AAAA records are hierarchical unlike IPv4 A records which
> simply specify "an address". An AAAA record specifies addresses
> relative to a prefix - so in theory you could change everything by
> just changing the single record that specifies the prefix.
>
> I think DNS will become FAR more important with IPv6 - for the simple
> reason that few people are going to be able to remember real IPv6
> addresses! I think this is a good thing, one of the things that irks
> me are sites I have to work at where the DNS is broken and no-one
> cares (or probably even realises) since it's so easy to just use
> 192.168.1.xxx.
>
> In the case of someone changing ISP - their prefix will change, and so
> they'll have to update that element in their DNS. But once they've
> done that, they will still be able to access stuff by the same DNS
> name (eg main-server.ho.somecompanyname.com). As long as us Techies
> have got it all right, the end users should neither see any difference
> nor have any need to care.
>
>
> That's what I know of the theory, now all I need to learn is how to
> put it into practice.
>
>
> Oh yes, and one upside I can see is that HTTPS will be easier to use.
> At present, you either need an (expensive) multi-host certificate or a
> separate address for each host. Given the shortage of addresses, few
> providers will give you your own address on a shared server without an
> extra charge - but that shouldn't be an issue when we all have so many
> addresses.
Simon Hobson
2010-Dec-07 19:13 UTC
Re: [Xen-users] IPV4 is nearly depleted, are you ready for IPV6?
Felix Kuperjans wrote:
> Well I think many IPv6 issues already have been fixed - the biggest
> problem is, that too few servers are supporting it... just imagine
> private customers being forced to use IPv6 only right now... They
> would be blocked out of most parts of the Internet.
> I would not like a solution that keeps us on IPv4 forever, because
> many problems of IPv4 or unofficial extensions are now solved /
> fully integrated into IPv6 - the protocol is cleaner and (without
> any filtering) more secure than IPv4.

I think it will come - eventually. The problem we have at the moment is that so many key players, specifically large consumer ISPs, just aren't supporting it. So we are still at the chicken or egg situation. The majority of consumers can't use it because there isn't "plug and pray" support from either their ISP or the budget router vendor. We can't expect the masses to get down and dirty to set up 6in4 tunnels to IPv6 brokers in order to get access to something that for most of them doesn't offer anything compelling. At the same time, the large ISPs and consumer router manufacturers see no demand and thus don't want to spend the money on something that "no-one wants".

And a big part of the problem is NAT. Too many people think that NAT is a) a good idea, and b) a solution. It's 'solved' the IPv4 address shortage problem in so many eyes, and for so long, that it's taken away a lot of the impetus to get IPv6 widely deployed.

The answer I had from my ISP last time I asked was that they had no plans and it would be a hugely expensive project. Well duh, it will be if you don't start now. Getting the core network IPv6 enabled would be a good start - and then making NEW stuff IPv6 enabled would be a good second step. Done that way, the cost and risk could be both reduced and spread - and one day people would suddenly realise that IPv6 is here!

At which point I remember I still haven't done anything about using my end of a 6in4 tunnel from HE :-/

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.