| 1 |
On Thursday 19 July 2007 18:00, Mike Williams wrote: |
| 2 |
|
| 3 |
> fe80::214:f600:b67e:b4db is the link local address of the upstream |
| 4 |
> router, which is also configured as dead:beef:2::1/48. |
| 5 |
|
| 6 |
Strictly speaking, if it's taken from the same block, it should be at |
| 7 |
least /49; otherwise, they would uncorrectly believe that the single |
| 8 |
(giant) dead:beef:2::/48 subnet is attached *directly* to the interface |
| 9 |
between you and them, and try to map ipv6 addresses to link-layer |
| 10 |
addresses accordingly. |
| 11 |
|
| 12 |
In practice, if reachability of the transit network is needed, most |
| 13 |
providers give you a /64 or longer (even /126 in some cases), taken from |
| 14 |
a dedicated pool reserved for point-to-point and transit networks. |
| 15 |
|
| 16 |
In many cases then, the use of global addresses can be avoided altogether |
| 17 |
(see my other reply). |
| 18 |
|
| 19 |
> It is required that all hosts are access via, and get access though, |
| 20 |
> the firewall we control. The upstream router can have changes made to |
| 21 |
> it if required, but it's not good to keep bothering the ISP. |
| 22 |
|
| 23 |
Of course, but configuring their end of the link correctly is something |
| 24 |
that should be done by them, and /if/ they got it wrong, they should |
| 25 |
correct it (imho). |
| 26 |
|
| 27 |
> Now I think I understand what's wrong. The upstream router needs a |
| 28 |
> route to dead:beef:2:1::/49 (or similar to cover any and all of our |
| 29 |
> "internal" networks) via dead:beef:2::11, and be configured as |
| 30 |
> dead:beef:2::1/64 instead of /48. Then it would route packets for |
| 31 |
> dead:beef:2:136:204:23ff:fed7:e86a to dead:beef:2::11, rather than |
| 32 |
> soliciting a link-local address for it. Have I got that right? |
| 33 |
|
| 34 |
Almost (see what I wrote above). With ipv6, using link-local addresses |
| 35 |
for routing is not in any way wrong, and in fact is usually the |
| 36 |
preferred way of doing things (this is different from ipv4, if nothing |
| 37 |
else because ipv4 does not have the notion of link-local address!). |
| 38 |
|
| 39 |
So, to summarize: |
| 40 |
|
| 41 |
- you can use only link-local addresses, and manually configure static |
| 42 |
routes pointing to the correct local interfaces and to the other end's |
| 43 |
link-local address; your static route is a default one (::/0), and their |
| 44 |
static route is for the dead:beef:2::/48 block. If you have a single |
| 45 |
link to the provider and don't do dynamic routing, this is usually the |
| 46 |
easiest setup; |
| 47 |
|
| 48 |
- optionally, you can also agree on assigning global addresses to the |
| 49 |
link; in this case, you must make sure that the subnet address assigned |
| 50 |
to the link is more specific (ie, has a longer prefix) than the block |
| 51 |
assigned to you, or is taken from a different pool. |
| 52 |
|
| 53 |
When things are set up correctly, packets arriving at the ISP and |
| 54 |
addressed to dead:beef:2::/48 would be routed out their interface to |
| 55 |
you. To find the next hop, they would perform a neighbor discovery on |
| 56 |
your end's ipv6 link-local address (which they know) and, once they get |
| 57 |
your end's link-layer (MAC) address, they would send the traffic to your |
| 58 |
firewall's Internet interface. From there, your firewall has specific |
| 59 |
routes for the internal networks, and can delivery the packets to the |
| 60 |
intended recipients. |
| 61 |
If the physical layer betwwen you and the ISP is not ethernet, things are |
| 62 |
similar (there are well defined procedures for discovering the |
| 63 |
link-layer next-hop on almost every kind of media); the important thing |
| 64 |
is that each end knows the other end's link-local address. |
| 65 |
-- |
| 66 |
gentoo-user@g.o mailing list |
Archives