1 |
On Thursday 19 July 2007 18:00, Mike Williams wrote: |
2 |
|
3 |
> fe80::214:f600:b67e:b4db is the link local address of the upstream |
4 |
> router, which is also configured as dead:beef:2::1/48. |
5 |
|
6 |
Strictly speaking, if it's taken from the same block, it should be at |
7 |
least /49; otherwise, they would uncorrectly believe that the single |
8 |
(giant) dead:beef:2::/48 subnet is attached *directly* to the interface |
9 |
between you and them, and try to map ipv6 addresses to link-layer |
10 |
addresses accordingly. |
11 |
|
12 |
In practice, if reachability of the transit network is needed, most |
13 |
providers give you a /64 or longer (even /126 in some cases), taken from |
14 |
a dedicated pool reserved for point-to-point and transit networks. |
15 |
|
16 |
In many cases then, the use of global addresses can be avoided altogether |
17 |
(see my other reply). |
18 |
|
19 |
> It is required that all hosts are access via, and get access though, |
20 |
> the firewall we control. The upstream router can have changes made to |
21 |
> it if required, but it's not good to keep bothering the ISP. |
22 |
|
23 |
Of course, but configuring their end of the link correctly is something |
24 |
that should be done by them, and /if/ they got it wrong, they should |
25 |
correct it (imho). |
26 |
|
27 |
> Now I think I understand what's wrong. The upstream router needs a |
28 |
> route to dead:beef:2:1::/49 (or similar to cover any and all of our |
29 |
> "internal" networks) via dead:beef:2::11, and be configured as |
30 |
> dead:beef:2::1/64 instead of /48. Then it would route packets for |
31 |
> dead:beef:2:136:204:23ff:fed7:e86a to dead:beef:2::11, rather than |
32 |
> soliciting a link-local address for it. Have I got that right? |
33 |
|
34 |
Almost (see what I wrote above). With ipv6, using link-local addresses |
35 |
for routing is not in any way wrong, and in fact is usually the |
36 |
preferred way of doing things (this is different from ipv4, if nothing |
37 |
else because ipv4 does not have the notion of link-local address!). |
38 |
|
39 |
So, to summarize: |
40 |
|
41 |
- you can use only link-local addresses, and manually configure static |
42 |
routes pointing to the correct local interfaces and to the other end's |
43 |
link-local address; your static route is a default one (::/0), and their |
44 |
static route is for the dead:beef:2::/48 block. If you have a single |
45 |
link to the provider and don't do dynamic routing, this is usually the |
46 |
easiest setup; |
47 |
|
48 |
- optionally, you can also agree on assigning global addresses to the |
49 |
link; in this case, you must make sure that the subnet address assigned |
50 |
to the link is more specific (ie, has a longer prefix) than the block |
51 |
assigned to you, or is taken from a different pool. |
52 |
|
53 |
When things are set up correctly, packets arriving at the ISP and |
54 |
addressed to dead:beef:2::/48 would be routed out their interface to |
55 |
you. To find the next hop, they would perform a neighbor discovery on |
56 |
your end's ipv6 link-local address (which they know) and, once they get |
57 |
your end's link-layer (MAC) address, they would send the traffic to your |
58 |
firewall's Internet interface. From there, your firewall has specific |
59 |
routes for the internal networks, and can delivery the packets to the |
60 |
intended recipients. |
61 |
If the physical layer betwwen you and the ISP is not ethernet, things are |
62 |
similar (there are well defined procedures for discovering the |
63 |
link-layer next-hop on almost every kind of media); the important thing |
64 |
is that each end knows the other end's link-local address. |
65 |
-- |
66 |
gentoo-user@g.o mailing list |