0

I am building a virtualisation host, and I want my virtual machines to be available via both v4 and v6 IP addresses.

The host I have (Xen 4.1.3 with Debian Wheezy in dom0) has one physical eth0 interface:

10.0.0.2/30 dev eth0
default via 10.0.0.1
2000:1111:1111:11111::2/64 dev eth0
default via 2000:1111:1111:11111::1 (aka fe80::1)

My ISP has assigned me a 10.100.0.0/28 IPv4 range, statically routed via 10.0.0.2.

On the host, I have built xenbr0 virtual bridge interface:

10.100.0.1/28 dev xenbr0

On each guest VM, I set any of the unused addresses from 10.100.0.0/28, i.e.:

10.100.0.2/28 dev eth0
default via 10.100.0.1

As expected (since the host acts like a classic router), VMs are able to talk to the v4 internet without a hitch.

That's where my lack of experience with IPv6 kicks in. From my understanding, v6 addresses are routed pretty much the same as their v4 counterparts, which means that what I want to accomplish is impossible with only one /64 range (at least while eth0 & v6 gw are configured the way they are).

Is it possible to make use of a single IPv6 /64 range, so that VMs can have static IPv6 addresses, without having to go and ask my ISP for another /64 range that (I guess) would have to be statically routed via 2000:1111:1111:11111::2?

I tried to "split" this /64 network in two /65 networks, then reconfigure xenbr0 like this:

2000:1111:1111:11111:8000:2/65 dev xenbr0

Also, eth0 was reconfigured (only network size has changed from 64 to 65):

2000:1111:1111:11111::2/65 dev eth0
default via 2000:1111:1111:11111::1

The host did not lose IPv6 connectivity. However, guest VMs were unable to contact anything outside of the host when configured like this:

2000:1111:1111:11111:8000::2/65 dev eth0
default via 2000:1111:1111:11111:8000::1

Any ideas on how to proceed?

mr.b
  • Don't split a /64. Just don't. You're opening yourself to a world of hurt by breaking a wide variety of IPv6 features. – Michael Hampton Jan 23 '14 at 17:42
  • @MichaelHampton yeah, that's what became clear to me soon after I started meddling with IPv6, and that's why I am reluctant to find a workaround based on splitting /64. – mr.b Jan 23 '14 at 17:59

1 Answer

3

Getting a bigger block of addresses from your provider is the correct solution. It is very normal with IPv6 to give a customer a /56 or a /48, which corresponds to 256 or 65536 subnets. That is the great thing about IPv6: always plenty of addresses! :-)

There are still plenty of people running IPv6 networks with an IPv4 mentality though, and they try to give as little as possible to their customers, thinking "A /64 contains so many addresses, it will be more than enough for them". And then you run into problems when you want multiple subnets... Network operators and service providers will have to change their mindset and always give bigger blocks (big ones like /56 or /48, you don't want to ask them for each and every extra subnet) to customers that want to use them.

Running IPv6 networks can be so easy once people start to use the enormous amount of address space that it provides. No more planning, requesting extra addresses etc. Just:

  • Give every (yes, even residential) customer at least a /56, and a /48 should be default for business customers.
  • Use a /64 for every subnet. It will be more than you'll ever need, and that is the way it is supposed to be.
  • Even for each point-to-point link, reserve a /64, although you could configure a /127 to avoid ND cache issues.
  • Give a host as many addresses as it wants. No problem putting each website on a separate address if you want to. It might be useful if you want to move things around, want to simplify billing or make it easier to detect and fight (D)DOS attacks.

All of this makes your planning and operations much simpler, once you get used to the big numbers that are suddenly available :)

Sander Steffann
  • Oh, and to really answer your question: you'll have to bridge at layer-2 if you want to use a single `/64` for your host as well as for your virtual machines. – Sander Steffann Jan 23 '14 at 16:01
  • +1 While ISPs aren't supposed to hand out anything smaller than a /64, and you should have no issues getting a /56 from them, Colos like to hand out smaller blocks. My colo hands out /124s (16 IPs). IPv6 stacks should work with everything up to a /127 as you mentioned (I've not run across any that don't). – Chris S Jan 23 '14 at 16:11
  • My ISP gives /64 blocks by default, so I guess they are sensible enough and probably did some research prior to implementing IPv6. – mr.b Jan 23 '14 at 18:00
  • @mr.b They only gave you _one_ /64? In that case they didn't read [RFC 6177](http://tools.ietf.org/html/rfc6177)! The bare _minimum_ I would accept for a _home_ connection would be /60, and that only if I really couldn't get /56. – Michael Hampton Jan 23 '14 at 19:01
  • @mr.b: If they just gave you one /64 then they are not sensible at all... I have implemented (or consulted for ISPs that were implementing) IPv6 many times, and nowhere was a /64 a good choice. It's a sure way to cause issues for customers. – Sander Steffann Jan 23 '14 at 19:35
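
The routing situation discussed in this thread, as an added example that is not part of the original question, answer or comments. It models the upstream router's longest-prefix lookup to show why a /65 split leaves the VMs unreachable while a delegated, routed block works. The 2001:db8:: documentation prefixes, the function names and the assumption that the upstream router keeps the whole /64 as a connected prefix with no route via the host are all constructed for illustration.

```python
import ipaddress

# Constructed documentation-prefix values (RFC 3849), standing in for the
# addressing in the question; none of these are the poster's real addresses.
ISP_LINK = ipaddress.ip_network("2001:db8:1:1::/64")    # connected on upstream router
HOST_ETH0 = ipaddress.ip_address("2001:db8:1:1::2")     # host's address on that link
DELEGATED = ipaddress.ip_network("2001:db8:100::/56")   # hypothetical routed block

ON_LINK = "on-link: neighbour solicitation on the ISP segment"
VIA_HOST = f"forward to next hop {HOST_ETH0}"

# Assumption: the upstream router only knows its connected /64.
SINGLE_64_TABLE = [(ISP_LINK, ON_LINK)]
# Assumption: the ISP additionally routes a /56 statically via the host.
ROUTED_TABLE = [(ISP_LINK, ON_LINK), (DELEGATED, VIA_HOST)]


def upstream_decision(dst, table):
    """Longest-prefix match: how the upstream router delivers a packet to dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, how) for net, how in table if dst in net]
    if not matches:
        return "no route"
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def split_halves(network):
    """The two /65 halves the question tried to use for eth0 and xenbr0."""
    return [str(n) for n in network.subnets(prefixlen_diff=1)]


def count_64s(prefix):
    """Number of /64 subnets available inside a delegated prefix."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > 64:
        raise ValueError("prefix is smaller than a single /64")
    return 2 ** (64 - net.prefixlen)


if __name__ == "__main__":
    print("halves of the /64:", split_halves(ISP_LINK))
    # VM in the upper /65: the upstream router still sees it as on-link, so it
    # sends a neighbour solicitation that a routed (non-bridged) VM never answers.
    print("VM in /65:", upstream_decision("2001:db8:1:1:8000::2", SINGLE_64_TABLE))
    # VM in a /64 taken from a routed /56: traffic is forwarded to the host.
    print("VM in /56:", upstream_decision("2001:db8:100:1::2", ROUTED_TABLE))
    print("/64s in a /56:", count_64s("2001:db8:100::/56"))
    print("/64s in a /48:", count_64s("2001:db8::/48"))
```
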