
[6bone] Network Address translation question



Hi,



On Thu, 23 Jun 2005, Iljitsch van Beijnum wrote:

> On 22-jun-2005, at 14:51, Mohacsi Janos wrote:
>
>>>>> The trouble is that there is no clear way to force the use of internal
>>>>> addresses for internal stuff and external addresses for external stuff.
>
>>>> This is easier, if you set up RFC3484 style address selection. You give
>>>> higher priority to your local addresses.
>
> I'm not sure how you envision this. My understanding was that the address 
> with the longest matching prefix would be used. So when I connect to my 
> server which has both a 2001:: and a 3ffe:: address (sequoia.muada.com for 
> those of you who want to try) my system at home with a 2001:: address would 
> use the 2001:: address. However, that's not what happens.
>
> MacOS 10.4:
>
> % telnet sequoia
> Trying 3ffe:2500:310:2::1...
>
> FreeBSD 4.9:
>
> # telnet sequoia
> Trying 3ffe:2500:310:2::1...
>
> Red Hat 9 Linux:
>
> # telnet sequoia
> Trying 3ffe:2500:310:2::1...
>
> (Well, actually they pick an address non-deterministically.)
>
> Windows XP was the only one that used the 2001:: address each time. (But this 
> could be because of DNS caching, no way to tell except for rebooting more 
> times than I care to do right now.)
>
> But that's not the real problem. The real problem is that always choosing the 
> same address is a bad thing: that way, applications that don't cycle the 
> address list themselves can easily get stuck retrying a non-working address 
> and ignoring a working alternative.
>
> (And this would also require two-faced DNS all over the place as you'd try to 
> connect to other people's unique site locals otherwise.)
>
> The bottom line is that there is no way to do the right thing with only a 
> priori information. You need at least _some_ measurement info to make 
> reasonable decisions.

You are mixing things. The DNS remains in place. If a host has 
more than one DNS entry, the DNS query will return all of them. RFC 3484 
just does some kind of sorting on the entries. You can select your 
preferences locally.

Here is a sample transcript of what you can do with RFC3484:

1. Setting up IPv6 preference:

[email protected]> sudo ./prefer6
Prefix                          Prec Label      Use
::1/128                           50     0        0
::/0                              40     1        0
2002::/16                         30     2        0
::/96                             20     3        0
::ffff:0.0.0.0/96                 10     4        0
[email protected]> telnet sequoia.muada.com 
Trying 2001:1af8:2:5::2...
^C


2. Setting up IPv4 preference:

[email protected]> sudo ./prefer4 
Prefix                          Prec Label      Use
::ffff:0.0.0.0/96                 50     0        0
::1/128                           40     1        0
::/0                              30     2        0
2002::/16                         20     3        0
::/96                             10     4        0
[email protected]>telnet sequoia.muada.com 
Trying 83.149.65.1...
telnet: connect to address 83.149.65.1: Connection refused
Trying 2001:1af8:2:5::2...
^C

IPv4 address tried first (probably refused by a firewall), switching right to 
IPv6....

3. Prefer 3ffe:: addresses

[email protected]> sudo ./prefer63 
Prefix                          Prec Label      Use
::1/128                           50     0        0
3ffe::/16                         45     5        0
::/0                              40     1        0
2002::/16                         30     2        0
::/96                             20     3        0
::ffff:0.0.0.0/96                 10     4        0
[email protected]> telnet sequoia.muada.com 
Trying 3ffe:2500:310:2::1...
^C

3ffe:2500:310:2::1 tried first

4. Prefer 2001:: style addresses


[email protected]> sudo ./prefer62 
Prefix                          Prec Label      Use
::1/128                           50     0        0
2001::/16                         45     5        0
::/0                              40     1        0
2002::/16                         30     2        0
::/96                             20     3        0
::ffff:0.0.0.0/96                 10     4        0
[email protected]> telnet sequoia.muada.com 
Trying 2001:1af8:2:5::2...
^C 
[email protected]>

So RFC3484 is very powerful. You can prefer an IPv4 address or prefer a 
2001:: address if you want. You can prefer a ULA address if you want. But to 
be consistent in a site, you should implement a site-wide policy by some 
other method, e.g. DHCPv6.




>
>> I think a pretty large number of hosts can potentially support RFC3484.
>> Windows XP/2003 fully supports it. All *BSD systems also fully support it.
>
> So how do I install a policy?

Sample scripts I used on FreeBSD are attached (you need FreeBSD 5.2 or 
later).

For Windows XP/2003 the syntax is very similar to ip6addrctl.

Adding policy rule:

FreeBSD:
ip6addrctl add <prefix> <precedence> <label>

Windows XP
netsh interface ipv6 set prefixpolicy <prefix> <precedence> <label>

Showing policy rules:
FreeBSD:
ip6addrctl show
Windows XP
netsh interface ipv6 show prefixpolicy


Clearing the policy table

FreeBSD:
ip6addrctl flush
Windows XP:
netsh interface ipv6 delete prefixpolicy

Regards,
 	Janos Mohacsi


-------------- next part --------------
#!/bin/sh
# prefer 3ffe:: destinations over other IPv6 addresses
# columns: prefix  precedence  label
ip6addrctl flush >/dev/null 2>&1
ip6addrctl add ::1/128		50	0
ip6addrctl add 3ffe::/16	45	5
ip6addrctl add ::/0		40	1
ip6addrctl add 2002::/16	30	2
ip6addrctl add ::/96		20	3
ip6addrctl add ::ffff:0:0/96	10	4
ip6addrctl show
-------------- next part --------------
#!/bin/sh
# prefer 2001:: destinations over other IPv6 addresses
# columns: prefix  precedence  label
ip6addrctl flush >/dev/null 2>&1
ip6addrctl add ::1/128		50	0
ip6addrctl add 2001::/16	45	5
ip6addrctl add ::/0		40	1
ip6addrctl add 2002::/16	30	2
ip6addrctl add ::/96		20	3
ip6addrctl add ::ffff:0:0/96	10	4
ip6addrctl show
-------------- next part --------------
#!/bin/sh
# prefer IPv6 (the RFC 3484 default table)
# columns: prefix  precedence  label
ip6addrctl flush >/dev/null 2>&1
ip6addrctl add ::1/128		50	0
ip6addrctl add ::/0		40	1
ip6addrctl add 2002::/16	30	2
ip6addrctl add ::/96		20	3
ip6addrctl add ::ffff:0:0/96	10	4
ip6addrctl show
-------------- next part --------------
#!/bin/sh
# prefer IPv4: IPv4-mapped addresses get the highest precedence
# columns: prefix  precedence  label
ip6addrctl flush >/dev/null 2>&1
ip6addrctl add ::ffff:0:0/96	50	0
ip6addrctl add ::1/128		40	1
ip6addrctl add ::/0		30	2
ip6addrctl add 2002::/16	20	3
ip6addrctl add ::/96		10	4
ip6addrctl show
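As an added illustration (not code from the thread or from any of the systems discussed), here is a small Python model of the sorting that the policy tables above cause: a longest-prefix lookup of precedence and label, then the destination ordering rules 5, 6 and 8 of RFC 3484. It reuses the four tables from the transcript; the host's own addresses are constructed sample values, and source selection is simplified to "matching label, then longest common prefix".

```python
import ipaddress

# Policy tables copied from the transcript above: (prefix, precedence, label).
PREFER_IPV6 = [("::1/128", 50, 0), ("::/0", 40, 1), ("2002::/16", 30, 2),
               ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4)]
PREFER_IPV4 = [("::ffff:0:0/96", 50, 0), ("::1/128", 40, 1), ("::/0", 30, 2),
               ("2002::/16", 20, 3), ("::/96", 10, 4)]
PREFER_3FFE = [("::1/128", 50, 0), ("3ffe::/16", 45, 5)] + PREFER_IPV6[1:]
PREFER_2001 = [("::1/128", 50, 0), ("2001::/16", 45, 5)] + PREFER_IPV6[1:]

# Constructed sample host: one 2001:: address, one 3ffe:: address, one IPv4 address.
SOURCES = ["2001:db8::1", "3ffe:db8::1", "192.0.2.10"]
# The three addresses telnet tried for sequoia.muada.com in the transcript.
DESTINATIONS = ["3ffe:2500:310:2::1", "2001:1af8:2:5::2", "83.149.65.1"]

def to_v6(addr):
    """IPv4 literals are matched as IPv4-mapped ::ffff:a.b.c.d, as the table expects."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(ip)) if ip.version == 4 else ip

def lookup(table, addr):
    """Policy-table lookup: the longest matching prefix decides (precedence, label)."""
    ip, best = to_v6(addr), None
    for prefix, prec, label in table:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    if best is None:
        raise ValueError("no matching rule; the table needs a ::/0 default entry")
    return best[1], best[2]

def common_prefix_len(a, b):
    """Leading bits two addresses share (the longest-matching-prefix rules)."""
    return 128 - (int(to_v6(a)) ^ int(to_v6(b))).bit_length()

def sort_destinations(table, sources, destinations):
    """Order candidates as an RFC 3484 resolver would under this policy table.
    Simplified source selection (assumption): matching label, then longest match."""
    def source_for(dst):
        dst_label = lookup(table, dst)[1]
        return max(sources, key=lambda s: (lookup(table, s)[1] == dst_label,
                                           common_prefix_len(s, dst)))
    def key(dst):
        src = source_for(dst)
        prec, label = lookup(table, dst)
        return (label == lookup(table, src)[1],   # rule 5: prefer matching label
                prec,                             # rule 6: prefer higher precedence
                common_prefix_len(src, dst))      # rule 8: prefer longest matching prefix
    return sorted(destinations, key=key, reverse=True)
```

Running `sort_destinations` with each table reproduces the first address telnet tried in the corresponding step of the transcript; note that with the prefer4 table the IPv4 address still wins even though the host has a longer-matching IPv6 source, because precedence (rule 6) is compared before prefix length (rule 8).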