
Long and unabbreviatable IPv6 addresses with random overloaded bits, vs. tunnelbroker

On Nov 18, 2012, at 4:53 PM, Jon Lewis <jlewis at lewis.org> wrote:

> On Sun, 18 Nov 2012, Bryan Fields wrote:
>> On 11/18/12 5:53 PM, Constantine A. Murenin wrote:
>>> edis.at gives you an IPv4 address of, for example, 158.255.21x.xxx,
>>> and the IPv6 /112 that you get is 2a03:f80:ed15:158:255:21x:xxx:0/112
>>> (really a /48), with 2a03:0f80:ed15::1 as the gateway.
> By "KVM", I assume he's talking about cloud or VPS, i.e. a KVM-based virtual machine.  With cloud in particular, I've been trying to decide how to dole out IPv6 space.  Because we're doing bridged networking for the VMs, we've been giving out IPv4 /32s to each VM and all VMs are in the same VLAN.
> It seems insane to try to set up a proper IPv6 subnet and unique gateway for each VM, so I've been thinking something similar to what the host being complained about here has done is the only way to go.  Not down to the detail of making the IPv6 IP based on the IPv4 IP, but giving out "very small" v6 blocks (i.e. maybe /120 or /124) out of a /48 with the prefix::1/48 IP as everyone's gateway.  Sure, IPv6 is big enough that we could give out /64s from that /48 and not run out of numbers, but I'm concerned about what happens when an abusive customer turns up 2^64 addresses and overloads the neighbor discovery cache on our gear.  What's anyone really going to do with more than a few IP addresses on a VPS anyway?  Just as we do with additional v4 IPs, if someone really has a need for additional v6 subnets, those could be provided, likely for a fee.

Setting up a proper IPv6 subnet and unique gateway for each VM is probably insane, but potentially less insane than some other alternatives. Setting one up for each customer's collection of VMs, OTOH, might not be so insane. Remember, you can have multiple IPv6 subnets on the same link without much penalty. Since you probably want the ability to have VPS portable across physical servers, you probably don't want to set up a subnet per physical server with all the VPS on a given PS sharing that subnet, which is the numerically simplest approach.

I'd have to review your actual architecture (physical and overlaid virtual) to really know what would be best for your particular circumstance. Contact me off-list if you're interested in something like that.
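The following is an added example, not code from this thread or from any provider or poster in it. It uses only Python's standard `ipaddress` module to model the two schemes under discussion: the decimal-octets-copied-into-hex-groups /112 that Constantine quotes (with the /48 and `::1` gateway from his message), and the small-blocks-from-a-/48-with-a-shared-gateway plan Jon describes. For comparison it also shows an assumed alternative the thread does not propose (packing the IPv4 address as two hex groups, as 6to4 does), and it checks Jon's neighbor-discovery concern against a constructed cache size of 8192 entries, which is a placeholder and not a figure from any real router. The sample address 158.255.210.123 is constructed; the thread only shows 158.255.21x.xxx.

```python
"""Added example (not from the thread): model the addressing schemes under
discussion with the standard library's ipaddress module."""
import ipaddress

# Values taken from the thread
PROVIDER_PREFIX = ipaddress.IPv6Network("2a03:f80:ed15::/48")
GATEWAY = ipaddress.IPv6Address("2a03:f80:ed15::1")
SITE_GROUPS = "2a03:f80:ed15"

# Constructed placeholder; real neighbor-cache limits depend on the router
# platform and its configuration.
ND_CACHE_CAPACITY = 8192


def decimal_octets_as_hex_groups(ipv4: str, site: str = SITE_GROUPS) -> ipaddress.IPv6Network:
    """Scheme from the quoted message: each decimal octet is written, digits
    unchanged, as a 16-bit hex group (158 becomes 0x158, not 0x9e), followed
    by one zero group, giving the customer's /112."""
    octets = ipaddress.IPv4Address(ipv4).packed
    tail = ":".join(str(o) for o in octets)
    return ipaddress.IPv6Network(f"{site}:{tail}:0/112")


def ipv4_packed_as_hex_groups(ipv4: str, site: str = SITE_GROUPS) -> ipaddress.IPv6Network:
    """Assumed alternative for comparison (not proposed in the thread): embed
    the 32 bits of the IPv4 address as two hex groups, as 6to4 does, so the
    remaining groups are zero and the address compresses with '::'."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(f"{site}:{v4 >> 16:x}:{v4 & 0xFFFF:x}::/112")


def customer_blocks(parent: ipaddress.IPv6Network, new_prefix: int, count: int,
                    reserved: ipaddress.IPv6Address = GATEWAY) -> list:
    """Carve the first `count` customer blocks of size /new_prefix out of
    `parent`, skipping the block that holds the shared gateway address."""
    blocks = []
    for net in parent.subnets(new_prefix=new_prefix):  # lazy generator
        if reserved in net:
            continue
        blocks.append(net)
        if len(blocks) == count:
            break
    return blocks


def on_link_with_shared_gateway(block: ipaddress.IPv6Network,
                                gateway: ipaddress.IPv6Address = GATEWAY,
                                link: ipaddress.IPv6Network = PROVIDER_PREFIX) -> bool:
    """Jon's design: every small block sits inside the one on-link /48 and
    uses prefix::1, an address outside the block itself, as its gateway."""
    return block.subnet_of(link) and gateway in link and gateway not in block


def could_exhaust_nd_cache(block: ipaddress.IPv6Network, capacity: int = ND_CACHE_CAPACITY) -> bool:
    """A tenant answering for every address in its block can force one
    neighbor-cache entry per address; flag blocks with at least `capacity`."""
    return block.num_addresses >= capacity


if __name__ == "__main__":
    sample = "158.255.210.123"  # constructed; the thread shows 158.255.21x.xxx
    a = decimal_octets_as_hex_groups(sample)
    b = ipv4_packed_as_hex_groups(sample)
    print(a, "->", len(str(a.network_address)), "chars, no '::' possible")
    print(b, "->", len(str(b.network_address)), "chars")
    for plen in (64, 112, 120, 124):
        blk = customer_blocks(PROVIDER_PREFIX, plen, 1)[0]
        print(f"/{plen}: {blk.num_addresses} addresses, "
              f"ND-cache risk={could_exhaust_nd_cache(blk)}, "
              f"on-link with shared gateway={on_link_with_shared_gateway(blk)}")
```

Run as a script it prints both encodings of the sample address, which makes the subject line concrete: the decimal-as-hex form ends in a single `:0` group and cannot be abbreviated, while the packed form compresses to `::`. The loop then shows that, under the placeholder cache size, a /64 and even the provider's /112 (65536 addresses) can fill the neighbor cache from one tenant, whereas the /120 and /124 blocks Jon considers cannot, while still sharing the single on-link gateway.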