[6bone] Network Address translation question
Mohacsi Janos
mohacsi at niif.hu
Thu Jun 23 07:15:35 PDT 2005
Hi,
On Thu, 23 Jun 2005, Iljitsch van Beijnum wrote:
> On 22-jun-2005, at 14:51, Mohacsi Janos wrote:
>
>>>>> The trouble is that there is no clear way to force the use of internal
>>>>> addresses for internal stuff and external addresses for external stuff.
>
>>>> This is easier, if you set up RFC3484 style address selection. You give
>>>> higher priority to your local addresses.
>
> I'm not sure how you envision this. My understanding was that the address
> with the longest matching prefix would be used. So when I connect to my
> server which has both a 2001:: and a 3ffe:: address (sequoia.muada.com for
> those of you who want to try) my system at home with a 2001:: address would
> use the 2001:: address. However, that's not what happens.
>
> MacOS 10.4:
>
> % telnet sequoia
> Trying 3ffe:2500:310:2::1...
>
> FreeBSD 4.9:
>
> # telnet sequoia
> Trying 3ffe:2500:310:2::1...
>
> Red Hat 9 Linux:
>
> # telnet sequoia
> Trying 3ffe:2500:310:2::1...
>
> (Well, actually they pick an address non-deterministically.)
>
> Windows XP was the only one that used the 2001:: address each time. (But this
> could be because of DNS caching, no way to tell except for rebooting more
> times than I care to do right now.)
>
> But that's not the real problem. The real problem is that always choosing the
> same address is a bad thing: that way, applications that don't cycle the
> address list themselves can easily get stuck retrying a non-working address
> and ignoring a working alternative.
>
> (And this would also require two-faced DNS all over the place as you'd try to
> connect to other people's unique site locals otherwise.)
>
> The bottom line is that there is no way to do the right thing with only a
> priori information. You need at least _some_ measurement info to make
> reasonable decisions.
You are mixing things. The DNS remains in place. If a host has
more than one DNS entry, the DNS query will return all of them. RFC 3484
just does some kind of sorting on the entries. You can select your
preferences locally.
Here is a sample transcript of what you can do with RFC 3484:
1. Setting up IPv6 preference:
mohacsi at scone> sudo ./prefer6
Prefix              Prec  Label  Use
::1/128               50      0    0
::/0                  40      1    0
2002::/16             30      2    0
::/96                 20      3    0
::ffff:0.0.0.0/96     10      4    0
mohacsi at scone> telnet sequoia.muada.com
Trying 2001:1af8:2:5::2...
^C
2. Setting up IPv4 preference:
mohacsi at scone> sudo ./prefer4
Prefix              Prec  Label  Use
::ffff:0.0.0.0/96     50      0    0
::1/128               40      1    0
::/0                  30      2    0
2002::/16             20      3    0
::/96                 10      4    0
mohacsi at scone> telnet sequoia.muada.com
Trying 83.149.65.1...
telnet: connect to address 83.149.65.1: Connection refused
Trying 2001:1af8:2:5::2...
^C
The IPv4 address is tried first (probably refused by a firewall), then it
switches right to IPv6...
3. Prefer 3ffe:: addresses
mohacsi at scone> sudo ./prefer63
Prefix              Prec  Label  Use
::1/128               50      0    0
3ffe::/16             45      5    0
::/0                  40      1    0
2002::/16             30      2    0
::/96                 20      3    0
::ffff:0.0.0.0/96     10      4    0
mohacsi at scone> telnet sequoia.muada.com
Trying 3ffe:2500:310:2::1...
^C
3ffe:2500:310:2::1 is tried first.
4. Prefer 2001:: style addresses
mohacsi at scone> sudo ./prefer62
Prefix              Prec  Label  Use
::1/128               50      0    0
2001::/16             45      5    0
::/0                  40      1    0
2002::/16             30      2    0
::/96                 20      3    0
::ffff:0.0.0.0/96     10      4    0
mohacsi at scone> telnet sequoia.muada.com
Trying 2001:1af8:2:5::2...
^C
mohacsi at scone>
So RFC 3484 is very powerful. You can prefer IPv4 addresses or prefer
2001:: addresses if you want. You can prefer ULA addresses if you want. But to
be consistent within a site, you should distribute a site-wide policy by some
other method, e.g. DHCPv6.
>
>> I think a pretty large number of hosts potentially can support RFC3484.
>> Windows XP/2003 fully supports it. All *BSD systems also fully support it.
>
> So how do I install a policy?
Sample scripts I used on FreeBSD are attached (you need FreeBSD 5.2 or
later).
For Windows XP/2003 the syntax is very similar to ip6addrctl.
Adding policy rule:
FreeBSD:
ip6addrctl add <prefix> <precedence> <label>
Windows XP
netsh interface ipv6 set prefixpolicy <prefix> <precedence> <label>
Showing policy rules:
FreeBSD:
ip6addrctl show
Windows XP
netsh interface ipv6 show prefixpolicy
Clearing the policy table
FreeBSD:
ip6addrctl flush
Windows XP:
netsh interface ipv6 delete prefixpolicy
Regards,
Janos Mohacsi
-------------- next part --------------
#!/bin/sh
# prefer63: prefer 3ffe:: destinations (used in step 3 above).
# The 3ffe::/16 entry gets a precedence above the ::/0 default and its own
# label (5), so 3ffe:: destinations sort ahead of other global unicast.
ip6addrctl flush >/dev/null 2>&1
ip6addrctl add ::1/128 50 0
ip6addrctl add 3ffe::/16 45 5
ip6addrctl add ::/0 40 1
ip6addrctl add 2002::/16 30 2
ip6addrctl add ::/96 20 3
ip6addrctl add ::ffff:0:0/96 10 4
ip6addrctl show
-------------- next part --------------
#!/bin/sh
# prefer62: prefer 2001:: destinations (used in step 4 above).
# Same idea as prefer63, with 2001::/16 raised above the ::/0 default.
ip6addrctl flush >/dev/null 2>&1
ip6addrctl add ::1/128 50 0
ip6addrctl add 2001::/16 45 5
ip6addrctl add ::/0 40 1
ip6addrctl add 2002::/16 30 2
ip6addrctl add ::/96 20 3
ip6addrctl add ::ffff:0:0/96 10 4
ip6addrctl show
-------------- next part --------------
#!/bin/sh
# prefer6: the RFC 3484 default table (used in step 1 above).
# Native IPv6 (::/0) outranks 6to4, IPv4-compatible and IPv4-mapped addresses.
ip6addrctl flush >/dev/null 2>&1
ip6addrctl add ::1/128 50 0
ip6addrctl add ::/0 40 1
ip6addrctl add 2002::/16 30 2
ip6addrctl add ::/96 20 3
ip6addrctl add ::ffff:0:0/96 10 4
ip6addrctl show
-------------- next part --------------
#!/bin/sh
# prefer4: prefer IPv4 destinations (used in step 2 above).
# IPv4-mapped addresses (::ffff:0:0/96) get the highest precedence, so
# getaddrinfo() sorts A records ahead of AAAA records.
ip6addrctl flush >/dev/null 2>&1
ip6addrctl add ::ffff:0:0/96 50 0
ip6addrctl add ::1/128 40 1
ip6addrctl add ::/0 30 2
ip6addrctl add 2002::/16 20 3
ip6addrctl add ::/96 10 4
ip6addrctl show
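As an added example, not part of the original message or its attached scripts, the following Python script reproduces the RFC 3484 section 6 destination ordering that getaddrinfo() applies, driven by the four policy tables from the transcript above. The host addresses and the DNS answer order are constructed: a dual-stack host with a 2001::, a 3ffe:: and an IPv4 address resolving a name that has the three addresses seen above. Source selection is a minimal version of section 5 (same family, matching label, longest common prefix), and only destination rules 1, 5, 6, 8 and 10 are implemented; scope and interface rules are left out since all addresses here are global.

```python
"""RFC 3484 destination address selection driven by an ip6addrctl-style policy table.

Added example; assumes the policy tables transcribed from the message and a
constructed dual-stack host. Not code from the original post.
"""
import ipaddress
from functools import cmp_to_key

# Policy tables as printed by ip6addrctl show above: (prefix, precedence, label).
PREFER6 = [("::1/128", 50, 0), ("::/0", 40, 1), ("2002::/16", 30, 2),
           ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4)]
PREFER4 = [("::ffff:0:0/96", 50, 0), ("::1/128", 40, 1), ("::/0", 30, 2),
           ("2002::/16", 20, 3), ("::/96", 10, 4)]
PREFER63 = [("::1/128", 50, 0), ("3ffe::/16", 45, 5), ("::/0", 40, 1),
            ("2002::/16", 30, 2), ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4)]
PREFER62 = [("::1/128", 50, 0), ("2001::/16", 45, 5), ("::/0", 40, 1),
            ("2002::/16", 30, 2), ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4)]

# Constructed host and DNS answer (the three addresses of sequoia from the thread).
HOST = ["2001:db8:1::10", "3ffe:db8:1::10", "192.0.2.10"]
DNS = ["3ffe:2500:310:2::1", "2001:1af8:2:5::2", "83.149.65.1"]


def as_v6(addr):
    """Policy lookups use IPv6 form; IPv4 is treated as IPv4-mapped (RFC 3484 s2.1)."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a


def policy_lookup(policy, addr):
    """Longest-matching-prefix lookup in the policy table; returns (precedence, label)."""
    a = as_v6(addr)
    best = None
    for prefix, precedence, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    if best is None:
        raise ValueError("no policy entry matches %s" % addr)
    return best[1], best[2]


def common_prefix_len(a, b):
    """Leading bits shared by two addresses (CommonPrefixLen in RFC 3484)."""
    return 128 - (int(as_v6(a)) ^ int(as_v6(b))).bit_length()


def select_source(policy, dest, sources):
    """Minimal RFC 3484 s5 source selection: same family, then matching label
    (rule 6), then longest common prefix (rule 8). None if no usable source."""
    family = ipaddress.ip_address(dest).version
    candidates = [s for s in sources if ipaddress.ip_address(s).version == family]
    if not candidates:
        return None
    dest_label = policy_lookup(policy, dest)[1]
    return max(candidates, key=lambda s: (policy_lookup(policy, s)[1] == dest_label,
                                          common_prefix_len(s, dest)))


def sort_destinations(policy, dests, sources):
    """Order DNS answers by RFC 3484 s6 rules 1, 5, 6, 8 and 10 (scope rules omitted)."""
    info = {d: (select_source(policy, d, sources),) + policy_lookup(policy, d)
            for d in dests}

    def compare(da, db):
        sa, prec_a, label_a = info[da]
        sb, prec_b, label_b = info[db]
        # Rule 1: avoid unusable destinations (no source address of that family).
        if (sa is None) != (sb is None):
            return 1 if sa is None else -1
        if sa is None:
            return 0
        # Rule 5: prefer a destination whose label matches its source's label.
        match_a = policy_lookup(policy, sa)[1] == label_a
        match_b = policy_lookup(policy, sb)[1] == label_b
        if match_a != match_b:
            return -1 if match_a else 1
        # Rule 6: prefer higher precedence.
        if prec_a != prec_b:
            return -1 if prec_a > prec_b else 1
        # Rule 8: prefer the longest matching prefix between destination and source.
        cpl_a, cpl_b = common_prefix_len(sa, da), common_prefix_len(sb, db)
        if cpl_a != cpl_b:
            return -1 if cpl_a > cpl_b else 1
        return 0  # Rule 10: otherwise leave the order unchanged (stable sort).

    return sorted(dests, key=cmp_to_key(compare))


if __name__ == "__main__":
    for name, table in (("prefer6", PREFER6), ("prefer4", PREFER4),
                        ("prefer63", PREFER63), ("prefer62", PREFER62)):
        print("%-9s tries first: %s" % (name, sort_destinations(table, DNS, HOST)[0]))
```

With prefer63 and prefer62 the raised precedence (rule 6) decides, and with prefer4 the IPv4-mapped entry wins the same way. With the default prefer6 table the two IPv6 answers tie on label and precedence, so rule 8 picks the one sharing more leading bits with the chosen source address, which is the longest-match behaviour described in the quoted mail; on a host with only an IPv4 address the IPv6 answers drop to the end under rule 1. These rule numbers are RFC 3484's; RFC 6724 later revised the table and the rules, so check which one a given stack implements.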