While this takes the form of a rant, I have been rather slowly building up a set of ip6tables,<br>iptables, and ip rules that almost, sort of, kind of, handle the exterior gateway and interior<br>gateway problems that ipv6 introduces, and it really isn't<br>
<br>My open questions are:<br><br>Is there a routing protocol that does source and dest based routing?<br><br>Has anyone built up a set of ipv6 filters/rules already that can handle at <br>least some of the cases listed below?<br>
<br><br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Dave Taht</b> <span dir="ltr"><<a href="mailto:dave.taht@gmail.com">dave.taht@gmail.com</a>></span><br>
Date: Sun, Feb 5, 2012 at 4:22 AM<br>Subject: Re: [Babel-users] policy routing<br>To: Juliusz Chroboczek <<a href="mailto:jch@pps.jussieu.fr">jch@pps.jussieu.fr</a>><br>Cc: <a href="mailto:babel-users@lists.alioth.debian.org">babel-users@lists.alioth.debian.org</a><br>
<br><br><br><br><div class="gmail_quote"><div class="im">On Sun, Feb 5, 2012 at 1:55 AM, Juliusz Chroboczek <span dir="ltr"><<a href="mailto:jch@pps.jussieu.fr" target="_blank">jch@pps.jussieu.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>>> However the problem of dealing with ipv6's various forms of addressing has<br>
>> O(n) complexity, it seems, so multiples of tables seem needed.<br>
<br>
</div>Dave, you're confused, as usual. </blockquote></div><div><br>I enjoy being loudly confused, and roundly, and even sometimes loudly, enlightened.<br><br>And I note this discussion is forking off my original question, which was basically <br>
involving sane ways to come up with means of correctly routing or not<br>routing various forms of non-single provider ipv6 connectivity.<br> <br></div><div class="im"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
There's no "problem" with the multiple<br>
forms of addressing in IPv6.<br></blockquote></div><div><br>Let's see:<br><br>ULA - this is the rough equivalent of rfc1918 address space in the ipv4 world. It's also the only ipv6 address space you can sanely use if you open the box on a new router, and want to run ipv6 on it and your network rather than or in addition to ipv4, and haven't plugged into a provider yet. It's also a useful address space for private mesh networks as well... but it's not routable to the internet...<br>
<br>ULA /48 addresses are randomly generated, which introduces a level 3 dns problem, unless there is some magical way for an address like fd03:024d:32ac::/48 to make it from being internally generated to the users' eyeballs, perhaps via baudot code from the blinkenlights on the front...<br>
<br>Native, static: Hoo-ray! This is what we thought the world would get! One static ip address range for all eternity. Until we realized that people move, that offices have multiple locations, and that providers go under, and that BGP route tables got kind of big and can be easily fat fingered...<br>
<br>Native, PD. PD appears to be the way the world is going at the moment, meaning that people will continue to 'rent' their addresses, and they may go away or change at any time. Worse, at least in the initial roll-outs I'm aware of, the address space may be as small as a single /64, and rarely as large as a /56...<br>
<br>Native, PI - Let me know when I can get me some of those, and from whom.<br><br>6to4, 6RD, 6in4 - despite multiple attempts to deprecate these, they are the only ways to get /48 connectivity and also where they work, are actually deployed, and work fairly well....<br>
<br>6to4 and 6RD have the same dynamic assignment and removal problems that PD does, and 6in4 requires tunnels often to far-off-lands... <br><br>Teredo - on by default on windows...<br><br>Multicast... wouldn't it be great if multicast worked? Wouldn't it be great if we knew how to make it just work? Wouldn't it be great if world peace was also achieved?<br>
<br>NAT. Yes, there are patches going around for ipv6. It seems inevitable...<br><br>VPNs. I'd like to connect 3 offices together, and have their separate routing tables do the right thing...<br><br>Mobile IPv6... let's not talk about that...<br>
<br>HIP. Have I added enough complexity yet?<br><br>So what aspect of the 'ipv6 has no addressing problems' question did I not express properly?<br><br>The specific case I was merely trying to cope with was in refusing to route default routes<br>
from the wrong place(s) and also trying to ensure that that information got pushed closer to <br>each interior gateway.<br><br><br></div><div class="im"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
The problem is with the ingress filtering policies of your upstream<br>
ISPs. </blockquote></div><div><br>*A* problem <br> </div><div class="im"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> The clean solution is to use a single upstream ISP</blockquote>
</div><div><br>So you are suggesting that everyone you might want to mesh with use a monopoly ISP?<br><br></div><div class="im"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">, or to use PI<br>
space and make sure your upstreams accept packets sourced with your<br>
address.</blockquote></div><div><br>So you want to convince multiple providers to allow multihoming?<br><br></div><div class="im"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
If you cannot do that, put a full mesh of GRE tunnels between your<br>
Internet gateways</blockquote></div><div><br>Losing useful metrics and introducing n complexity, as well as tunneling overhead.<br> <br></div><div class="im"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
, and put a bunch of source policy rules to make sure<br>
each packet gets routed through the right gateway for its source<br>
address. Assuming the case of n upstreams, that's n gateways, and n-1<br>
tunnels originating on each gateway. Since there's no reason to have<br>
more than two upstreams (the cheap one and the reliable one), that's<br>
very reasonable.<br></blockquote></div><div><br>Consider an apartment building. You play games regularly with your downstairs neighbor,<br>he exchanges files with the gal across the hall, she has a wireless link beaming down<br>
to her favorite coffee shop, the coffee shop has links to the vpn back to Costa Rica,<br>the Costa Rican office has ties to several dozen more coffee shops, the government,<br>and the local military...<br></div><div><br>
and each gets their service from a different ISP...<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
> I was trying to come up with a sane set of filters using the filter<br>
> rules, and failed.<br>
<br>
</div>Please try again.<br></blockquote></div><div><br>I am learning more about the ip rule database system, and babel's filters, <br>and missing functionality in ip6tables than I ever wanted to know...<br>
<br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span><font color="#888888"><br>
-- Juliusz<br>
</font></span></blockquote></div><div class="HOEnZb"><div class="h5"><br><br clear="all"><br>-- <br>Dave Täht<br>SKYPE: davetaht<br>US Tel: <a href="tel:1-239-829-5608" value="+12398295608" target="_blank">1-239-829-5608</a><br>
FR Tel: 0638645374<br><a href="http://www.bufferbloat.net" target="_blank">http://www.bufferbloat.net</a><br>
</div></div></div><br><br clear="all"><br>-- <br>Dave Täht<br>SKYPE: davetaht<br>US Tel: 1-239-829-5608<br>FR Tel: 0638645374<br><a href="http://www.bufferbloat.net" target="_blank">http://www.bufferbloat.net</a><br>
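The source-based policy routing Juliusz describes above (one routing table per source prefix, a default route out the local upstream for the local prefix, and a GRE tunnel to the gateway that owns every other prefix), as an added shell example that is not part of the thread. Gateway names, the RFC 3849 documentation prefixes, interface names, tunnel names and table numbers are constructed assumptions; the script prints the ip(8) commands for review rather than running them.

```shell
# Added example, not from the thread: emit (do not run) the per-source policy
# routing commands for one gateway in the n-upstream / n-gateway scheme, where
# each gateway has n-1 GRE tunnels and one routing table per source prefix.
# Assumptions (constructed): gateways gw1..gw3, one /48 each from the RFC 3849
# documentation range, a tunnel named gre-<name> already exists to every other
# gateway, and routing tables 101.. are unused on this box.
TOPOLOGY='gw1 2001:db8:1::/48 eth0 fe80::1
gw2 2001:db8:2::/48 eth1 fe80::2
gw3 2001:db8:3::/48 eth2 fe80::3'

# gen_policy_routing <local_gateway_name>
# Reads "name prefix upstream_dev upstream_nexthop" lines on stdin and prints
# the ip(8) commands the named gateway needs. Table number = 100 + line number.
gen_policy_routing() {
    me="$1"
    table=100
    while read -r name prefix dev nexthop; do
        [ -n "$name" ] || continue
        table=$((table + 1))
        if [ "$name" = "$me" ]; then
            # Our own prefix: default route straight out our own upstream.
            echo "ip -6 route add default via $nexthop dev $dev table $table"
        else
            # Another gateway's prefix: hand it over the tunnel to that gateway,
            # whose upstream accepts that source address (ingress filtering).
            echo "ip -6 route add default dev gre-$name table $table"
        fi
        # Source-address rule: traffic sourced from this prefix uses this table,
        # so it leaves via the upstream that will not drop it as spoofed.
        echo "ip -6 rule add from $prefix lookup $table priority $table"
    done
}

# Review the output first; pipe it into sh as root once it looks right.
printf '%s\n' "$TOPOLOGY" | gen_policy_routing gw1
```

The same topology file is fed to every gateway with its own name as the argument, so each box gets a local default route for its own prefix and tunnel routes for the others.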