Re: OpenBSD as IPv4+6 gateway
On Fri, 22 Jun 2012 17:34:39 -0500, Paul de Weerd wrote:

> "It makes renumbering easier" is a very poor argument. Renumbering is just as easy whether you use /64s or /126s. Simply replace the first 64 bits and .. tadaa.wav .. you've renumbered.

I can't seem to grasp why anyone is worried about renumbering at all. The only time we'd ever have to do that is if someone picked up all their equipment and took it to another physical hosting location. Our allocation is ours and we can advertise it out any providers we want for eternity.
Re: OpenBSD as IPv4+6 gateway
On 2012-06-22, Mark Felder wrote:

> Now /127s would of course be equal to using /31s in IPv4 which I find interesting but dangerous (compatibility is sketchy outside Cisco from what I've seen,

IPv4 /31's work nicely in OpenBSD since 5.0, by the way. I'm using them for point-to-point links with ospfd.
Re: OpenBSD as IPv4+6 gateway
On 2012-06-21, Mark Felder wrote:

> On Thu, 21 Jun 2012 16:34:51 -0500, Ryan Kirk wrote:
>
>> In my limited experience with ipv6, this has been the case. The provider has you on a /64 of their own (not part of your /48), so your WAN interface would have one of their IP's on it, and they should tell you exactly what it should be. Just as it's done in IPv4. Your own personal /48 is then routed through that IP. You can assign more IP's from your /48 to your WAN interface, of course, by dedicating a /64 to it. But you will always need to have at least the one ISP IP on it.
>
> The provider shouldn't be using a /64 for the link net. That means your router is getting the broadcasts from everyone else on that link net.

They can lay out their network how they like, but it is certainly not uncommon to use /64 link nets with just the two hosts on.

> The provider should be setting aside something like a /64 for link nets and actually be giving you /126s.

Opinions differ. Suggestions include at least /127 (as recommended by RFC 6164), /126, /112 (for ease of reverse dns delegation), /64...
Re: OpenBSD as IPv4+6 gateway
On Fri, Jun 22, 2012 at 02:42:24PM +1000, Rod Whitworth wrote:
| On Thu, 21 Jun 2012 18:52:18 -0500, Mark Felder wrote:
|
| >On Thu, 21 Jun 2012 18:39:24 -0500, Rod Whitworth wrote:
| >
| >> It is not a "school of thought" - it is how it is. I have seen one /126 out in the wild but it is very lonely.
| >
| >I work at an ISP/datacenter. We use /126s for the link net. Handing out /64's "because you can" is stupid in my worthless opinion :-)
| >
|
| It's not because you can, it's because it's best practice, it makes renumbering easier and most of all when you use /64s your subnet addresses are so easily readable.

"It makes renumbering easier" is a very poor argument. Renumbering is just as easy whether you use /64s or /126s. Simply replace the first 64 bits and .. tadaa.wav .. you've renumbered.

It's not best practice at all. It's common practice. Doesn't make it best. The fact that (older) RFCs told you not to do it is irrelevant, there are now also RFCs that want to prohibit NAT for IPv6 - I'm not sure what is more ridiculous.

| What do you have?
| /24 ?
| /32 ?
| /48 ?
| /56 ?
| All of the above have xx00:0:0:0:0:0 as the last part of the address and when you slice off /64s they all have 0:0:0:0 as the last four words so documenting is easy for any of your subnets.

You can also say: "This /64 is for point-to-point links" and then document each and every one in there by the remaining 64 bits. Further class 'em up into customer-id (16, 32 or 48 bits) and line-id (48, 32 or 16 bits). Or split up even further. Either way will result in a pretty sparse usage of subnets for point-to-point connections. Or, use a /64 per customer, if that makes sense for you. Do what makes sense, not what you read on the internet (unless the two match, of course, which is often (but not always) the case).

| But I guess that being ultra-frugal with subnet prefixlen is really important for operators who have more clients than there are grains of sand on the face of the earth.
| That's roughly a /57's worth.

This remains a weird argument at best. If you get a /32 from your RIR and every subnet *MUST BE* a /64, you can have "only" 4B subnets. Now that seems like a lot, but what if you want to have some sensible numbering in there, identifying customers, identifying VLANs, identifying whatever. How many bits will you use for that? What makes sense? Can you guarantee it's always going to fit in every situation?

You can have sensible, easy to understand and to explain numbering schemes with v6. I have my doubts this is true for every environment if you strictly adhere to the /64-per-configured-interface rule.

Oh, earlier in this thread you also made the link-local argument. Funny. Note how that is *always the same* /64. There's deeper reasons for link-local being a /64 than "because a network is a /64". (Note that I'm not saying these reasons are good, Claudio!)

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
Re: OpenBSD as IPv4+6 gateway
On Fri, 22 Jun 2012 08:38:04 -0500, Simon Perreault wrote:

> This is ridiculous. You should be allocating all your PtP links out of a single prefix protected by an ACL at your border. All packets to the PtP prefix need to be dropped. You should be doing this no matter the size of your PtP links. The attack is impossible with good operational practices.

If I was building from the ground up I might be inclined to agree, but if you're adding IPv6 to an existing infrastructure it isn't always that feasible. We have many physical locations and many borders. Not every border consists of equipment that could properly ACL this, and an ISP can't just throw firewalls on the edges of their network.
Re: OpenBSD as IPv4+6 gateway
On 2012-06-22 09:13, Mark Felder wrote:

> All someone out on the 'net needs to do is scan up through your address space on the link as quickly as possible, sending single packets at all the non-existent addresses on the link, and watch as your router CPU starts to churn keeping track of all the neighbor discovery messages, state table updates, and incomplete age-outs.
>
> With the link configured as a /126, there's a very small limit to the number of neighbor discovery messages, and the amount of state table that needs to be maintained and updated for each PtP link.
>
> Yeah, I think we'll stick with our /126s.

This is ridiculous. You should be allocating all your PtP links out of a single prefix protected by an ACL at your border. All packets to the PtP prefix need to be dropped. You should be doing this no matter the size of your PtP links. The attack is impossible with good operational practices.

Simon
Re: OpenBSD as IPv4+6 gateway
>On 6/21/12 7:52 PM, Mark Felder wrote:
>> On Thu, 21 Jun 2012 18:39:24 -0500, Rod Whitworth wrote:
>>
>>> It is not a "school of thought" - it is how it is. I have seen one /126 out in the wild but it is very lonely.
>>
>> I work at an ISP/datacenter. We use /126s for the link net. Handing out /64's "because you can" is stupid in my worthless opinion :-)
>>
>
>They don't do it because they like you or are acting responsibly now, but because they need to find a different way to lock you in.
>
>(snip)
>
>But look at the real reason why /126, or /96, or /120 are given in Europe a lot, especially by France Telecom for example: it's not because they are so brilliant, but that's their way to lock you in with them and not make it easy for you to renumber, and if you ever had to do this for many computers and multiple subnets, and all, you know what I am talking about. No one is looking forward to that and in many cases, companies do not change ISP because of that simple fact.

Well let me brighten your week-end by putting your French woes in perspective with Spain's, btw unrelated to any financial crisis.

There is no IPv6; everybody is "working on it" and acting real busy but really has no fucking clue about IPv6 or 4. I lost about 5 months' work last Fall because my ISP silently started handing out "junk" IPv4 addresses from a previously unassigned block. Some routers (Ciscos and others) had them in a hardcoded blacklist and replied with counter-measures that'd light up Linux's oh-so-helpful security modules like a Christmas tree; they'd take my whole LAN down, over and again. I spent the whole time studying the Linux kernel until I switched to OpenBSD. My LAN's safe now but my connection's still shit.

Despite being Spain's 3rd largest city, Valencia has only two ISPs: Telefónica, the former state monopoly turned private monopoly, and Ono, a cable operator.

When the govt deregulated telecoms they privatised those fat tax-paid tubes as if they didn't contain 99% air / 1% fiber but water or gas. When Ono laid its cables it had to get city hall permits to close streets and dig up pavement. Every other ISP uses Telefónica's _service_ (not tubes or cables); RJ45 wall socket, installation receipt and modem are Telefónica's; you just get a different logo on your bill. The only funny parts are those ISPs' tech support "rain dance", since they can't do anything about it, and Telefónica's CEO insulting EU regulators for stifling innovation after paying the yearly fine.

Now Ono is out of cash and put a freeze on any new cabling at any price, however outrageous ("supply/demand?" Nope). Colt UK's Spanish subsidiary offered me symmetrical 4 mbps with a 3-year contract for 18'000 Euros... using Telefónica's rusty cables for the last mile. Before I told them to fuck off they assured me they'd "turn on the IPv6 box-thingy" by the end of the year, but if I blew someone they _might_ get me in their VIP beta-test sooner.

So, you don't need customer lock-in when the country's one giant jail.

Bonne fin de semaine,
--
p
Re: OpenBSD as IPv4+6 gateway
On Thu, 21 Jun 2012 20:00:17 -0500, Daniel Ouellet wrote:

> You could read the RFC 5375 for example, or a few more like 4291, 3587, and others like it.

Interesting. RFC 6547 moves "Use of /127 Prefix Length Between Routers Considered Harmful" (RFC 3627) to Historic status to reflect the updated guidance contained in "Using 127-Bit IPv6 Prefixes on Inter-Router Links" (RFC 6164).

RFC 6164 details the use of /127s as being OK now. Now /127s would of course be equal to using /31s in IPv4, which I find interesting but dangerous (compatibility is sketchy outside Cisco from what I've seen, and what happens if your emergency replacement hardware isn't identical and can't do /31s?)

There was a lengthy discussion about this on the nanog mailing list: http://seclists.org/nanog/2010/Jan/969

I find this to be a great point:

> On Mon, Jan 25, 2010 at 7:33 PM, Owen DeLong wrote:
>> On Jan 25, 2010, at 8:14 AM, Mathias Seiler wrote:
>>> Ok let's summarize:
>>>
>>> /64:
>>> + Sticks to the way IPv6 was designed (64 bits host part)
>>> + Probability of renumbering very low
>>> + simpler for ACLs and the like
>>> + rDNS on a bit boundary
>>> <> You can give your peers funny names, like 2001:db8::dead:beef ;)
>>> - Prone to attacks (scans, router CPU load)
>>
>> Unless of course you just block nonexistent addresses in the /64 at each end.
>
> uhm, how sensible is this? "Use 2^64 addresses, block all but the first 2"
> I'm confused by the goal of using a /64 on a ptp link that never will have more than 2 addresses on it?

This attack is described as:

> All someone out on the 'net needs to do is scan up through your address space on the link as quickly as possible, sending single packets at all the non-existent addresses on the link, and watch as your router CPU starts to churn keeping track of all the neighbor discovery messages, state table updates, and incomplete age-outs.

With the link configured as a /126, there's a very small limit to the number of neighbor discovery messages, and the amount of state table that needs to be maintained and updated for each PtP link.

Yeah, I think we'll stick with our /126s.
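A small model of the link-size argument in this post and of the border ACL Simon Perreault recommends earlier in the thread, added here as an example and not code from anyone's message: it counts the INCOMPLETE neighbor-cache entries a sweep of nonexistent on-link addresses would leave on a router with a /64 versus a /126 link, and shows that dropping everything aimed at the point-to-point aggregate at the border removes them regardless of link size. The operator /32, the PtP aggregate, the link addresses and the outside source address are constructed documentation values.

```python
"""Model of ND-cache pressure on a point-to-point link and of a border filter
that drops all traffic destined to the PtP aggregate (added example)."""
import ipaddress

IPv6Address = ipaddress.IPv6Address
IPv6Network = ipaddress.IPv6Network

# Constructed operator layout: a /32 from the RIR, a /48 inside it reserved
# for every point-to-point link, and one link carved out of that /48.
OPERATOR_BLOCK = IPv6Network("2001:db8::/32")
PTP_AGGREGATE = IPv6Network("2001:db8:ffff::/48")
# The two router addresses configured on the link (same for a /64 or a /126).
LINK_ENDPOINTS = {IPv6Address("2001:db8:ffff:1::1"),
                  IPv6Address("2001:db8:ffff:1::2")}


def probeable_addresses(prefixlen: int) -> int:
    """Addresses an outsider could aim at on a link of the given size:
    the 'scan up through your address space on the link' surface."""
    return 2 ** (128 - prefixlen)


def border_allows(src: IPv6Address, dst: IPv6Address) -> bool:
    """Border rule: anything from outside the operator's own block that is
    destined to the PtP aggregate is dropped; everything else passes."""
    return not (dst in PTP_AGGREGATE and src not in OPERATOR_BLOCK)


def incomplete_nd_entries(link: IPv6Network, packets, border_filter: bool) -> set:
    """Return the INCOMPLETE neighbor-cache entries a router on `link` holds
    after forwarding `packets` (pairs of src, dst).

    A packet to an on-link address that is no configured endpoint makes the
    router solicit a neighbor that does not exist, leaving an INCOMPLETE
    entry behind until it ages out; packets for other destinations are
    routed onward and create no neighbor state at all."""
    incomplete = set()
    for src, dst in packets:
        if border_filter and not border_allows(src, dst):
            continue
        if dst in link and dst not in LINK_ENDPOINTS:
            incomplete.add(dst)
    return incomplete


def sweep(link: IPv6Network, count: int, src: IPv6Address):
    """Constructed traffic for the model: one packet from `src` to each of
    the first `count` addresses on `link` (all of them on a small link)."""
    limit = min(count, link.num_addresses)
    return [(src, link[i]) for i in range(limit)]


def compare_link_sizes(count: int = 1000) -> dict:
    """Run the same sweep against a /64 and a /126 link, with and without
    the border filter, and report how many INCOMPLETE entries each leaves."""
    outsider = IPv6Address("3fff::1")   # constructed, outside OPERATOR_BLOCK
    result = {}
    for plen in (64, 126):
        link = IPv6Network(f"2001:db8:ffff:1::/{plen}")
        pkts = sweep(link, count, outsider)
        result[plen] = {
            "probeable": probeable_addresses(plen),
            "unfiltered": len(incomplete_nd_entries(link, pkts, False)),
            "filtered": len(incomplete_nd_entries(link, pkts, True)),
        }
    return result


if __name__ == "__main__":
    for plen, r in compare_link_sizes().items():
        print(f"/{plen}: {r['probeable']} probeable addresses, "
              f"{r['unfiltered']} INCOMPLETE entries without the border ACL, "
              f"{r['filtered']} with it")
```

The /126 caps the leftover state at two entries no matter how long the sweep runs, while the /64 grows with every packet until the ACL is in place; note the filter still lets traffic from inside the operator block reach the router addresses.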
Re: OpenBSD as IPv4+6 gateway
On 2012-06-21 22:00, Hugo Osvaldo Barrera wrote:
> On 2012-06-21 17:22, Simon Perreault wrote:
>> On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
>>> I have read a great deal regarding IPv6 and IIRC, if I subnet my network block, my ISP would have to know it has to route traffic to that subnet through the WAN IP address of my router.
>>
>> Yes. If they don't allow that, then they don't know what they are doing. You're not supposed to assign a /48 to a single link. A single link gets a /64.
>
> But how would they know though which single IP to route the rest of the subnets?
>
> I mean, if I assign:
> 2800:40:402:::1/64 to my router's WAN interface (2800:40:402::: is its default gateway)
> 2800:40:402::1/64 to its LAN interface
> 2800:40:402::2/64 to one of my clients
>
> Doesn't my ISP need to know that traffic to 2800:40:402::1 should be routed through 2800:40:402:::1?

Yes. They need to tell you the address. Call and ask them.

Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
Re: OpenBSD as IPv4+6 gateway
On Thu, 21 Jun 2012 18:52:18 -0500, Mark Felder wrote:
>On Thu, 21 Jun 2012 18:39:24 -0500, Rod Whitworth wrote:
>
>> It is not a "school of thought" - it is how it is. I have seen one /126 out in the wild but it is very lonely.
>
>I work at an ISP/datacenter. We use /126s for the link net. Handing out /64's "because you can" is stupid in my worthless opinion :-)
>

It's not because you can, it's because it's best practice, it makes renumbering easier and most of all when you use /64s your subnet addresses are so easily readable.

What do you have?
/24 ?
/32 ?
/48 ?
/56 ?
All of the above have xx00:0:0:0:0:0 as the last part of the address and when you slice off /64s they all have 0:0:0:0 as the last four words so documenting is easy for any of your subnets.

But I guess that being ultra-frugal with subnet prefixlen is really important for operators who have more clients than there are grains of sand on the face of the earth.
That's roughly a /57's worth.

8-))

*** NOTE *** Please DO NOT CC me. I subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thankyou.

Rod/
---
This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
Re: OpenBSD as IPv4+6 gateway
On Thu, 21 Jun 2012 20:00:17 -0500, Daniel Ouellet wrote:

> Have fun, but please read the RFC and don't suggest assignment based on school of thought. Try to do it right from the start and save yourself pain down the road now.

The number of customers asking for IPv6 right now I can probably count on one hand, so this can quickly be changed. Your mention of the routing table has me thinking about some long-term dire consequences though.

And yes, this is going to be a comedy of errors for quite some time. People can't grasp the concept of firewalling+routing vs firewalling+NAT. We have customers with /24s who choose to do 1:1 NAT at their firewall instead of just routing the damn IPs. And then they wonder why they have to upgrade their firewall hardware because it can't handle that many NAT entries/states.
Re: OpenBSD as IPv4+6 gateway
Heya

On Fri, Jun 22, 2012 at 2:00 PM, Hugo Osvaldo Barrera <h...@osvaldobarrera.com.ar> wrote:
> On 2012-06-21 17:22, Simon Perreault wrote:
> > On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
> >> I have read a great deal regarding IPv6 and IIRC, if I subnet my network block, my ISP would have to know it has to route traffic to that subnet through the WAN IP address of my router.
> >
> > Yes. If they don't allow that, then they don't know what they are doing. You're not supposed to assign a /48 to a single link. A single link gets a /64.
>
> But how would they know though which single IP to route the rest of the subnets?
>
> I mean, if I assign:
> 2800:40:402:::1/64 to my router's WAN interface
> (2800:40:402::: is its default gateway)
> 2800:40:402::1/64 to its LAN interface
> 2800:40:402::2/64 to one of my clients
>
> Doesn't my ISP need to know that traffic to 2800:40:402::1 should be routed through 2800:40:402:::1?
>

What you have outlined there is that the ISP has configured their upstream device such that it is directly connected to your entire IPv6 allocation. If that is how they want to do things, then your best hope is to define the /64 between their space and yours as being 2800:40:402:::/64, and asking them to configure their upstream device to deliver 2800:40:402::/48 to 2800:40:402:::1

Alternatively, ask them for a linking allocation to remove the block allocated to you from being directly attached to one of their devices.

Shane
Re: OpenBSD as IPv4+6 gateway
On 6/21/12 7:52 PM, Mark Felder wrote:
> On Thu, 21 Jun 2012 18:39:24 -0500, Rod Whitworth wrote:
>> It is not a "school of thought" - it is how it is. I have seen one /126 out in the wild but it is very lonely.
>
> I work at an ISP/datacenter. We use /126s for the link net. Handing out /64's "because you can" is stupid in my worthless opinion :-)

It just makes everything less efficient and as IPv6 is all done by the processor, as no ASIC processes that IPv6 mess yet, then... well, whatever.

As for the school of thought, as Rod said, it's not a school of thought, it's how the RFC said you should assign them, period.

You could read RFC 5375 for example, or a few more like 4291, 3587, and others like it.

The reason why many ISPs are assigning different sizes and not the /48, or /56 in some cases, or even the /64, is because IPv6 does have and would allow you to actually change ISP without the need for renumbering, depending on the process of IP allocation you use. See RFC 4291 for example. I do not argue the good or bad of it. That's a totally different question.

Plus when you need to carry these routes in your iBGP, or OSPF, or whatever your poison is, you have lots more small routes than needed, etc.

Just think about it, when only IPv4 was available, the ISPs at large wasted it, no questions asked; now they have more than they could possibly use regardless of how they might want to waste it, so doing /120, or /126, or whatnot to a single customer is NOT because they are all suddenly conscientious and just woke up, it's because it makes them lock you in and not allow you to easily switch ISP if you get pissed and, let's face it, if you run a decent size office, renumbering is and always has been painful.

They don't do it because they like you or are acting responsibly now, but because they need to find a different way to lock you in.

Same reason why do we have NAT for IPv6!?! Really, who could possibly need that with the address space we have today.

NAT was invented to compensate for IPv4 depletion, but way too many early IT guys used it as a simple way to provide a security setup and forgot how to do it right. It's just easier for them, however with the higher bandwidth usage we have today they start to run into problems when NAT is in use and you see jitter, latency and whatnot caused by it, but they are clueless about it.

So, don't get me started on the stupidity of IPv6 and how the assignment is now done. Does anyone actually need a /64 for a company, or possibly a /56 for a single house connection as the RFC specifies it? Not really, and a /64 for the point to point link, I don't think so, but if we are going to use it, then use it as it was designed for with its pros and cons.

But look at the real reason why /126, or /96, or /120 are given in Europe a lot, especially by France Telecom for example: it's not because they are so brilliant, but that's their way to lock you in with them and not make it easy for you to renumber, and if you ever had to do this for many computers and multiple subnets, and all, you know what I am talking about. No one is looking forward to that and in many cases, companies do not change ISP because of that simple fact.

One thing that IPv6 made good for users was the possibility to switch ISP overnight with no need to renumber their address space. BIG ISPs caught on to that and do everything possible to not let you have that choice! They do not want to improve their service to you so that you do not look anywhere else for good connectivity, but are working in ways to limit your choice and pretend to do it under the umbrella of IP conservation when everyone knows these same ISPs wasted IPv4 like crazy before as they can't manage it properly anyway.

Again, I am not arguing on the merits of IPv6 or the flaws of it, and there are plenty, but if you are going to use it and roll it out, then at a minimum do it as it is supposed to be done and don't try to create a school of thought that is not based on merit but on ways to lock people in and that doesn't stand on its own justification and merit.

I will grant you this however: with how they want the assignment to be done, the address space is sure getting wasted plenty fast as well, with size accordingly obviously.

The funny part or sad part, depending how you actually understand proper setup, is that you will still see countless users using NAT for IPv6 that have a /48 assigned to them... How crazy is that! If you ever realize that NAT does have an impact on your network performance at high bandwidth, just wait until you do this for IPv6 and see.

Have fun, but please read the RFC and don't suggest assignment based on school of thought. Try to do it right from the start and save yourself pain down the road now.

Daniel
Re: OpenBSD as IPv4+6 gateway
On 2012-06-21 17:22, Simon Perreault wrote:
> On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
>> I have read a great deal regarding IPv6 and IIRC, if I subnet my network block, my ISP would have to know it has to route traffic to that subnet through the WAN IP address of my router.
>
> Yes. If they don't allow that, then they don't know what they are doing. You're not supposed to assign a /48 to a single link. A single link gets a /64.

But how would they know though which single IP to route the rest of the subnets?

I mean, if I assign:
2800:40:402:::1/64 to my router's WAN interface (2800:40:402::: is its default gateway)
2800:40:402::1/64 to its LAN interface
2800:40:402::2/64 to one of my clients

Doesn't my ISP need to know that traffic to 2800:40:402::1 should be routed through 2800:40:402:::1?

>
>> The alternative would be to proxy ndp and have OpenBSD forward packets, yet I don't see a way to proxy an entire subnet using ndp.
>
> Right, because you shouldn't do that, especially in IPv6 with the 64 bits of addressing for a single subnet.
>
>> Am I missing something perhaps?
>
> Call the support and ask them for the missing information?
>
> You're definitely not supposed to bridge.
>
> Simon
>

--
Hugo Osvaldo Barrera
Re: OpenBSD as IPv4+6 gateway
On Thu, 21 Jun 2012 18:39:24 -0500, Rod Whitworth wrote:

> It is not a "school of thought" - it is how it is. I have seen one /126 out in the wild but it is very lonely.

I work at an ISP/datacenter. We use /126s for the link net. Handing out /64's "because you can" is stupid in my worthless opinion :-)
Re: OpenBSD as IPv4+6 gateway
On Thu, 21 Jun 2012 18:28:05 -0400, Michael Lambert wrote:
>On 21 Jun 2012, at 18:04, Mark Felder wrote:
>
>> The provider shouldn't be using a /64 for the link net. That means your router is getting the broadcasts from everyone else on that link net. The provider should be setting aside something like a /64 for link nets and actually be giving you /126s.

No. The smallest network IS a /64. This even applies to link-local addresses which are only used for point-to-point connections. Just run ifconfig on your machine and see.

Your ISP has enough /64s to give you one that contains no other clients.

>
>There is a school of thought that says point-to-point links should be allocated /64s, just like LAN subnets. Not everyone agrees. I like /120s to keep things octet-aligned for reverse DNS.

It is not a "school of thought" - it is how it is. I have seen one /126 out in the wild but it is very lonely.

I manage a /32 and that would let me hand out as many /64s as there are IPv4 addresses in total (4G).

My ISP for my home connection uses a dynamic /64 per client to carry my /56 which is sliced up here to use 4 /64s for my various LANs. The fact that the link has a dynamic address is irrelevant as the ISP routes all traffic to me over the link whatever address it currently has. There are no packets travelling on the link that are not for me.

R/
Re: OpenBSD as IPv4+6 gateway
On Thu, 21 Jun 2012 17:28:05 -0500, Michael Lambert wrote:

> There is a school of thought that says point-to-point links should be allocated /64s, just like LAN subnets. Not everyone agrees. I like /120s to keep things octet-aligned for reverse DNS.

I was under the assumption that all customers were sharing the same /64 for their link nets. Either way, this is a really bizarre usage of the abundant ipv6 space. :-)
Re: OpenBSD as IPv4+6 gateway
On 21 Jun 2012, at 18:04, Mark Felder wrote:

> The provider shouldn't be using a /64 for the link net. That means your router is getting the broadcasts from everyone else on that link net. The provider should be setting aside something like a /64 for link nets and actually be giving you /126s.

There is a school of thought that says point-to-point links should be allocated /64s, just like LAN subnets. Not everyone agrees. I like /120s to keep things octet-aligned for reverse DNS.

Michael
Re: OpenBSD as IPv4+6 gateway
On Thu, 21 Jun 2012 16:34:51 -0500, Ryan Kirk wrote:

> In my limited experience with ipv6, this has been the case. The provider has you on a /64 of their own (not part of your /48), so your WAN interface would have one of their IP's on it, and they should tell you exactly what it should be. Just as it's done in IPv4. Your own personal /48 is then routed through that IP. You can assign more IP's from your /48 to your WAN interface, of course, by dedicating a /64 to it. But you will always need to have at least the one ISP IP on it.

The provider shouldn't be using a /64 for the link net. That means your router is getting the broadcasts from everyone else on that link net. The provider should be setting aside something like a /64 for link nets and actually be giving you /126s.
Re: OpenBSD as IPv4+6 gateway
In my limited experience with ipv6, this has been the case. The provider has you on a /64 of their own (not part of your /48), so your WAN interface would have one of their IP's on it, and they should tell you exactly what it should be. Just as it's done in IPv4. Your own personal /48 is then routed through that IP. You can assign more IP's from your /48 to your WAN interface, of course, by dedicating a /64 to it. But you will always need to have at least the one ISP IP on it.

RK

On Thu, Jun 21, 2012 at 4:22 PM, Simon Perreault wrote:
> On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
>> I have read a great deal regarding IPv6 and IIRC, if I subnet my network block, my ISP would have to know it has to route traffic to that subnet through the WAN IP address of my router.
>
> Yes. If they don't allow that, then they don't know what they are doing. You're not supposed to assign a /48 to a single link. A single link gets a /64.
>
>> The alternative would be to proxy ndp and have OpenBSD forward packets, yet I don't see a way to proxy an entire subnet using ndp.
>
> Right, because you shouldn't do that, especially in IPv6 with the 64 bits of addressing for a single subnet.
>
>> Am I missing something perhaps?
>
> Call the support and ask them for the missing information?
>
> You're definitely not supposed to bridge.
>
> Simon
Re: OpenBSD as IPv4+6 gateway
On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
> I have read a great deal regarding IPv6 and IIRC, if I subnet my network block, my ISP would have to know it has to route traffic to that subnet through the WAN IP address of my router.

Yes. If they don't allow that, then they don't know what they are doing. You're not supposed to assign a /48 to a single link. A single link gets a /64.

> The alternative would be to proxy ndp and have OpenBSD forward packets, yet I don't see a way to proxy an entire subnet using ndp.

Right, because you shouldn't do that, especially in IPv6 with the 64 bits of addressing for a single subnet.

> Am I missing something perhaps?

Call the support and ask them for the missing information?

You're definitely not supposed to bridge.

Simon
Re: OpenBSD as IPv4+6 gateway
On 2012-06-21 09:52, Simon Perreault wrote:
> On 2012-06-21 03:46, Hugo Osvaldo Barrera wrote:
>> My assigned block is 2800:40:402::0/48
>> My default gateway is 2800:40:402::: (it's inside my assigned block).
>
> Hugo,
>
> Friendly suggestion: read a book on IPv6. If you had understood the above information, you wouldn't be talking about "bridging". This makes me think that your question isn't about OpenBSD, it is about IPv6. You need to understand IPv6 first, and then when you know exactly what you want on a protocol level you can come back and ask how to do it in OpenBSD.
>
> Simon
>

I have read a great deal regarding IPv6, and IIRC, if I subnet my network block, my ISP would have to know it has to route traffic to that subnet through the WAN IP address of my router.

The alternative would be to proxy ndp and have OpenBSD forward packets, yet I don't see a way to proxy an entire subnet using ndp.

Am I missing something perhaps?

--
Hugo Osvaldo Barrera
Re: OpenBSD as IPv4+6 gateway
On 2012-06-21 03:46, Hugo Osvaldo Barrera wrote:
> My assigned block is 2800:40:402::0/48
> My default gateway is 2800:40:402::: (it's inside my assigned block).

Hugo,

Friendly suggestion: read a book on IPv6. If you had understood the above information, you wouldn't be talking about "bridging". This makes me think that your question isn't about OpenBSD, it is about IPv6. You need to understand IPv6 first, and then when you know exactly what you want on a protocol level you can come back and ask how to do it in OpenBSD.

Simon
Re: OpenBSD as IPv4+6 gateway
On 2012-06-21 04:39, Jérémie Courrèges-Anglas wrote:
> Hugo Osvaldo Barrera writes:
>
> [...]
>
>>> ... how does your ISP provide you IPv6 connectivity? I can't see why someone couldn't use proper subnetting, being given a /48. You should also tell us how you get v4 connectivity, I think.
>>
>> I get a /48 block, and a gateway I should use. As for IPv4, I get an IP address, and a gateway I should use.
>
> What's the address of the gateway, then? Is it part of your /48? Is there any equipment furnished by your ISP involved? C'mon, just provide raw information.

Sorry, I didn't mean to withhold any information;

My assigned block is 2800:40:402::0/48
My default gateway is 2800:40:402::: (it's inside my assigned block).

I've a single static IPv4 address, and a default gateway to use with it.

Not totally relevant, but I also received a couple of DNS servers they provide, capable of resolving IPv4 and records fine.
They provide no DHCP, RA, etc; manual configuration must be done on the client side.

My ISP gives me a single device (modem) with an ethernet port (and an RJ11 port on the other end that goes over to the ISP's network). It doesn't have an IP address AFAIK, and merely bridges everything over to the ISP's network.

>
>> If I subnet the IPv6 block, and set up my server as a router, wouldn't my ISP have to know which IP is the route to my subnet?
>
> Probably, but see my question above. What exact instructions were you given? What's your ISP? Are there online docs?

There are no docs, my ISP is Iplan (Argentina), and IPv6 isn't provided mainstream, only to certain users.

>
> I may be missing something, but still...
>
> [...]
>

--
Hugo Osvaldo Barrera
Re: OpenBSD as IPv4+6 gateway
Hugo Osvaldo Barrera writes:

[...]

>> ... how does your ISP provide you IPv6 connectivity? I can't see why
>> someone couldn't use proper subnetting, being given a /48. You should
>> also tell us how you get v4 connectivity, I think.
>
> I get a /48 block, and a gateway I should use. As for IPv4, I get an IP
> address, and a gateway I should use.

What's the address of the gateway, then? Is it part of your /48?
Is there an equipment furnished by your ISP involved? C'mon, just
provide raw information.

> If I subnet the IPv6 block, and set up my server as a router, wouldn't
> my ISP have to know which IP is the route to my subnet?

Probably, but see my question above. What exact instructions were you
given? What's your ISP? Are there online docs?

I may be missing something, but still...

[...]

--
Jérémie Courrèges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: OpenBSD as IPv4+6 gateway
On 2012-06-21 03:05, Jérémie Courrèges-Anglas wrote:
> Hugo Osvaldo Barrera writes:
>
>> Hi,
>
> Hi.
>
>> I'm trying to evaluate how to set up my OpenBSD server as an internet
>> gateway.
>>
>> I've a static IPv4 address, and a /48 IPv6 block.
>> I've already NATed IPv4 using PF, but I'm in doubt on how to bridge the
>> IPv6 part without breaking the IPv4 NAT.
>>
>> I'll assume lan=eth0 and wan=eth1 to make this a bit more readable.
>
> Sadly, what should we understand here? Are they really both ethernet
> interfaces?

I just meant to give them names to reference them more easily later on. Yes; they're just two ethernet interfaces.

>
>> From what I've managed to think up, I'd have to bridge both interfaces
>> (eth0/eth1), and use PF to disallow traffic to/from private IP4s on eth1.
>
> Bridging can be seen as an ugly solution when you only get a /64 from
> your ISP, and you have to let RAs go through. Slightly less ugly, ndp
> proxying. I've not tested it, though, but I believe ndp(8) could be
> used here. But...

My ISP doesn't seem to be running any RA actually (more related info below).

>
>> My doubt is: if I bridge both interfaces, can I still NAT properly?
>> If br0 contains eth1 and eth0, can I bridge "from br0 to br0"?
>> This may sound odd, but br0 has actually two IPv4 addresses; the private
>> and public.
>>
>> Also, if eth1 is bridged, I can still drop packets using pf properly,
>> right? (discarding private-network packets on it is what I've in mind).
>>
>> Is this the proper solution? Or is there some other way I haven't
>> thought of?
>
> ... how does your ISP provide you IPv6 connectivity? I can't see why
> someone couldn't use proper subnetting, being given a /48. You should
> also tell us how you get v4 connectivity, I think.

I get a /48 block, and a gateway I should use. As for IPv4, I get an IP address, and a gateway I should use.

If I subnet the IPv6 block, and set up my server as a router, wouldn't my ISP have to know which IP is the route to my subnet? Or is this what you mean by ndp proxying? I still don't understand how to set up pf to forward the appropriate packets if I managed to do that.

>
> HTH
> --
> Jérémie Courrèges-Anglas
> GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
>

Sorry, I should have mentioned those details in the first place.

--
Hugo Osvaldo Barrera
Re: OpenBSD as IPv4+6 gateway
Hugo Osvaldo Barrera writes:

> Hi,

Hi.

> I'm trying to evaluate how to set up my OpenBSD server as an internet
> gateway.
>
> I've a static IPv4 address, and a /48 IPv6 block.
> I've already NATed IPv4 using PF, but I'm in doubt on how to bridge the
> IPv6 part without breaking the IPv4 NAT.
>
> I'll assume lan=eth0 and wan=eth1 to make this a bit more readable.

Sadly, what should we understand here? Are they really both ethernet
interfaces?

> From what I've managed to think up, I'd have to bridge both interfaces
> (eth0/eth1), and use PF to disallow traffic to/from private IP4s on eth1.

Bridging can be seen as an ugly solution when you only get a /64 from
your ISP, and you have to let RAs go through. Slightly less ugly, ndp
proxying. I've not tested it, though, but I believe ndp(8) could be
used here. But...

> My doubt is: if I bridge both interfaces, can I still NAT properly?
> If br0 contains eth1 and eth0, can I bridge "from br0 to br0"?
> This may sound odd, but br0 has actually two IPv4 addresses; the private
> and public.
>
> Also, if eth1 is bridged, I can still drop packets using pf properly,
> right? (discarding private-network packets on it is what I've in mind).
>
> Is this the proper solution? Or is there some other way I haven't
> thought of?

... how does your ISP provide you IPv6 connectivity? I can't see why
someone couldn't use proper subnetting, being given a /48. You should
also tell us how you get v4 connectivity, I think.

HTH
--
Jérémie Courrèges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
OpenBSD as IPv4+6 gateway
Hi,

I'm trying to evaluate how to set up my OpenBSD server as an internet gateway.

I've a static IPv4 address, and a /48 IPv6 block.
I've already NATed IPv4 using PF, but I'm in doubt on how to bridge the IPv6 part without breaking the IPv4 NAT.

I'll assume lan=eth0 and wan=eth1 to make this a bit more readable.

From what I've managed to think up, I'd have to bridge both interfaces (eth0/eth1), and use PF to disallow traffic to/from private IP4s on eth1.

My doubt is: if I bridge both interfaces, can I still NAT properly?
If br0 contains eth1 and eth0, can I bridge "from br0 to br0"?
This may sound odd, but br0 has actually two IPv4 addresses; the private and public.

Also, if eth1 is bridged, I can still drop packets using pf properly, right? (discarding private-network packets on it is what I've in mind).

Is this the proper solution? Or is there some other way I haven't thought of?

Cheers, thanks,
--
Hugo Osvaldo Barrera