SixXS Tunnel vs. Subnet?
Shadow Hawkins on Wednesday, 15 October 2008 03:37:41
I've been reading all the various FAQs and through these forum posts, and still have a basic question about the addressing scheme.
I just received my "tunnel" account. It's through uschi02.sixxs.net, as shown at http://www.sixxs.net/pops/yourorg/. I see that 2 separate address ranges are used for "tunnels" and "subnets".
https://www.sixxs.net/faq/connectivity/?faq=usingsubnet states that "in tunnels from the /64 only ::1 (the PoP) and ::2 (your endpoint) can be used". And if I understand correctly, any requested subnets are allocated out of the 2nd range? If so, what is the purpose of doing this, rather than just enabling subnets? Is this just due to the IPv6 routing boundary of 64 bits?
I understand that saying that there is an abundance of addresses in IPv6 is an understatement. But just so I understand correctly, does this mean that the other 4,294,967,296 addresses from ::3 to FFFF:FFFF:FFFF:FFFF are simply unused for the "simpler" SixXS Tunnel accounts?
Thanks!
SixXS Tunnel vs. Subnet?
Jeroen Massar on Wednesday, 15 October 2008 11:04:45
The tunnel is for connecting your host/router to the PoP, the tunnel acts as a transit network.
The subnet is what you use at your site, this will be a /48. These indeed come from a separate range. Depending on the PoP we generally have a /40 per PoP, where the first /48 is for tunnels, the other 255 /48's are given out to users. deham01 for instance has a /39 because of the amount of users behind it.
Our system does not support unnumbered interfaces, as such you require a transit network for the tunnel. We could have taken the first /64 out of the /48, but not everybody needs a /48 anyway. Also, now always ::2 is the user, ::1 is the PoP, this makes debugging easy, and it also makes it clear in traceroutes how packets flow.
And yes, out of the /64 for the tunnel, only ::1 and ::2 are used at the moment, thus indeed 2^64 - 3 (:: is the subnet anycast address) addresses are unused.
The /48 contains 65536 /64's and I am pretty sure you won't use all of these either.
SixXS Tunnel vs. Subnet?
Shadow Hawkins on Tuesday, 04 November 2008 17:38:17
Do you think it would be possible to move the IPv6 address on the client from the tun0 interface to another interface, like a loopback interface? From the point of view of the client, tun0 would be an unnumbered interface while still keeping the /64 tunnel IPs.
SixXS Tunnel vs. Subnet?
Jeroen Massar on Tuesday, 04 November 2008 20:51:14
The Tunnel /64 is for the transit link, not for anything else.
<tunnel>::1 is the gateway for the tunnel, how are you going to route packets to that address if that /64 is not on the tunnel interface?
SixXS Tunnel vs. Subnet?
Shadow Hawkins on Friday, 24 October 2008 02:50:55
I've found that on hurricane electric, they route the entire /64 to you rather than just the endpoint; this is basically the equivalent of giving you exactly one subnet. This seems like the right thing for a lot of people; for instance, I could give all the devices around my house IPv6 addresses within the /64. That doesn't really require the larger address space of a subnet, though. Would you guys consider enabling routing for the entire /64 to the endpoints? That would be really useful.
Thanks!
SixXS Tunnel vs. Subnet?
Jeroen Massar on Friday, 24 October 2008 12:29:15
> I've found that on hurricane electric, they route the entire /64 to you rather than just the endpoint;
I don't know if they understand routing, but you can only assign a /64 ONCE to one link, you can't split it over multiple links.
As a tunnel is a Point to Point interface, it is, indeed that, only two points, and those two points are you (::2) and the PoP (::1) and nothing more.
So where would the rest of the /64 be used?
> this is basically the equivalent of giving you exactly one subnet.
That is correct, but that subnet can only be used on the tunnel, not on another interface (unless you do really nasty tricks, and IPv6 was made so that you don't have to do any tricks anymore)
> This seems like the right thing for a lot of people; for instance, I could give all the devices around my house IPv6 addresses within the /64. That doesn't really require the larger address space of a subnet, though. Would you guys consider enabling routing for the entire /64 to the endpoints? That would be really useful.
As explained above, it can't technically work unless you start using tricks.
If you want an allocation that you can use to assign to multiple devices and to route inside your house, then request a subnet (/48), and you can do all you want.
SixXS Tunnel vs. Subnet?
Shadow Hawkins on Saturday, 25 October 2008 10:40:50
> I don't know if they understand routing, but you can only assign a /64 ONCE to one link, you can't split it over multiple links.
> So where would the rest of the /64 be used?
Other machines on the subnet.
> As a tunnel is a Point to Point interface, it is, indeed that, only two points, and those two points are you (::2) and the PoP (::1) and nothing more.
This is not exactly correct, at least in general. Although the tunnel (a virtual link) does have endpoints with the addresses as you say, it is perfectly reasonable to pass packets over the link which are not destined for either endpoint. Any packet matching the first /64 of the link would be routed from the broker (::1) to ::2, which is then responsible for further routing the packets within the subnet. In fact, this is the primary advantage of IPv6 since then you no longer need NAT; machines on the /64 subnet can assign themselves valid addresses using only stateless autoconfiguration and DAD.
An example configuration where this would work is as follows. Suppose you have a tunnel interface named 'sixxs', and a wireless interface 'ath0'. Assign the address prefix::2/128 to sixxs, and add a routing table entry of prefix::1/128 pointing to sixxs as the next hop. Then configure a router advertisement daemon to advertise the /64 prefix on ath0, and set up a default IPv6 route (::/0) also pointed to sixxs. This will provide IPv6 to an entire subnet of machines with only one tunnel.
All the tunnel broker needs to do is add a routing table entry like 'prefix/64' for this to work; right now you're actually doing something like routing '::2/128'. No tricks are necessary.
If a /48 is required to route to multiple devices, you seem to be assuming that each device needs its own /64 prefix, which is certainly not the case. This is only necessary with the way your system is configured.
Anyways, I do appreciate the free IPv6 connectivity and all your hard work.
Best,
Steve
SixXS Tunnel vs. Subnet?
Jeroen Massar on Saturday, 25 October 2008 18:25:04
> > I don't know if they understand routing, but you can only assign a /64 ONCE to one link, you can't split it over multiple links.
> > So where would the rest of the /64 be used?
> Other machines on the subnet.
There can only be two machines on a PtP interface; thus which ones again?
Tunnels we provide are not Multipoint, thus there are no others.
> > As a tunnel is a Point to Point interface, it is, indeed that, only two points, and those two points are you (::2) and the PoP (::1) and nothing more.
> This is not exactly correct, at least in general.
It is always correct, unless you talk about a multipoint tunnel, which we don't have.
> Although the tunnel (a virtual link) does have endpoints with the addresses as you say, it is perfectly reasonable to pass packets over the link which are not destined for either endpoint.
When you set magic routes smaller than the /64, yes you could. But that violates a lot of RFCs and more importantly common sense.
> Any packet matching the first /64 of the link would be routed from the broker (::1) to ::2, which is then responsible for further routing the packets within the subnet.
What do your routing entries look like for this? Oh, indeed, two interfaces and two subnets, a /127 (which is automatically broken by design in IPv6 due to subnet anycast addresses) and the rest of the /64 which will mean several routes as you can't describe it with a single entry.
> In fact, this is the primary advantage of IPv6 since then you no longer need NAT; machines on the /64 subnet can assign themselves valid addresses using only stateless autoconfiguration and DAD.
No you can't, because you have two interfaces, and thus multiple /64's, if you are taking a bit out of the /64 autoconfig fails as it can only work with a full /64.
> An example configuration where this would work is as follows. Suppose you have a tunnel interface named 'sixxs', and a wireless interface 'ath0'. Assign the address prefix::2/128 to sixxs, and add a routing table entry of prefix::1/128 pointing to sixxs as the next hop.
You thus have two interfaces and thus require two /64s. That is how IPv6 works, not anything else. You can indeed MAKE it to work, but that is just hacking around things. We are not going to introduce hacks.
> Then configure a router advertisement daemon to advertise the /64 prefix on ath0, and set up a default IPv6 route (::/0) also pointed to sixxs. This will provide IPv6 to an entire subnet of machines with only one tunnel.
How exactly are devices on ath0 going to reach <tunnel>::1 ?
Indeed, as they have a /64 to the ath0 interface, they will never be able to reach it.
> All the tunnel broker needs to do is add a routing table entry like 'prefix/64' for this to work; right now you're actually doing something like routing '::2/128'. No tricks are necessary.
That is a HUGE trick, as that is not how routing can work.
> If a /48 is required to route to multiple devices, you seem to be assuming that each device needs its own /64 prefix, which is certainly not the case.
Each *switched interface* (thus an L2 that is not routed) needs its own /64, that is the design of IPv6, if you want to properly use autoconfiguration.
If you indeed just want to play around with weird hacks you can do whatever you want.
If you really really really want to have the tunnel interface and the ath0 interface 'connected' you will need to make them into a L2 bridge, then they are one interface and you could indeed get away with one /64. But as most people on this planet don't have this configuration, we are not going to support it.
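The routing argument in the two posts above, as an added illustration that is not part of the thread: a small longest-prefix-match model in Python (constructed documentation-range prefixes and a constructed router link-local address, not real SixXS or HE allocations) showing why a LAN host that has the tunnel /64 on-link can never reach the PoP's ::1, while a host on a /64 taken from the routed /48 reaches it through the router and the tunnel.

```python
import ipaddress

# Constructed prefixes in the documentation range; not real SixXS or HE allocations.
TUNNEL = ipaddress.IPv6Network("2001:db8:ffff:1::/64")  # assumed tunnel /64 (transit link)
SUBNET = ipaddress.IPv6Network("2001:db8:1234::/48")    # assumed routed /48
POP, USER = TUNNEL[1], TUNNEL[2]                        # ::1 is the PoP, ::2 is the user end
LAN64 = next(SUBNET.subnets(new_prefix=64))             # first /64 of the /48, used on ath0
ROUTER_LL = ipaddress.IPv6Address("fe80::1")            # constructed link-local of the router on ath0
DEFAULT = ipaddress.IPv6Network("::/0")


def next_hop(routes, dst):
    """Longest-prefix match over (network, iface, gateway) entries; gateway None means on-link."""
    dst = ipaddress.IPv6Address(dst)
    best = None
    for net, iface, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def deliver(routes, dst, neighbors):
    """One forwarding hop: an on-link destination needs a neighbor that answers the
    Neighbor Solicitation; an off-link destination is handed to the gateway."""
    hop = next_hop(routes, dst)
    if hop is None:
        return "no route"
    iface, gw = hop
    if gw is None:
        return f"delivered on {iface}" if ipaddress.IPv6Address(dst) in neighbors else f"NS on {iface} unanswered"
    return f"via {gw} on {iface}"


# Scenario A (split the tunnel /64): the router advertises TUNNEL itself on ath0.
SPLIT_HOST = [(TUNNEL, "ath0", None), (DEFAULT, "ath0", ROUTER_LL)]
# Scenario B (routed /48): ath0 gets its own /64, the tunnel /64 stays on the PtP link.
SUBNET_HOST = [(LAN64, "ath0", None), (DEFAULT, "ath0", ROUTER_LL)]
SUBNET_ROUTER = [(LAN64, "ath0", None), (TUNNEL, "sixxs", None), (DEFAULT, "sixxs", POP)]


def lan_host_reaches_pop_split():
    # ::1 sits inside the on-link /64, so the host solicits it on ath0, where nobody owns it.
    return deliver(SPLIT_HOST, POP, {ROUTER_LL})


def lan_host_reaches_pop_subnet():
    # ::1 is off-link for the host, so it goes to the router, which has the tunnel /64 on sixxs.
    first = deliver(SUBNET_HOST, POP, {ROUTER_LL})
    second = deliver(SUBNET_ROUTER, POP, {POP})   # the PtP peer answers on the tunnel
    return first, second
```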
SixXS Tunnel vs. Subnet?
Shadow Hawkins on Saturday, 25 October 2008 18:59:27
> If you indeed just want to play around with weird hacks you can do whatever you want.
Well, not with sixxs.
> If you really really really want to have the tunnel interface and the ath0 interface 'connected' you will need to make them into a L2 bridge, then they are one interface and you could indeed get away with one /64. But as most people on this planet don't have this configuration, we are not going to support it.
You're perfectly right, an L2 bridge is more appropriate here. The case of bridging with the tunnel seems like a pretty useful case, since then you could enable your whole subnet for IPv6 by running the tunnel from the AP. I wanted to do that, but there's an issue with bridging with a tun, because they're different phy's; not sure if anything can be done about that.
SixXS Tunnel vs. Subnet?
Shadow Hawkins on Wednesday, 29 October 2008 18:17:14
> So where would the rest of the /64 be used?
One of the usages that could be made is IP based virtual hosting on the host, like for having hundreds of SSL certs, or dozens of FTP daemons with anonymous accounts.
Most of us are still thinking in IPv4 IP scarcity way and feel bad about this waste of space.
SixXS Tunnel vs. Subnet?
Jeroen Massar on Tuesday, 04 November 2008 20:49:36
Request a subnet and you can do all that... it is not wasting space.
And really, if you are going to host "dozens of FTP daemons" or similar things you will be needing something much better than a tunnel anyway.
SixXS Tunnel vs. Subnet?
Shadow Hawkins on Saturday, 29 November 2008 21:08:46
Little question (theoretical):
If I would want to assign multiple IPs to a machine having a tunnel established on it, with no other usage, like routing for a local LAN (let's call it "dozens of FTP daemons" setup), is it ok for me to assign a /64 subnet to the loopback interface and then assign several IPs to this interface, or should I grab some network card "eth0", or do everything on the tunnel interface, i.e. "sixxs"?
SixXS Tunnel vs. Subnet?
Shadow Hawkins on Monday, 08 December 2008 10:47:20
I believe you could order a subnet and then assign the addresses to the tunnel interface (your working IPv6 network device).
SixXS Tunnel vs. Subnet?
Shadow Hawkins on Monday, 08 December 2008 18:32:39
> I've found that on hurricane electric, they route the entire /64 to you rather than just the endpoint;
> I don't know if they understand routing, but you can only assign a /64 ONCE to one link, you can't split it over multiple links.
> As a tunnel is a Point to Point interface, it is, indeed that, only two points, and those two points are you (::2) and the PoP (::1) and nothing more.
Just for the reference: HE gives you two /64 by default. One for the tunnel, and a single /64 routed over the tunnel.
But testing reveals that they actually do route the rest of the tunnel /64 too. My tunnel is configured with 2001:470:1f04:19d::2/64 on my end and 2001:470:1f04:19d::1/64 on the HE end. Here's the tshark output while pinging a non-existent address on the tunnel /64 from the outside:
dewey:/tmp# tshark -n -i he-ipv6 not tcp port 22
Capturing on he-ipv6
0.000000 2001:470:1f04:19d::1 -> 2001:470:1f04:19d::4 ICMPv6 Neighbor solicitation
0.034857 2001:16d8:ffb4::1 -> 2001:470:1f04:19d::4 ICMPv6 Echo request
0.999963 2001:470:1f04:19d::1 -> 2001:470:1f04:19d::4 ICMPv6 Neighbor solicitation
1.034967 2001:16d8:ffb4::1 -> 2001:470:1f04:19d::4 ICMPv6 Echo request
2.034847 2001:16d8:ffb4::1 -> 2001:470:1f04:19d::4 ICMPv6 Echo request
3.034995 2001:16d8:ffb4::1 -> 2001:470:1f04:19d::4 ICMPv6 Echo request
4.035126 2001:16d8:ffb4::1 -> 2001:470:1f04:19d::4 ICMPv6 Echo request
7 packets captured
Pretty weird.
> So where would the rest of the /64 be used?
I guess you could split the /64 (claiming the tunnel is really a /126 or something) and route it somewhere? But why?
Or you might use multiple addresses on the tunnel host. But again, why?