failing over better with multiple prefixes?

Dave Taht d at teklibre.org
Wed Feb 24 17:21:51 CET 2010


I've been wrestling with this one for a while.

Let's assume that Joe Corporation is not willing to pony up for a BGP 
number ($1000 + $600/yr membership fee from lacnic) or a dedicated IPv6 
allocation large enough (/32)? for someone to be willing to route. 
(currently lacnic appears to not be charging for IPv6 allocations  but 
it is unclear how to get it routed or how much you can get)

Q1) Is there a "best (and cheap) way" to get a dedicated, independent 
IPv6 address space and BGP AS number that people are willing to route? 
Note that I am in the third world and the problem of who to contact to 
get stuff routed is augmented by the language barrier, and the fees 
involved above are nearly double what the average person makes here, per 
year....

Moving on into the alternate hole I've dug myself:

So joe has a dedicated IPv4 address and uses the resultant 2002 network 
to add IPv6 to their net.
Yea, there's 64k worth of subnets there so they proceed merrily slamming 
out 2002 nets across their offices, currently 11...

There are also dedicated links between the offices, in more or less of a 
wireless mountainous mesh, many of which have their own real IPv4 IP 
gateway from various providers as well, as well as a few that are stuck 
behind NAT from less wealthy providers, for which they use a hurricane 
electric tunnel currently. So it's a huge waste of very limited 
bandwidth to backhaul everything to the main office...

So for local routing, they add 2002:the-local-office-net:bla:bla:bla:bla 
to each local network, or 2001:the-hurricane-tunnel if needed, and 
distribute those addresses via radvd, and route the internal routes 
around (currently) via babeld.

Every machine ends up with one IPv6 address per (IPv4 or tunnel) 
gateway. This is kind of unwieldy, particularly if you want to wedge all 
this into DNS, too...

Still, this works pretty good when everything is working.

Q2a) It's unclear, that once you start assigning multiple 2002: or 2001: 
tunnel prefixes how to make the local 2002 or 2001 gateway prefix be the 
primary source address prefix. The routers are all running a reasonably 
recent version of linux (2.6.26 at minimum), and have ip rules tables 
installed for source routing (ipv4 only at the moment) where needed...

Q2b) It's really unclear how IPv6 interacts with the linux RPDB these 
days...

Q3) When an external link goes down they'd like the offices to fail-over 
to routing internally to the next best gateway. But if the source 
address is 2002:the-local-office, sending stuff out 
2002:some-other-office's-gateway isn't going to work very well.

Now, I don't really want to talk about NAT. What I would like to have 
happen, is when an external tunnel goes down, that the IPv6 addresses 
derived from it become deprecated and aren't used for future 
connections, and when it goes back up they get undeprecated....

It's not clear to me how to do this aside from rewriting the radvd.conf 
file and restarting radvd, and even then, there doesn't appear to be 
syntax to "deprecate" an address only (thus eliminating the need to 
remove it from DNS)

Is there something that I could use other than radvd?

it's not clear how to deprecate static addresses either (for example, on 
a DNS server or a virtual machine).

Q4) This is maybe just a syntax problem with the "ip" tool

For example, I can rid myself of an address by:

ip addr change 2001:470:b9d7:e::1/64 dev eth1 valid_lft 1 preferred_lft 1

But INTERNALLY that IPv6 address is fine, so what I really want to do is 
deprecate the address so it's not used for future external communication 
and I don't mess up any on-going internal communications. So, somehow, I 
need to "hear" from userspace, that my default gateway for this prefix 
is toast and then (for example)

ip addr change 2001:470:b9d7:e::1/64 dev eth1 deprecated
Error: either "local" is duplicate, or "deprecated" is a garbage.

(whenever this happens I can also remove the IP address from DNS via 
nsupdate)

I've been fiddling with the syntax of this ip command for a while to no 
avail. (linux 2.6.32) It doesn't accept any of the other documented 
flags (primary, secondary, etc) either.

And for dynamically configured clients to able to "hear" a deprecated 
IPv6 prefix via some normal method that windows and linux clients would 
respond to without any scripting would be nice.

Q5) Taking a prefix to a tunnel up or down is somewhat problematic. For 
example, right now, (what prompted this mail), my HE tunnel is down 
(external gateway is down), but it says it's up:

9: he-ipv6: <POINTOPOINT,NOARP,UP>
     inet6 2001:470:1f0e:34a::2/64 scope global
     inet6 fe80::c0a8:702/128 scope link

So the only way I know to test the tunnel is via pinging the other side 
of it 2001:470:1f0e:34a::1,
and if that fails, rewrite the radvd file...




More information about the ipv6-ops mailing list