failing over better with multiple prefixes?
d at teklibre.org
Wed Feb 24 17:21:51 CET 2010
I've been wrestling with this one for a while.
Let's assume that Joe Corporation is not willing to pony up for a BGP
number ($1000 + $600/yr membership fee from LACNIC) or a dedicated IPv6
allocation large enough (/32)? for someone to be willing to route.
(currently LACNIC appears to not be charging for IPv6 allocations but
it is unclear how to get it routed or how much you can get)
Q1) Is there a "best (and cheap) way" to get a dedicated, independent
IPv6 address space and BGP AS number that people are willing to route?
Note that I am in the third world and the problem of who to contact to
get stuff routed is augmented by the language barrier, and the fees
involved above are nearly double what the average person makes here, per
Moving on into the alternate hole I've dug myself:
So Joe has a dedicated IPv4 address and uses the resultant 2002 network
to add IPv6 to their net.
Yea, there's 64k worth of subnets there so they proceed merrily slamming
out 2002 nets across their offices, currently 11...
There are also dedicated links between the offices, in more or less of a
wireless mountainous mesh, many of which have their own real IPv4 IP
gateway from various providers, as well as a few that are stuck
behind NAT from less wealthy providers, for which they use a Hurricane
Electric tunnel currently. So it's a huge waste of very limited
bandwidth to backhaul everything to the main office...
So for local routing, they add 2002:the-local-office-net:bla:bla:bla:bla
to each local network, or 2001:the-hurricane-tunnel if needed, and
distribute those addresses via radvd, and route the internal routes
around (currently) via babeld.
Every machine ends up with one IPv6 address per (IPv4 or tunnel)
gateway. This is kind of unwieldy, particularly if you want to wedge all
this into DNS, too...
Still, this works pretty well when everything is working.
Q2a) It's unclear, once you start assigning multiple 2002: or 2001:
tunnel prefixes, how to make the local 2002 or 2001 gateway prefix the
primary source address prefix. The routers are all running a reasonably
recent version of Linux (2.6.26 at minimum), and have ip rules tables
installed for source routing (IPv4 only at the moment) where needed...
Q2b) It's really unclear how IPv6 interacts with the linux RPDB these
Q3) When an external link goes down they'd like the offices to fail-over
to routing internally to the next best gateway. But if the source
address is 2002:the-local-office, sending stuff out
2002:some-other-office's-gateway isn't going to work very well.
Now, I don't really want to talk about NAT. What I would like to have
happen, is when an external tunnel goes down, that the IPv6 addresses
derived from it become deprecated and aren't used for future
connections, and when it goes back up they get undeprecated....
It's not clear to me how to do this aside from rewriting the radvd.conf
file and restarting radvd, and even then, there doesn't appear to be
syntax to "deprecate" an address only (thus eliminating the need to
remove it from DNS)
Is there something that I could use other than radvd?
It's not clear how to deprecate static addresses either (for example, on
a DNS server or a virtual machine).
Q4) This is maybe just a syntax problem with the "ip" tool
For example, I can rid myself of an address by:
ip addr change 2001:470:b9d7:e::1/64 dev eth1 valid_lft 1 preferred_lft 1
But INTERNALLY that IPv6 address is fine, so what I really want to do is
deprecate the address so it's not used for future external communication
and I don't mess up any on-going internal communications. So, somehow, I
need to "hear" from userspace, that my default gateway for this prefix
is toast and then (for example)
ip addr change 2001:470:b9d7:e::1/64 dev eth1 deprecated
Error: either "local" is duplicate, or "deprecated" is a garbage.
(whenever this happens I can also remove the IP address from DNS via
I've been fiddling with the syntax of this ip command for a while to no
avail (Linux 2.6.32). It doesn't accept any of the other documented
flags (primary, secondary, etc.) either.
And for dynamically configured clients to be able to "hear" a deprecated
IPv6 prefix via some normal method that Windows and Linux clients would
respond to without any scripting would be nice.
Q5) Taking a prefix to a tunnel up or down is somewhat problematic. For
example, right now, (what prompted this mail), my HE tunnel is down
(external gateway is down), but it says it's up:
9: he-ipv6: <POINTOPOINT,NOARP,UP>
inet6 2001:470:1f0e:34a::2/64 scope global
inet6 fe80::c0a8:702/128 scope link
So the only way I know to test the tunnel is via pinging the other side
of it 2001:470:1f0e:34a::1,
and if that fails, rewrite the radvd file...
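An added worked example for Q4 and Q5, written for this page and not part of the original post or of any tool it mentions. iproute2 has no "deprecated" keyword; the deprecated flag is derived from the preferred lifetime, so `ip -6 addr change ... valid_lft forever preferred_lft 0` leaves the address valid and routable for existing flows while source address selection stops choosing it for new ones, and an RA carrying preferred lifetime 0 makes SLAAC hosts deprecate their own addresses for that prefix without client-side scripting. The interface names and addresses (he-ipv6, 2001:470:1f0e:34a::1, eth1, 2001:470:b9d7:e::1/64) come from the message; the radvd.conf layout, the second prefix 2002:c000:201:1::/64, the ping-based liveness test and the use of `pkill -HUP radvd` to make radvd re-read its configuration are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): when the tunnel far end stops
# answering, deprecate (never delete) the addresses derived from it, both on
# the router itself and, via radvd, on the hosts behind it.
# Assumptions: radvd.conf layout, the 2002:c000:201:1::/64 prefix, and that
# radvd re-reads its config on SIGHUP.

TUNNEL_FAR_END="2001:470:1f0e:34a::1"
LAN_DEV="eth1"
LAN_ADDR="2001:470:b9d7:e::1/64"
LAN_PREFIX="2001:470:b9d7:e::/64"
RADVD_CONF="${RADVD_CONF:-/etc/radvd.conf}"

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN-}" ]; then echo "$*"; else "$@"; fi
}

# The tunnel device stays UP with the far end gone; the only liveness
# signal is whether the remote tunnel address still answers.
tunnel_up() {
    ping6 -c 2 -W 2 "$1" >/dev/null 2>&1
}

# preferred_lft 0 sets the "deprecated" flag: the address stays valid and
# routed, existing connections keep using it, new ones stop selecting it.
deprecate_addr() {
    run ip -6 addr change "$1" dev "$2" valid_lft forever preferred_lft 0
}

# Undo: restore an infinite preferred lifetime.
restore_addr() {
    run ip -6 addr change "$1" dev "$2" valid_lft forever preferred_lft forever
}

# Rewrite AdvPreferredLifetime inside one "prefix" block of radvd.conf.
# Hosts that receive an RA with preferred lifetime 0 deprecate their
# SLAAC addresses for that prefix themselves (RFC 4862 behaviour).
set_ra_preferred_lifetime() {
    conf="$1"; pfx="$2"; secs="$3"
    awk -v pfx="$pfx" -v secs="$secs" '
        $1 == "prefix" && $2 == pfx { inblock = 1 }
        inblock && $1 == "AdvPreferredLifetime" { sub(/[0-9]+;/, secs ";") }
        inblock && $1 == "};" { inblock = 0 }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Read back the AdvPreferredLifetime of one prefix block.
get_ra_preferred_lifetime() {
    awk -v pfx="$2" '
        $1 == "prefix" && $2 == pfx { inblock = 1 }
        inblock && $1 == "AdvPreferredLifetime" { sub(/;/, "", $2); print $2; exit }
    ' "$1"
}

# Apply "up" or "down" to the router address and to the RA, then have
# radvd re-read its configuration.
apply_state() {
    case "$1" in
        down)
            deprecate_addr "$LAN_ADDR" "$LAN_DEV"
            set_ra_preferred_lifetime "$RADVD_CONF" "$LAN_PREFIX" 0 ;;
        up)
            restore_addr "$LAN_ADDR" "$LAN_DEV"
            set_ra_preferred_lifetime "$RADVD_CONF" "$LAN_PREFIX" 14400 ;;
    esac
    run pkill -HUP radvd
}

failover_check() {
    if tunnel_up "$TUNNEL_FAR_END"; then apply_state up; else apply_state down; fi
}

# Constructed sample radvd.conf with two prefixes, written to the given path.
write_sample_conf() {
    cat > "$1" <<'EOF'
interface eth1
{
    AdvSendAdvert on;
    prefix 2001:470:b9d7:e::/64
    {
        AdvAutonomous on;
        AdvPreferredLifetime 14400;
        AdvValidLifetime 86400;
    };
    prefix 2002:c000:201:1::/64
    {
        AdvAutonomous on;
        AdvPreferredLifetime 14400;
        AdvValidLifetime 86400;
    };
};
EOF
}

# Run from cron or a link watchdog as: sh failover.sh run
if [ "${1-}" = "run" ]; then failover_check; fi
```

Because only the preferred lifetime changes, nothing has to be removed from DNS: the address is still reachable for the internal traffic that continues to use it, and once the far end answers again `apply_state up` returns both the router and the advertised prefix to normal.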