Failover IPv6 with multiple PA prefixes (Was: IPv6 fc00::/7 - Unique local addresses)
Owen DeLong
owen at delong.com
Thu Nov 4 00:01:32 UTC 2010
On Nov 3, 2010, at 3:43 PM, Mark Andrews wrote:
>
> In message <2CE5A700-EB60-453F-85CF-5E679E94EE4C at delong.com>, Owen DeLong writes:
>> <massive snip>
>>>>>
>>>> Actually, gethostbyname returns a linked-list and applications should
>>>> try everything in the list until successfully connecting. Most do.
>>>>
>>>> However, the long timeouts in the connection attempt process make
>>>> that a less than ideal solution. (In fact, this is one of the main reasons
>>>> that Google does not publish AAAA records generally today).
>>>>
>>>> However, that isn't the issue above. The issue above is about whether
>>>> or not:
>>>> getaddrinfo() always returns the addresses to be tried in proper
>>>> order.
>>>> Applications are always well behaved in attempting connections
>>>> in the order returned by getaddrinfo()
>>>> Whether the deployment of the gai.conf file to hosts in order to
>>>> give getaddrinfo() the correct hints about ordering is
>>>> likely to occur correctly and reliably.
>>>> etc.
>>>>
>>>> There are many dependencies to making source address selection
>>>> in IPv6 work correctly. They are exacerbated in a ULA environment.
>>>> If you thought putting a single address (or prefix) into a CPE router
>>>> by hand was hard, do you really expect the customer to manage
>>>> a gai.conf file on all their hosts? Seems to me this is much harder
>>>> than the router configuration.
>>>
>>> You do realise that it is easy to completely automate this as ULAs
>>> come from a well defined address block. A simple tool can generate
>>> this for the older machines which haven't been updated to know about
>>> ULAs.
>>>
>> Sure, or, you can use PI without ULA and not need to develop a tool.
>
> Actually PI is WORSE if you can't get it routed as it requires NAT or
> it requires MANUAL configuration of the address selection rules to be
> used with PA.
>
It's very easy to get PIv6 routed for free, so, I don't see the issue there.
> If you can get PI *and* get it routed then yes PI is the way to go.
> PA alone is also not the way to go.
>
OK, so, PI is the way to go, since you can get it routed for free.
(If you don't know how, see http://tunnelbroker.net and look for the
subject "BGP tunnel")
>>> If you have an interface configured with a ULA address, take that
>>> address and generate two entries. One for /48 and one for the /64.
>>>
>>> Preference the ULA/64 addresses first (link).
>>> Preference the ULA/48 addresses next (site).
>>> Preference the PA/PI/6to4/64 addresses next (link).
>>> Preference the PA/PI/6to4/48 addresses next (site). (an RA would be a good way
>>> to distribute the site size other than /48 for PA/PI).
>>> Preference 2000::/3 next.
>>> Preference 2002::/16 next.
>>> [2000::/3 2002::/16 reverse order if you don't have any non-ULAs outside of
>>> 2002::/16]
>>> Preference fc00::/7 last.
>>>
>>> For ULA/64 destination select a source address from the corresponding ULA/64.
>>> For ULA/48 destination select a source address from the corresponding ULA/48.
>>> For PA/PI/6to4/64 destination addresses select a source address from
>>> the corresponding PA/PI/6to4/64.
>>> For PA/PI/6to4/48 destination addresses select a source address from
>>> the corresponding PA/PI/6to4/48.
>>> For 6to4 destination addresses not already handled select a 6to4
>>> address if available then a PA/PI source address and ULA address last.
>>> For 2000::/2 destination addresses not already handled select a PA/PI
>>> source address then 6to4 address and ULA address last.
>>> For ULA destination addresses not already handled select a PA/PI
>>> source address then 6to4 address and ULA address last.
>>>
>>> Now is that really so hard?
>>>
>> It just took you 20+ lines to describe the process in English without
>> producing a single line of code. PI without ULA strikes me as being a lot
>> less complicated.
>
> And PA alone doesn't work well.
>
Where did PA enter into my statement above?
> As for lines of code they won't be many as basically it is just
> inserting/removing rules when addresses are assigned/removed to/from
> interfaces.
>
And then distributing those rules to EVERY host (or you have to pre-
distribute the script to EVERY host).
<snip>
Owen
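A generator for the gai.conf table Mark sketches in the quoted text, as an added example (not code from either author): given the IPv6 addresses configured on a host, it emits glibc `label` and `precedence` lines in the destination order he lists, swapping 2000::/3 and 2002::/16 when the only global addresses are 6to4. The sample addresses are constructed and the numeric label/precedence values are my own choice.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
SIXTOFOUR = ipaddress.ip_network("2002::/16")


def containing(addr, plen):
    """The /plen network that contains addr (the /48 site or /64 link)."""
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def generate_gai_conf(addresses):
    """Return gai.conf lines implementing the ordering from the thread.

    addresses: IPv6 addresses configured on the host's interfaces.
    Higher precedence wins for destination ordering: ULA/64, ULA/48,
    PA-PI-6to4/64, PA-PI-6to4/48, then 2000::/3, 2002::/16, fc00::/7 last.
    Each prefix gets its own label so that the RFC 3484 "prefer matching
    label" rule steers source selection to the prefix the destination is in.
    Any label/precedence line makes glibc drop its built-in table, so the
    loopback and IPv4-mapped entries are written out as well.
    """
    ips = [ipaddress.ip_address(a) for a in addresses]
    ula = [ip for ip in ips if ip in ULA]
    pa = [ip for ip in ips if ip in GLOBAL_UNICAST]   # PA, PI and 6to4
    ordered = []                                       # most preferred first
    for group in (ula, pa):                            # ULA before PA/PI/6to4
        for plen in (64, 48):                          # link before site
            for ip in group:
                net = containing(ip, plen)
                if net not in ordered:
                    ordered.append(net)
    tail = [GLOBAL_UNICAST, SIXTOFOUR]
    if pa and all(ip in SIXTOFOUR for ip in pa):      # only 6to4 globals:
        tail.reverse()                                 # prefer 2002::/16
    ordered += tail + [ULA]
    lines = ["label ::1/128 0", "precedence ::1/128 50"]
    for i, net in enumerate(ordered):                  # assumes < 40 prefixes
        lines.append(f"label {net} {i + 1}")
        lines.append(f"precedence {net} {49 - i}")
    n = len(ordered)
    lines += [f"label ::/0 {n + 1}", f"precedence ::/0 {49 - n}",
              f"label ::ffff:0:0/96 {n + 2}", "precedence ::ffff:0:0/96 10"]
    return lines


if __name__ == "__main__":
    # Constructed sample: one ULA address and one documentation-prefix PA address.
    print("\n".join(generate_gai_conf(["fd00:1234:5678:1::10",
                                       "2001:db8:abcd:2::10"])))
```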