SixXS::Sunset 2017-06-06

1 subnet / 2 tunnels (2 endpoints)
[fr] Shadow Hawkins on Friday, 30 May 2008 19:11:09
Hello, I have two networks split on two different sites. The native IPv6 is no longer working (thanks to cheap hoster) and I'd like to make them belong to the same network if possible.

Is it possible (according to POP software and to policy) to have 2 tunnels connecting to the same subnet (like a VPN would do)? (I don't want to run a tunnel server or VPN on a site.)

SiteA/Endpoint A ----(subnet0)---- POP ----(subnet0)---- Endpoint B/SiteB

* They could use the same POP as they are not so far.
[si] Shadow Hawkins on Monday, 02 June 2008 10:45:43
I believe it is in the FAQ, that tunnels and subnets can not be used from multiple sites. The only solution is VPN (or some special arrangement with the ISP, which might be hard to get).
[ch] Jeroen Massar SixXS Staff on Monday, 02 June 2008 11:22:16
The real solution is to request two subnets, one to each tunnel endpoint. For direct inter-site traffic one could then set up a tunnel between the two sites.
[ch] Shadow Hawkins on Wednesday, 22 October 2008 13:17:38
Having a 1 subnet / 2 tunnel configuration would be nice to provide for failover. For example, I have two OpenBSD boxes configured in failover using CARP active/active. At the moment, AICCU runs on one of them and if the machine fails, AICCU has to be started on the other box, new default routes for IPv6 advertised, etc. Any chance that a single subnet can be associated to two (or even more) tunnels?
[us] Shadow Hawkins on Wednesday, 22 October 2008 21:02:09
While it would be nice to have failover and be able to use one subnet in two tunnels, failover can be accomplished with two subnets and two tunnels. I currently have three subnets, two here and one somewhere else. Each of the machines on my internal network has an almost identical address on each of the subnets, with the exception of the initial prefix: i.e. each server has 3 addresses, 2001:xxxx:xxxx:aaaa:aaaa..., 2001:yyyy:yyyy:aaaaa...., 2001:zzzz:zzzz:aaaa.... That makes it easy to remember.

For the end users who I'm attempting to provide IPv6 connectivity to, I simply give them an address on one of the subnets. If that subnet is down I simply change my radvd config file to give them an address on a working subnet.

My only problem is with source address selection in Linux. I understand the newer kernels handle this better, but I have trouble telling my servers which source address to use on CentOS 5.2. My servers like to pick a source address on a non-working subnet and send it through the working tunnel, which of course gets rejected by the tunnel. I route all the traffic between my subnets internally, so as not to unnecessarily send traffic through the tunnel.
[ch] Shadow Hawkins on Wednesday, 29 October 2008 02:03:40
I thought about using two tunnels and two subnets, but the problem is the interaction with DNS: What IPv6 address do I use in the DNS AAAA/A6 record for a given host? I could use two IPv6 addresses (one from each subnet) but if one subnet goes down about 50% of the connections will use the DNS AAAA/A6 record that lies in the wrong (as in unavailable) subnet, which is suboptimal.
[ch] Jeroen Massar SixXS Staff on Wednesday, 29 October 2008 10:21:26
Applications that are properly written will use all possible addresses (IPv6 first, then IPv4). As such the only thing is that you will have a little bit of delay at connection time. (unless ICMP unreachables are being dropped somewhere)
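The client behaviour described in the post above, as an added example that is not part of the original thread: the client walks the resolved address list in order and moves on when an address fails. The function names are hypothetical, and the demo uses constructed loopback addresses (a closed port standing in for the address in the unavailable subnet) so it runs offline.

```python
import socket

def resolve(host, port):
    """All stream addresses for a name (AAAA and A), in resolver order."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [(family, sockaddr) for family, _t, _p, _c, sockaddr in infos]

def connect_first_reachable(candidates, timeout=1.0):
    """Try each (family, sockaddr) in order and return (socket, failures).

    A refused or unreachable address fails at once. If ICMP unreachables
    are dropped on the path, the attempt only ends when `timeout` expires,
    which is the connection-time delay mentioned in the post.
    """
    failures = []
    for family, sockaddr in candidates:
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return sock, failures
        except OSError as exc:
            failures.append((sockaddr, exc))
            sock.close()
    raise OSError(f"all {len(failures)} addresses failed: {failures}")

def demo():
    """Constructed setup: first address is dead, second one answers."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Bind and close a socket to obtain a port with nothing listening on it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    candidates = [(socket.AF_INET, ("127.0.0.1", closed_port)),
                  (socket.AF_INET, ("127.0.0.1", open_port))]
    sock, failures = connect_first_reachable(candidates)
    peer_port = sock.getpeername()[1]
    sock.close()
    listener.close()
    return peer_port, len(failures), open_port

if __name__ == "__main__":
    print(demo())
```

In real use the candidate list comes from `resolve(host, port)`; Python's own `socket.create_connection` performs the same loop internally.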
[ch] Shadow Hawkins on Wednesday, 29 October 2008 11:17:24
Do you mean that if a host has two DNS AAAA RRs, and I SSH to that host by name, SSH will try to connect to one of the AAAA RRs and if the host is down, it will try the other AAAA RR? Or do you mean it will fall back from the AAAA RR to the A RR?
[ch] Shadow Hawkins on Friday, 31 October 2008 01:41:24
I see more problems with the multiple subnets approach. Let's say we use two subnets, A::/48 and B::/48, to be resilient to a link/tunnel going down. We use rtadvd to advertise both prefixes. So, a host ends up having two IPv6 addresses: A::1/64 and B::1/64.

Now, the host starts an FTP download over IPv6 and decides to use A::1/64 as the source address. If the A::/48 subnet/link goes down, the FTP connection will be aborted since the host can't be reached at A::1/64 anymore (the tunnel becomes inactive/disabled). And even if we can reach the host at B::1/64 over the tunnel that routes B::/48, we failed to keep the FTP download from being disrupted in case of a tunnel/link failure.

So, how does using 2 subnets and 2 IPv6 addresses per host solve the resiliency problem? I can't see how. I'm still looking for BGP support for SixXS tunnels :)
[ch] Shadow Hawkins on Friday, 31 October 2008 01:44:18
As I said in another comment, if you change your rtadvd configuration to advertise a new prefix when the existing tunnel/link goes down, then your client's hosts will see their IPv6 addresses change (renumbered), breaking any active sessions (i.e. SSH connection over IPv6). Your client's hosts will be reachable over the new IPv6 prefix, but I think that's not optimal (and also requires manual intervention). At least, this won't work for me. I'm looking for resilience in case of a tunnel/link failure. So far, it seems BGP is the only solution to my requirements.
[ch] Jeroen Massar SixXS Staff on Thursday, 23 October 2008 11:35:04
There is a Wishlist item for BGP support for this reason. If you are using CARP though, you don't need to advertise any new defaults, you just have to configure the 'default' to be on your CARP device, failover will then handle that part. You will indeed have to either start/stop aiccu on the relevant machine, or maybe easier, add/remove a firewall rule which disallows traffic to the PoP. Do take care of one thing though: when the tunnel-IP flips too often the tunnel gets disabled!
[ch] Shadow Hawkins on Wednesday, 29 October 2008 02:00:27
Exactly. That's what I'm doing now using ifstated on OpenBSD: when the CARP interface becomes BACKUP, AICCU is killed; when the CARP interface becomes MASTER, AICCU is started. Obviously, the CARP interface does not fail-over often (once a month or when upgrading the OS) :) The problem is that the host with the CARP interface in BACKUP mode needs the IPv6 default route updated so that it can reach the IPv6 Internet. I can do this using ifstated too, but I also have a patch against AICCU that, on exit, installs an IPv6 default route specified in the configuration file.


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker