OpenBSD as IPv4+6 gateway


OpenBSD as IPv4+6 gateway

Hugo Osvaldo Barrera
Hi,

I'm trying to evaluate how to set up my OpenBSD server as an internet
gateway.

I've a static IPv4 address, and a /48 IPv6 block.
I've already NATed IPv4 using PF, but I'm in doubt on how to bridge the
IPv6 part without breaking the IPv4 NAT.

I'll assume lan=eth0 and wan=eth1 to make this a bit more readable.

From what I've managed to think up, I'd have to bridge both interfaces
(eth0/eth1), and use PF to disallow traffic to/from private IP4s on eth1.

My doubt is: if I bridge both interfaces, can I still NAT properly?
If br0 contains eth1 and eth0, can I bridge "from br0 to br0"?
This may sound odd, but br0 has actually two IPv4 addresses; the private
and public.

Also, if eth1 is bridged, I can still drop packets using pf properly,
right? (discarding private-network packets on it is what I've in mind).

Is this the proper solution?  Or is there some other way I haven't
thought of?

Cheers, thanks,

--
Hugo Osvaldo Barrera


Re: OpenBSD as IPv4+6 gateway

Jérémie Courrèges-Anglas-2
Hugo Osvaldo Barrera <[hidden email]> writes:

> Hi,

Hi.

> I'm trying to evaluate how to set up my OpenBSD server as an internet
> gateway.
>
> I've a static IPv4 address, and a /48 IPv6 block.
> I've already NATed IPv4 using PF, but I'm in doubt on how to bridge the
> IPv6 part without breaking the IPv4 NAT.
>
> I'll assume lan=eth0 and wan=eth1 to make this a bit more readable.

Sadly, what should we understand here?  Are they really both ethernet
interfaces?

> From what I've managed to think up, I'd have to bridge both interfaces
> (eth0/eth1), and use PF to disallow traffic to/from private IP4s on eth1.

Bridging can be seen as an ugly solution when you only get a /64 from
your ISP, and you have to let RAs go through.  Slightly less ugly, ndp
proxying.  I've not tested it, though, but I believe ndp(8) could be
used here.  But...

> My doubt is: if I bridge both interfaces, can I still NAT properly?
> If br0 contains eth1 and eth0, can I bridge "from br0 to br0"?
> This may sound odd, but br0 has actually two IPv4 addresses; the private
> and public.
>
> Also, if eth1 is bridged, I can still drop packets using pf properly,
> right? (discarding private-network packets on it is what I've in mind).
>
> Is this the proper solution?  Or is there some other way I haven't
> thought of?

... how does your ISP provide you IPv6 connectivity?  I can't see why
someone couldn't use proper subnetting, being given a /48.  You should
also tell us how you get v4 connectivity, I think.

HTH
--
Jérémie Courrèges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494


Re: OpenBSD as IPv4+6 gateway

Hugo Osvaldo Barrera
On 2012-06-21 03:05, Jérémie Courrèges-Anglas wrote:

> Hugo Osvaldo Barrera <[hidden email]> writes:
>
>> Hi,
>
> Hi.
>
>> I'm trying to evaluate how to set up my OpenBSD server as an internet
>> gateway.
>>
>> I've a static IPv4 address, and a /48 IPv6 block.
>> I've already NATed IPv4 using PF, but I'm in doubt on how to bridge the
>> IPv6 part without breaking the IPv4 NAT.
>>
>> I'll assume lan=eth0 and wan=eth1 to make this a bit more readable.
>
> Sadly, what should we understand here?  Are they really both ethernet
> interfaces?

I just meant to give them names to reference them more easily later on.
Yes; they're just two ethernet interfaces.

>
>> From what I've managed to think up, I'd have to bridge both interfaces
>> (eth0/eth1), and use PF to disallow traffic to/from private IP4s on eth1.
>
> Bridging can be seen as an ugly solution when you only get a /64 from
> your ISP, and you have to let RAs go through.  Slightly less ugly, ndp
> proxying.  I've not tested it, though, but I believe ndp(8) could be
> used here.  But...

My ISP doesn't seem to be running any RA actually (more related info below).

>
>> My doubt is: if I bridge both interfaces, can I still NAT properly?
>> If br0 contains eth1 and eth0, can I bridge "from br0 to br0"?
>> This may sound odd, but br0 has actually two IPv4 addresses; the private
>> and public.
>>
>> Also, if eth1 is bridged, I can still drop packets using pf properly,
>> right? (discarding private-network packets on it is what I've in mind).
>>
>> Is this the proper solution?  Or is there some other way I haven't
>> thought of?
>
> ... how does your ISP provide you IPv6 connectivity?  I can't see why
> someone couldn't use proper subnetting, being given a /48.  You should
> also tell us how you get v4 connectivity, I think.

I get a /48 block, and a gateway I should use.  As for IPv4, I get an IP
address, and a gateway I should use.

If I subnet the IPv6 block, and set up my server as a router, wouldn't
my ISP have to know which IP is the route to my subnet?  Or is this what
you mean by ndp proxying?  I still don't understand how to set up pf
to forward the appropriate packets if I managed to do that.

>
> HTH
> --
> Jérémie Courrèges-Anglas
> GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
>

Sorry, I should have mentioned those details in the first place.

--
Hugo Osvaldo Barrera


Re: OpenBSD as IPv4+6 gateway

Jérémie Courrèges-Anglas-2
Hugo Osvaldo Barrera <[hidden email]> writes:

[...]

>> ... how does your ISP provide you IPv6 connectivity?  I can't see why
>> someone couldn't use proper subnetting, being given a /48.  You should
>> also tell us how you get v4 connectivity, I think.
>
> I get a /48 block, and a gateway I should use.  As for IPv4, I get an IP
> address, and a gateway I should use.

What's the address of the gateway, then?  Is it part of your /48?
Is there an equipment furnished by your ISP involved?  C'mon, just
provide raw information.

> If I subnet the IPv6 block, and set up my server as a router, wouldn't
> my ISP have to know which IP is the route to my subnet?

Probably, but see my question above.  What exact instructions were you
given?  What's your ISP?  Are there online docs?

I may be missing something, but still...

[...]

--
Jérémie Courrèges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494


Re: OpenBSD as IPv4+6 gateway

Hugo Osvaldo Barrera
On 2012-06-21 04:39, Jérémie Courrèges-Anglas wrote:

> Hugo Osvaldo Barrera <[hidden email]> writes:
>
> [...]
>
>>> ... how does your ISP provide you IPv6 connectivity?  I can't see why
>>> someone couldn't use proper subnetting, being given a /48.  You should
>>> also tell us how you get v4 connectivity, I think.
>>
>> I get a /48 block, and a gateway I should use.  As for IPv4, I get an IP
>> address, and a gateway I should use.
>
> What's the address of the gateway, then?  Is it part of your /48?
> Is there an equipment furnished by your ISP involved?  C'mon, just
> provide raw information.

Sorry, I didn't mean to withhold any information;

My assigned block is  2800:40:402::0/48
My default gateway is 2800:40:402:ffff::ffff (it's inside my assigned
block).

I've a single static IPv4 address, and a default gateway to use with it.
Not totally relevant, but I also received a couple of DNS servers they
provide, capable of resolving IPv4 and AAAA records fine.

They provide no DHCP, RA, etc; manual configuration must be done on the
client side.

My ISP gives me a single device (modem) with an ethernet port (and a
rj11 port on the other end that goes over to the ISP's network).
It doesn't have an IP address AFAIK, and merely bridges everything over
to the ISP's network.

>
>> If I subnet the IPv6 block, and set up my server as a router, wouldn't
>> my ISP have to know which IP is the route to my subnet?
>
> Probably, but see my question above.  What exact instructions were you
> given?  What's your ISP?  Are there online docs?

There are no docs, my ISP is Iplan (Argentina), and IPv6 isn't provided
mainstream, only to certain users.

>
> I may be missing something, but still...
>
> [...]
>


--
Hugo Osvaldo Barrera


Re: OpenBSD as IPv4+6 gateway

Simon Perreault-3
On 2012-06-21 03:46, Hugo Osvaldo Barrera wrote:
> My assigned block is  2800:40:402::0/48
> My default gateway is 2800:40:402:ffff::ffff (it's inside my assigned
> block).

Hugo,

Friendly suggestion: read a book on IPv6. If you had understood the
above information, you wouldn't be talking about "bridging". This makes
me think that your question isn't about OpenBSD, it is about IPv6. You
need to understand IPv6 first, and then when you know exactly what you
want on a protocol level you can come back and ask how to do it in OpenBSD.

Simon


Re: OpenBSD as IPv4+6 gateway

Hugo Osvaldo Barrera
On 2012-06-21 09:52, Simon Perreault wrote:

> On 2012-06-21 03:46, Hugo Osvaldo Barrera wrote:
>> My assigned block is  2800:40:402::0/48
>> My default gateway is 2800:40:402:ffff::ffff (it's inside my assigned
>> block).
>
> Hugo,
>
> Friendly suggestion: read a book on IPv6. If you had understood the
> above information, you wouldn't be talking about "bridging". This makes
> me think that your question isn't about OpenBSD, it is about IPv6. You
> need to understand IPv6 first, and then when you know exactly what you
> want on a protocol level you can come back and ask how to do it in OpenBSD.
>
> Simon
>

I have read a great deal regarding IPv6, and IIRC, if I subnet my
network block, my ISP would have to know it has to route traffic to that
subnet through the WAN IP address of my router.

The alternative would be to proxy ndp and have OpenBSD forward packets,
yet I don't see a way to proxy an entire subnet using ndp.

Am I missing something perhaps?

--
Hugo Osvaldo Barrera


Re: OpenBSD as IPv4+6 gateway

Simon Perreault-3
On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
> I have read a great deal regarding IPv6  and IIRC, if I subnet my
> network block, my ISP would have to know it has to route traffic to that
> subnet through the WAN IP address of my router.

Yes. If they don't allow that, then they don't know what they are doing.
You're not supposed to assign a /48 to a single link. A single link gets
a /64.

> The alternative would be to proxy ndp and have OpenBSD forward packets,
> yet I don't see a way to proxy an entire subnet using ndp.

Right, because you shouldn't do that, especially in IPv6 with the 64
bits of addressing for a single subnet.

> Am I missing something perhaps?

Call the support and ask them for the missing information?

You're definitely not supposed to bridge.

Simon


Re: OpenBSD as IPv4+6 gateway

Ryan Kirk
In my limited experience with ipv6, this has been the case. The
provider has you on a /64 of their own (not part of your /48), so your
WAN interface would have one of their IP's on it, and they should tell
you exactly what it should be. Just as it's done in IPv4. Your own
personal /48 is then routed through that IP. You can assign more IP's
from your /48 to your WAN interface, of course, by dedicating a /64 to
it. But you will always need to have at least the one ISP IP on it.


RK


On Thu, Jun 21, 2012 at 4:22 PM, Simon Perreault
<[hidden email]> wrote:

> On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
>> I have read a great deal regarding IPv6  and IIRC, if I subnet my
>> network block, my ISP would have to know it has to route traffic to that
>> subnet through the WAN IP address of my router.
>
>
> Yes. If they don't allow that, then they don't know what they are doing.
> You're not supposed to assign a /48 to a single link. A single link gets a
> /64.
>
>
>> The alternative would be to proxy ndp and have OpenBSD forward packets,
>> yet I don't see a way to proxy an entire subnet using ndp.
>
>
> Right, because you shouldn't do that, especially in IPv6 with the 64 bits of
> addressing for a single subnet.
>
>
>> Am I missing something perhaps?
>
>
> Call the support and ask them for the missing information?
>
> You're definitely not supposed to bridge.
>
> Simon


Re: OpenBSD as IPv4+6 gateway

Mark Felder-4
On Thu, 21 Jun 2012 16:34:51 -0500, Ryan Kirk <[hidden email]> wrote:

> In my limited experience with ipv6, this has been the case. The
> provider has you on a /64 of their own (not part of your /48), so your
> WAN interface would have one of their IP's on it, and they should tell
> you exactly what it should be. Just as it's done in IPv4. Your own
> personal /48 is then routed through that IP. You can assign more IP's
> from your /48 to your WAN interface, of course, by dedicating a /64 to
> it. But you will always need to have at least the one ISP IP on it.

The provider shouldn't be using a /64 for the link net. That means your  
router is getting the broadcasts from everyone else on that link net. The  
provider should be setting aside something like a /64 for link nets and  
actually be giving you /126s.


Re: OpenBSD as IPv4+6 gateway

Michael H Lambert
On 21 Jun 2012, at 18:04, Mark Felder wrote:

> The provider shouldn't be using a /64 for the link net. That means your
> router is getting the broadcasts from everyone else on that link net. The
> provider should be setting aside something like a /64 for link nets and
> actually be giving you /126s.

There is a school of thought that says point-to-point links should be
allocated /64s, just like LAN subnets.  Not everyone agrees.  I like /120s to
keep things octet-aligned for reverse DNS.

Michael


Re: OpenBSD as IPv4+6 gateway

Mark Felder-4
On Thu, 21 Jun 2012 17:28:05 -0500, Michael Lambert <[hidden email]>  
wrote:

> There is a school of thought that says point-to-point links should be
> allocated /64s, just like LAN subnets.  Not everyone agrees.  I like /120s to
> keep things octet-aligned for reverse DNS.

I was under the assumption that all customers were sharing the same /64  
for their link nets. Either way, this is a really bizarre usage of the  
abundant ipv6 space. :-)


Re: OpenBSD as IPv4+6 gateway

Rod Whitworth-3
In reply to this post by Michael H Lambert
On Thu, 21 Jun 2012 18:28:05 -0400, Michael Lambert wrote:

>On 21 Jun 2012, at 18:04, Mark Felder wrote:
>
>> The provider shouldn't be using a /64 for the link net. That means your
>> router is getting the broadcasts from everyone else on that link net. The
>> provider should be setting aside something like a /64 for link nets and
>> actually be giving you /126s.

No. The smallest network IS a /64. This even applies to link-local
addresses which are only used for point-to-point connections. Just run
ifconfig on your machine and see.

Your ISP has enough /64s to give you one that contains no other
clients.

>
>There is a school of thought that says point-to-point links should be
>allocated /64s, just like LAN subnets.  Not everyone agrees.  I like /120s to
>keep things octet-aligned for reverse DNS.

It is not a "school of thought" - it is how it is. I have seen one /126
out in the wild but it is very lonely.

I manage a /32 and that would let me hand out as many /64s as there are
IPv4 addresses in total (4G).

My ISP for my home connection uses a dynamic /64 per client to carry my
/56 which is sliced up here to use 4 /64s for my various LANs. The fact
that the link has a dynamic address is irrelevant as the ISP routes all
traffic to me over the link whatever address it currently has. There
are no packets travelling on the link that are not for me.

R/

*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thankyou.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.


Re: OpenBSD as IPv4+6 gateway

Mark Felder-4
On Thu, 21 Jun 2012 18:39:24 -0500, Rod Whitworth <[hidden email]>  
wrote:

> It is not a "school of thought" - it is how it is. I have seen one /126
> out in the wild but it is very lonely.

I work at an ISP/datacenter. We use /126s for the link net. Handing out  
/64's "because you can" is stupid in my worthless opinion :-)

Reply | Threaded
Open this post in threaded view
|

Re: OpenBSD as IPv4+6 gateway

Daniel Ouellet
On 6/21/12 7:52 PM, Mark Felder wrote:
> On Thu, 21 Jun 2012 18:39:24 -0500, Rod Whitworth <[hidden email]>
> wrote:
>
>> It is not a "school of thought" - it is how it is. I have seen one /126
>> out in the wild but it is very lonely.
>
> I work at an ISP/datacenter. We use /126s for the link net. Handing out
> /64's "because you can" is stupid in my worthless opinion :-)
>

It just makes everything less efficient, and as IPv6 is all done by the
processor, as no ASIC processes that IPv6 mess yet, then... well, whatever.

As for the school of thought, as Rod said, it's not a school of thought,
it's how the RFC said you should assign them, period.

You could read RFC 5375 for example, or a few more like 4291, 3587,
and others like it.

The reason why many ISPs are assigning different sizes and not the /48, or
/56 in some cases, or even the /64, is because IPv6 does have and would
allow you to actually change ISP without the need for renumbering,
depending on the process of IP allocation you use. See RFC 4291 for
example. I do not argue the good or bad of it. That's a totally
different question.

Plus when you need to carry these routes in your iBGP, or OSPF, or
whatever your poison is, you have lots more small routes than needed, etc.

Just think about it, when only IPv4 was available, the ISPs at large
wasted it, no questions asked, now they have more than they could possibly
use regardless of how they might want to waste it, so doing /120, or
/126, or whatnot to a single customer is NOT because they are all
suddenly conscientious and just woke up, it's because it makes them lock
you in and not allow you to easily switch ISP if you get pissed, and let's
face it, if you run a decent size office, renumbering is and has always been
painful.

They don't do it because they like you or are acting responsibly now,
but because they need to find a different way to lock you in.

Same reason why do we have NAT for IPv6!?! Really, who could possibly
need that with the address space we have today.

NAT was invented to compensate for IPv4 depletion, but way too many early
IT guys used it as a simple way to provide a security setup and forgot how
to do it right. It's just easier for them, however with the higher
bandwidth usage we have today they start to run into problems when NAT is
in use and you see jitter, latency and whatnot caused by it, but they
are clueless about it.

So, don't get me started on the stupidity of IPv6 and how the assignment
is now done.

Does anyone actually need a /64 for a company, or possibly a /56 for a
single house connection as the RFC specifies it, not really, and a /64 for
the point to point link, I don't think so, but if we are going to use
it, then use it as it was designed, with its pros and cons.

But look at the real reason why /126, or /96, or /120 are given in
Europe a lot, especially by France Telecom for example: it's not because
they are so brilliant, but that's their way to lock you in with them and
not make it easy for you to renumber, and if you ever had to do this for
many computers and multiple subnets, and all, you know what I am talking
about. No one is looking forward to that, and in many cases companies do
not change ISP because of that simple fact.

One thing that IPv6 made good for users was the possibility to switch ISP
overnight and no need to renumber their address space. BIG ISPs caught on to
that and do everything possible to not let you have that choice!

They do not want to improve their service to you so that you do not look
anywhere else for good connectivity, but are working in ways to limit
your choice and pretend to do it under the umbrella of IP conservation
when everyone knows these same ISPs wasted IPv4 like crazy before as they
can't manage it properly anyway.

Again, I am not arguing on the merits of IPv6 or the flaws of it, and there
are plenty, but if you are going to use it and roll it out, then at a minimum
do it as it is supposed to be done and don't try to create a school of
thought that is not based on merit but on ways to lock people in and
that doesn't stand on its own justification and merit.

I will grant you this however: with how they want the assignment to be
done, the address space is sure getting wasted plenty fast as well,
with size accordingly obviously.

The funny part or sad part depending how you actually understand proper
setup, you will still see countless users using NAT for IPv6 that have a
/48 assigned to them...

How crazy is that!

If you ever realize that NAT does have impact on your network
performance on high bandwidth, just wait when you do this for IPv6 and see.

Have fun, but please read the RFC and don't suggest assignment based on
school of thought. Try to do it right from the start and save you pain
down the road now.

Daniel


Re: OpenBSD as IPv4+6 gateway

Hugo Osvaldo Barrera
In reply to this post by Simon Perreault-3
On 2012-06-21 17:22, Simon Perreault wrote:
> On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
>> I have read a great deal regarding IPv6  and IIRC, if I subnet my
>> network block, my ISP would have to know it has to route traffic to that
>> subnet through the WAN IP address of my router.
>
> Yes. If they don't allow that, then they don't know what they are doing.
> You're not supposed to assign a /48 to a single link. A single link gets
> a /64.

But how would they know though which single IP to route the rest of the
subnets?

I mean, if I assign:
2800:40:402:ffff::1/64 to my router's WAN interface
(2800:40:402:ffff::ffff is its default gateway)
2800:40:402::1/64 to its LAN interface
2800:40:402::2/64 to one of my clients

Doesn't my ISP need to know that traffic to 2800:40:402::1 should be
routed through 2800:40:402:ffff::1?

>
>> The alternative would be to proxy ndp and have OpenBSD forward packets,
>> yet I don't see a way to proxy an entire subnet using ndp.
>
> Right, because you shouldn't do that, especially in IPv6 with the 64
> bits of addressing for a single subnet.
>
>> Am I missing something perhaps?
>
> Call the support and ask them for the missing information?
>
> You're definitely not supposed to bridge.
>
> Simon
>


--
Hugo Osvaldo Barrera


Re: OpenBSD as IPv4+6 gateway

Shane Lazarus
Heya

On Fri, Jun 22, 2012 at 2:00 PM, Hugo Osvaldo Barrera <
[hidden email]> wrote:

> On 2012-06-21 17:22, Simon Perreault wrote:
> > On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
> >> I have read a great deal regarding IPv6  and IIRC, if I subnet my
> >> network block, my ISP would have to know it has to route traffic to that
> >> subnet through the WAN IP address of my router.
> >
> > Yes. If they don't allow that, then they don't know what they are doing.
> > You're not supposed to assign a /48 to a single link. A single link gets
> > a /64.
>
> But how would they know though which single IP to route the rest of the
> subnets?
>
> I mean, if I assign:
> 2800:40:402:ffff::1/64 to my router's WAN interface
> (2800:40:402:ffff::ffff is its default gateway)
> 2800:40:402::1/64 to its LAN interface
> 2800:40:402::2/64 to one of my clients
>
> Doesn't my ISP need to know that traffic to 2800:40:402::1 should be
> routed through 2800:40:402:ffff::1?
>
>
What you have outlined there is that the ISP has configured their upstream
device such that it is directly connected to your entire IPv6 allocation.
If that is how they want to do things, then your best hope is to define the
/64 between their space and yours as being 2800:40:402:ffff::/64, and
asking them to configure their upstream device to deliver 2800:40:402::/48
to 2800:40:402:ffff::1

Alternatively, ask them for a linking allocation to remove the block
allocated to you from being directly attached to one of their devices.


Shane
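
Added example, not part of any poster's message: a longest-prefix-match model of the two ISP-side setups discussed above, using the addresses quoted in the thread. The ISP and router tables are assumptions built from the posts (whole /48 on-link versus the /48 routed to 2800:40:402:ffff::1 over a link /64); `lookup` and `check_plan` are hypothetical helper names.

```python
import ipaddress

# Prefixes and addresses quoted in the thread.
BLOCK = ipaddress.ip_network("2800:40:402::/48")          # customer allocation
WAN_LINK = ipaddress.ip_network("2800:40:402:ffff::/64")  # link /64 Shane proposes
LAN = ipaddress.ip_network("2800:40:402::/64")            # Hugo's LAN /64
ISP_GW = ipaddress.ip_address("2800:40:402:ffff::ffff")
ROUTER_WAN = ipaddress.ip_address("2800:40:402:ffff::1")
LAN_CLIENT = ipaddress.ip_address("2800:40:402::2")


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) entries.

    next_hop None marks a directly connected prefix: the device resolves the
    destination itself with Neighbor Discovery instead of forwarding it.
    """
    dst = ipaddress.ip_address(str(dst))
    hits = [(net, hop) for net, hop in table if dst in net]
    if not hits:
        return ("unreachable", None)
    net, hop = max(hits, key=lambda h: h[0].prefixlen)
    return ("neighbor-discovery", dst) if hop is None else ("forward", hop)


# Assumed model A: the ISP device treats the whole /48 as on-link
# (suggested by the gateway address sitting inside the customer block).
ISP_ONLINK = [(BLOCK, None)]
# Assumed model B: Shane's request. Link /64 connected, /48 routed to the router.
ISP_ROUTED = [(WAN_LINK, None), (BLOCK, ROUTER_WAN)]
# Customer router: two connected /64s plus a default route to the ISP gateway.
ROUTER = [(WAN_LINK, None), (LAN, None),
          (ipaddress.ip_network("::/0"), ISP_GW)]


def check_plan():
    """Sanity checks on the addressing plan; returns a list of problems."""
    problems = []
    if not (WAN_LINK.subnet_of(BLOCK) and LAN.subnet_of(BLOCK)):
        problems.append("a /64 lies outside the /48")
    if WAN_LINK.overlaps(LAN):
        problems.append("WAN link and LAN share a prefix")
    if ISP_GW not in WAN_LINK or ROUTER_WAN not in WAN_LINK:
        problems.append("gateway or router WAN address not on the link /64")
    return problems


if __name__ == "__main__":
    print("plan problems:", check_plan())
    print("/64s available in the /48:", 2 ** (64 - BLOCK.prefixlen))
    for name, table in (("on-link /48", ISP_ONLINK), ("routed /48", ISP_ROUTED)):
        print(f"ISP [{name}] -> {LAN_CLIENT}:", lookup(table, LAN_CLIENT))
    print("router -> 2001:db8::1:", lookup(ROUTER, "2001:db8::1"))
```

In model A the ISP device sends Neighbor Solicitations for the LAN client on the WAN segment, where the client cannot answer; in model B the same packet is forwarded to the router's WAN address.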


Re: OpenBSD as IPv4+6 gateway

Mark Felder-4
In reply to this post by Daniel Ouellet
On Thu, 21 Jun 2012 20:00:17 -0500, Daniel Ouellet <[hidden email]>  
wrote:

>
> Have fun, but please read the RFC and don't suggest assignment based on  
> school of thought. Try to do it right from the start and save you pain  
> down the road now.

The number of customers asking for IPv6 right now I can probably count on  
one hand, so this can quickly be changed. Your mention of the routing  
table has me thinking about some long-term dire consequences though. And  
yes, this is going to be a comedy of errors for quite some time. People  
can't grasp the concept of firewalling+routing vs firewalling+NAT. We have  
customers with /24s who choose to do 1:1 NAT at their firewall instead of  
just routing the damn IPs. And then they wonder why they have to upgrade  
their firewall hardware because it can't handle that many NAT  
entries/states....


Re: OpenBSD as IPv4+6 gateway

Rod Whitworth-3
In reply to this post by Mark Felder-4
On Thu, 21 Jun 2012 18:52:18 -0500, Mark Felder wrote:

>On Thu, 21 Jun 2012 18:39:24 -0500, Rod Whitworth <[hidden email]>  
>wrote:
>
>> It is not a "school of thought" - it is how it is. I have seen one /126
>> out in the wild but it is very lonely.
>
>I work at an ISP/datacenter. We use /126s for the link net. Handing out  
>/64's "because you can" is stupid in my worthless opinion :-)
>

It's not because you can, it's because it's best practice, it makes
renumbering easier and most of all when you use /64s your subnet
addresses are so easily readable.

What do you have?
/24 ?
/32 ?
/48 ?
/56 ?
All of the above have xx00:0:0:0:0:0 as the last part of the address
and when you slice off /64s they all have 0:0:0:0 as the last four
words so documenting is easy for any of your subnets.

But I guess that being ultra-frugal with subnet prefixlen is really
important for operators who have more clients than there are grains of
sand on the face of the earth.
That's roughly a /57's worth.

8-))
*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thankyou.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.


Re: OpenBSD as IPv4+6 gateway

Simon Perreault-3
In reply to this post by Hugo Osvaldo Barrera
On 2012-06-21 22:00, Hugo Osvaldo Barrera wrote:

> On 2012-06-21 17:22, Simon Perreault wrote:
>> On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
>>> I have read a great deal regarding IPv6  and IIRC, if I subnet my
>>> network block, my ISP would have to know it has to route traffic to that
>>> subnet through the WAN IP address of my router.
>>
>> Yes. If they don't allow that, then they don't know what they are doing.
>> You're not supposed to assign a /48 to a single link. A single link gets
>> a /64.
>
> But how would they know though which single IP to route the rest of the
> subnets?
>
> I mean, if I assign:
> 2800:40:402:ffff::1/64 to my router's WAN interface
> (2800:40:402:ffff::ffff is its default gateway)
> 2800:40:402::1/64 to its LAN interface
> 2800:40:402::2/64 to one of my clients
>
> Doesn't my ISP need to know that traffic to 2800:40:402::1 should be
> routed through 2800:40:402:ffff::1?

Yes. They need to tell you the address. Call and ask them.

Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca
