On Thursday 19 July 2007 18:00, Mike Williams wrote:

> fe80::214:f600:b67e:b4db is the link local address of the upstream
> router, which is also configured as dead:beef:2::1/48.

Strictly speaking, if it's taken from the same block, it should be at least /49; otherwise, they would incorrectly believe that the single (giant) dead:beef:2::/48 subnet is attached *directly* to the interface between you and them, and try to map ipv6 addresses to link-layer addresses accordingly. In practice, if reachability of the transit network is needed, most providers give you a /64 or longer (even /126 in some cases), taken from a dedicated pool reserved for point-to-point and transit networks. In many cases then, the use of global addresses can be avoided altogether (see my other reply).

> It is required that all hosts are accessed via, and get access through,
> the firewall we control. The upstream router can have changes made to
> it if required, but it's not good to keep bothering the ISP.

Of course, but configuring their end of the link correctly is something that should be done by them, and /if/ they got it wrong, they should correct it (imho).

> Now I think I understand what's wrong. The upstream router needs a
> route to dead:beef:2:1::/49 (or similar to cover any and all of our
> "internal" networks) via dead:beef:2::11, and be configured as
> dead:beef:2::1/64 instead of /48. Then it would route packets for
> dead:beef:2:136:204:23ff:fed7:e86a to dead:beef:2::11, rather than
> soliciting a link-local address for it. Have I got that right?

Almost (see what I wrote above). With ipv6, using link-local addresses for routing is not in any way wrong, and in fact is usually the preferred way of doing things (this is different from ipv4, if nothing else because ipv4 does not have the notion of link-local address!).

So, to summarize:

- you can use only link-local addresses, and manually configure static routes pointing to the correct local interfaces and to the other end's link-local address; your static route is a default one (::/0), and their static route is for the dead:beef:2::/48 block. If you have a single link to the provider and don't do dynamic routing, this is usually the easiest setup;

- optionally, you can also agree on assigning global addresses to the link; in this case, you must make sure that the subnet address assigned to the link is more specific (ie, has a longer prefix) than the block assigned to you, or is taken from a different pool.

When things are set up correctly, packets arriving at the ISP and addressed to dead:beef:2::/48 would be routed out their interface to you. To find the next hop, they would perform a neighbor discovery on your end's ipv6 link-local address (which they know) and, once they get your end's link-layer (MAC) address, they would send the traffic to your firewall's Internet interface. From there, your firewall has specific routes for the internal networks, and can deliver the packets to the intended recipients.

If the physical layer between you and the ISP is not ethernet, things are similar (there are well defined procedures for discovering the link-layer next-hop on almost every kind of media); the important thing is that each end knows the other end's link-local address.

-- 
[EMAIL PROTECTED] mailing list
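The following is an added example, not part of the thread above: a small Python model of how a router resolves the next hop for an IPv6 destination, written to show the failure the reply describes (an ISP interface configured with the customer's whole /48 treats every customer address as on-link and solicits the host itself instead of the firewall's link-local next hop). It reuses the addresses quoted in the thread (dead:beef:2::/48, dead:beef:2::1, dead:beef:2::11, fe80::214:f600:b67e:b4db); the firewall's link-local address fe80::11, the internal /64 and the interface names are constructed, and the routing-table model (longest-prefix match, connected route preferred on a tie) is this example's own simplification, not any particular router's implementation.

```python
"""Toy next-hop resolution for IPv6, to illustrate the /48-on-the-link mistake.

Added example, not from the mailing-list thread. Addresses from the thread are
reused; fe80::11, dead:beef:2:136::/64 and the interface names are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv6Addr = ipaddress.IPv6Address
IPv6Net = ipaddress.IPv6Network


@dataclass(frozen=True)
class Route:
    prefix: IPv6Net
    next_hop: Optional[IPv6Addr]  # None means connected: the prefix is on-link
    interface: str


def build_isp_table(link_prefix_len: int) -> list[Route]:
    """ISP routes toward the customer.

    Configuring dead:beef:2::1/<link_prefix_len> on the interface installs a
    connected route for that prefix; the static route for the customer's /48
    points at the customer firewall's link-local address (constructed here).
    """
    iface = ipaddress.IPv6Interface(f"dead:beef:2::1/{link_prefix_len}")
    firewall_ll = IPv6Addr("fe80::11")  # constructed value
    return [
        Route(iface.network, None, "cust0"),
        Route(IPv6Net("dead:beef:2::/48"), firewall_ll, "cust0"),
    ]


def build_firewall_table() -> list[Route]:
    """Customer firewall: link-local default toward the ISP plus an internal net."""
    isp_ll = IPv6Addr("fe80::214:f600:b67e:b4db")  # ISP link-local from the thread
    return [
        Route(IPv6Net("::/0"), isp_ll, "wan0"),
        Route(IPv6Net("dead:beef:2:136::/64"), None, "lan0"),  # constructed internal /64
    ]


def lookup(table: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal length a connected route beats a static one."""
    addr = IPv6Addr(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, r.next_hop is None))


def nd_target(table: list[Route], dst: str) -> str:
    """Return the address the router would send a Neighbor Solicitation for.

    On-link destination: the router solicits the destination itself, which gets
    no answer when that host actually sits behind the firewall. Off-link: it
    solicits the route's next hop, here a link-local address on the shared link.
    """
    route = lookup(table, dst)
    if route is None:
        return "unreachable"
    return str(IPv6Addr(dst) if route.next_hop is None else route.next_hop)


if __name__ == "__main__":
    host = "dead:beef:2:136:204:23ff:fed7:e86a"  # internal host quoted in the thread
    for plen in (48, 64):
        target = nd_target(build_isp_table(plen), host)
        print(f"ISP interface dead:beef:2::1/{plen}: neighbor solicitation for {target}")
    print("firewall, destination 2001:db8::1: solicitation for",
          nd_target(build_firewall_table(), "2001:db8::1"))
```

With the interface at /48 the model solicits the internal host's own address on the transit link, which is exactly the symptom quoted in the thread; with /64 the static /48 route is the longest match for that host, so the ISP solicits the firewall's link-local address instead, while dead:beef:2::11 on the link itself is still resolved directly via the connected /64.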