forwarding *some* web traffic to a virtual machine

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Thu Sep 9 04:14:07 UTC 2010


| From: William Muriithi <william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>

| I am not certain this will help Matt. He is trying to avoid using 2
| IPv4 IPs but still be reachable by the public - Who are all still
| mostly in IPv4.  I think his solution is some kind of NAT/PAT and that
| is it
| 
| Problem with using IPv6 is he will still not be reachable from IPv4.
| Those two protocols have different headers - for efficiency reasons -
| and therefore not compatible.  That implies he will need a kind of
| tunnel, but one way or the other that tunnel will expose the IPv6 as 2
| IPv4 IPs.  So the initial problem will still remain only far down the
| stream. I could be wrong though

Makes sense to me.  You'd need a way to address all IPv6 endpoints
with an IPv4 address.  This cannot be done because there are only
2^32 IPv4 addresses and 2^128 IPv6 addresses.

There are various compromises to get around this, but they are not
general.

1) both endpoints in a conversation must be speaking IPv6, or both must
   be speaking IPv4, or there is a proxy in the middle of the
   conversation to translate.  The proxy does something very like
   NATing.

2) the intermediate points of a conversation must also use the same
   protocol UNLESS the conversation is carried by a tunnel.
   Using a tunnel adds translation overhead and often involves
   disoptimal routing of packets.

It is easiest to think of there being two internets: the IPv4 cloud
and the IPv6 cloud.  The implementations of each may share
infrastructure, but that isn't important at this level.

It is possible to have disconnected IPv6 islands, but it is only
useful for limited purposes and can create problems (i.e. you know an
IPv6 address, and try to use it, but there is no route to that
address because it is on a different island).

If you switch to IPv6 at home, say, you might have local problems with
some applications that are not willing to talk IPv6 (some applications
have been mentioned).  If your ISP does not handle IPv6, you will need
a tunnel to a place in the IPv6 cloud.

The transition to IPv6 is tricky.  If your node only speaks IPv6, it
cannot talk to IPv4-only nodes (the majority, at this time).  So we
need a long period during which nodes speak both IPv4 and IPv6.

Initial condition: every node on the internet has an IPv4 address
(nodes behind NAT are not on the internet).

Next step:
More and more nodes add an IPv6 address (while retaining their IPv4
address).  Of course only nodes connected to the IPv6 cloud can
do this.
Nodes speak IPv6 when spoken to in IPv6.
AAAA records are added to DNS so that IPv6 address can be found.

Next step: programs query for AAAA records as well as A records and
use the IPv6 in preference to the IPv4 address.  I don't remember but
I think that the resolver may already provide such a capability.  This
step could be merged into the previous one.

Next step: nodes start to turn off their IPv4 address (and their DNS A
records).  New nodes are never given an IPv4 address (unless a
compelling case is made).  This can only be done after everyone that
matters is connected to the IPv6 cloud.

Now IPv4 is unnecessary and can be turned off.

There may well be stranded islands of IPv4 at this time.  If they are
LANs of SCADA, the world might be a safer place :-)

Just for fun:

    $ host -t aaaa google.ca
    google.ca has no AAAA record
    $ host -t aaaa microsoft.com
    microsoft.com has no AAAA record
    $ host -t aaaa arin.net
    arin.net has IPv6 address 2001:500:4:13::80
    arin.net has IPv6 address 2001:500:4:13::81
    $ host -t aaaa cbc.ca
    cbc.ca has no AAAA record
    $ host -t aaaa wikipedia.org
    wikipedia.org has no AAAA record
    $ host -t aaaa yahoo.com
    yahoo.com has no AAAA record
    $ host -t aaaa facebook.com
    facebook.com has no AAAA record
    $ host -t aaaa hp.com
    hp.com has no AAAA record
    $ host -t aaaa kernel.org
    kernel.org has no AAAA record
    $ host -t aaaa rogers.com
    rogers.com has no AAAA record
    $ host -t aaaa ss.org
    ss.org has no AAAA record
    $ host -t aaaa slashdot.org
    slashdot.org has no AAAA record
    $ host -t aaaa ripe.net
    ripe.net has IPv6 address 2001:610:240:22::c100:68b
    $ host -t aaaa www.cra-arc.gc.ca
    www.cra-arc.gc.ca has no AAAA record
    $ host -t aaaa ietf.org
    ietf.org has IPv6 address 2001:1890:1112:1::20
    $ host -t aaaa www.defense.gov
    www.defense.gov is an alias for www.defense.gov.edgesuite.net.
    www.defense.gov.edgesuite.net is an alias for a445.b.akamai.net.
    $ host -t aaaa a445.b.akamai.net.
    a445.b.akamai.net has no AAAA record
    $ host -t aaaa icann.org
    icann.org has IPv6 address 2620:0:2d0:200::7

Looks like we're not far along this transition.
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
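The "next step" in the post (query AAAA as well as A records, prefer the IPv6 address, keep IPv4 as the fallback) and the `host -t aaaa` survey above are easy to reproduce without touching the network. The following is an added example, not code from the post or from TLUG: it parses output in the shape `host -t aaaa` prints (the sample is constructed from lines the post shows, with 2010-era answers, not a claim about what those names resolve to now), follows alias chains with a hop limit so a looping CNAME cannot spin forever, and orders connection candidates IPv6-first. The A records are invented RFC 5737 documentation addresses, since the post never shows `host -t a` output.

```python
"""Parse `host -t aaaa` output and apply IPv6-first address selection.

Added example, not part of the mailing-list post. Runs offline: the
`host` output below is a constructed sample and the A records are
invented documentation addresses (RFC 5737 TEST-NET ranges).
"""
import ipaddress
import re

# Constructed sample in the format `host -t aaaa` prints (answers as the
# 2010 post reported them; not a statement about these names today).
SAMPLE_HOST_OUTPUT = """\
google.ca has no AAAA record
arin.net has IPv6 address 2001:500:4:13::80
arin.net has IPv6 address 2001:500:4:13::81
www.defense.gov is an alias for www.defense.gov.edgesuite.net.
www.defense.gov.edgesuite.net is an alias for a445.b.akamai.net.
a445.b.akamai.net has no AAAA record
icann.org has IPv6 address 2620:0:2d0:200::7
"""

# Constructed A records (RFC 5737 documentation addresses) standing in
# for what `host -t a` would have shown; purely illustrative.
SAMPLE_A_RECORDS = {
    "google.ca": ["192.0.2.10"],
    "arin.net": ["198.51.100.20"],
    "a445.b.akamai.net": ["203.0.113.30"],
    "icann.org": ["192.0.2.40"],
}

_NO_AAAA = re.compile(r"^(\S+) has no AAAA record$")
_HAS_V6 = re.compile(r"^(\S+) has IPv6 address (\S+)$")
_ALIAS = re.compile(r"^(\S+) is an alias for (\S+)$")


def _canon(name):
    """Normalise a DNS name: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def parse_host_output(text):
    """Return (aaaa, aliases).

    aaaa    : name -> list of IPv6 address strings ([] = "has no AAAA record")
    aliases : name -> alias target (one CNAME hop)
    Unrecognised lines raise ValueError instead of being skipped silently.
    """
    aaaa, aliases = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _NO_AAAA.match(line)
        if m:
            aaaa.setdefault(_canon(m.group(1)), [])
            continue
        m = _HAS_V6.match(line)
        if m:
            # IPv6Address() rejects malformed text and normalises the form.
            addr = str(ipaddress.IPv6Address(m.group(2)))
            aaaa.setdefault(_canon(m.group(1)), []).append(addr)
            continue
        m = _ALIAS.match(line)
        if m:
            aliases[_canon(m.group(1))] = _canon(m.group(2))
            continue
        raise ValueError("unrecognised host output: %r" % line)
    return aaaa, aliases


def canonical_name(name, aliases, max_hops=8):
    """Follow the alias chain; None if it loops or exceeds max_hops."""
    name = _canon(name)
    seen = set()
    for _ in range(max_hops):
        if name not in aliases:
            return name
        if name in seen:
            return None
        seen.add(name)
        name = aliases[name]
    return None


def ipv6_addresses(name, aaaa, aliases):
    """AAAA addresses after following aliases: [] if none, None if unknown."""
    target = canonical_name(name, aliases)
    return None if target is None else aaaa.get(target)


def connect_order(name, aaaa, aliases, a_records):
    """Candidates in the post's preferred order: all IPv6, then IPv4 fallback."""
    target = canonical_name(name, aliases)
    if target is None:
        return []
    six = aaaa.get(target, [])
    four = [str(ipaddress.IPv4Address(a)) for a in a_records.get(target, [])]
    return six + four


def transition_summary(aaaa, aliases):
    """Split every queried name into (IPv6-reachable, IPv4-only), sorted."""
    names = set(aaaa) | set(aliases)
    with_v6 = sorted(n for n in names if ipv6_addresses(n, aaaa, aliases))
    without = sorted(n for n in names if not ipv6_addresses(n, aaaa, aliases))
    return with_v6, without


if __name__ == "__main__":
    aaaa, aliases = parse_host_output(SAMPLE_HOST_OUTPUT)
    ok, missing = transition_summary(aaaa, aliases)
    print("IPv6-reachable:", ok)
    print("IPv4-only     :", missing)
    for n in ("arin.net", "www.defense.gov"):
        print(n, "->", connect_order(n, aaaa, aliases, SAMPLE_A_RECORDS))
```

Feeding it real `host -t aaaa` output is a one-line change (read the text from a file or a pipe instead of the constructed sample); the hop limit and the ValueError on unrecognised lines are there so that odd resolver output is surfaced rather than quietly counted as "no AAAA".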
