I am looking at deploying IPv6 to my virtual machines. Right now I have v6 working great on the dom0 using a 6in4 provided by Hurricane Electric as I do not have native v6.

However, I would like to distribute some of the /48 I am receiving to the domUs (/64 per machine would be ideal, but I am open to your suggestions). Static configuration on the domU side is fine.

All I want to accomplish is getting the traffic to pass through the dom0 to the domU. To say the least, I'm still trying to wrap my head around all the virtual interfaces and bridges Xen creates.

Yes, I have Googled around for this a bit and have not found anything great. I tried using two "vif-route6" bash scripts with no luck (possibly due to my ignorance with Xen networking).

I am still stuck (mainly in how to configure the dom0). I would like to imagine this problem is relatively easy to solve and I look forward to your suggestions and help!

Edited post to clarify my end goal: getting IPv6 to domU guests. I am completely open to suggestions but am hoping for something other than setting up a tunnel for every guest.

user98651
  • You wish to use your hypervisor as a router, facing the internet? Really? REALLY? – pauska Jun 21 '12 at 05:29
  • @pauska dom0 is not the hypervisor! Nevertheless, your point is taken with s/hypervisor/dom0/ . Whereas I believe it is more common in Xen networking configurations to use dom0 as a BRIDGE passing traffic to the domUs than a ROUTER, dom0 is in the path of the traffic one way or the other. I would be curious why you think it's such a bad idea for it to be a router. – Celada Jun 21 '12 at 14:19
  • I completely agree with @Celada. Why exactly do you feel it is a bad idea? Additionally, what would your preferred method be for getting v6 to domU guests, if it had to be done through the dom0? – user98651 Jun 21 '12 at 14:42
  • Fine. The dom0 is not the actual hypervisor, but it is required and has unlimited hardware access. What happens if someone manages to exploit it? Think about it. – pauska Jun 21 '12 at 14:46

1 Answer

Instead of being a bastard in comments, my suggestion is that you get a firewall that supports IPv6. If a hardware appliance doesn't fit then install it as a guest (domU), and use it to route traffic. That way you can at least protect the dom0 from being visible at all against the internet.

pfSense could probably fit fine.

pauska
  • Thank you for the suggestion and for being more friendly, but ultimately this will not work for me. Two points: One, v4 address space is already at a premium so I can't use another v4 IP on an IPv6 domU firewall. I understand this is at my own expense of security. But secondly, my dom0 is already fully available on the internet through IPv4. As mentioned in a previous comment, all traffic already passes through it. I like your idea of segmenting services as well as sheltering the dom0 in the name of security, but I do not feel like adding IPv6 really changes much (routed or not routed). – user98651 Jun 21 '12 at 14:56