1

This is not my area of expertise, so forgive me if I am getting this completely wrong. Some datacentres are now offering IPv6 addresses and potentially 100s per VM. What would the benefit of this be? Surely you only ever need one address and many ports? What benefit would be gained from having 100s of IPv6 addresses point to the same ethernet interface?

thanks

Zuriar
  • Can you give an example of the addresses? A URL to a service making this offer? There are a variety of reasons to do this, but any answer would be just guessing. As it stands, this question is a bit unanswerable. – mawcsco Aug 19 '14 at 17:18
  • I vaguely recall seeing a post where someone described how you could make an entire '/64' network be treated as if each address was on a single interface on Linux. – Zoredache Aug 19 '14 at 17:46
  • @Zoredache http://serverfault.com/q/209203/126632 – Michael Hampton Aug 19 '14 at 19:45

2 Answers

6

What would the benefit of this be?

One IP per Website or other such web service immediately springs to mind. Then you don't need to worry about SNI, Virtual Hosts, or any of that. Also, darknet honeypots.

Surely you only ever need one address and many ports?

Most protocols can't specify a different port without the user manually specifying it (a very few services can, usually using SRV records - I can think of about 3 applications that actually use SRV records off the top of my head).

What benefit would be gained from having 100s of IPv6 addresses point to the same ethernet interface?

You already asked that.

How many IPv6 addresses can one network card have assigned to it?

At least tens of thousands, though if you need more than that you're probably doing something wrong.

Chris S
1

You can bind services to particular addresses. For instance, suppose you have a machine with the globally routable address 2001:db8:cafe:babe:20c:29ff:fe01:2345 and you run a DNS and a web server on that machine. Then, you could add the addresses, say, 2001:db8:cafe:babe::53 for DNS and 2001:db8:cafe:babe::80 for HTTP (and HTTPS) (some purists calculate the hex values for 53 and 80 and use them as the interface identifier...). This makes for simple firewall rules: Allow only UDP/53 to 2001:db8:cafe:babe::53 and allow only TCP/80 and TCP/443 to 2001:db8:cafe:babe::80 and so on. For redundancy you might add ULAs, say fc73:607:a09f:babe:20c:29ff:fe01:2345. And so on.

Another use case is what Chris S mentioned.

Bear in mind that for each unicast address on an interface the host must join the corresponding link-local solicited-node multicast group. So you may use addresses liberally but you should not exaggerate.

countermode
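The per-address firewall policy and the solicited-node caveat from the answer above, worked through as an added example (not code from either answer). The addresses are the ones quoted in the answer; the function names and the nftables rendering, which assumes an input chain whose default policy is drop, are assumptions of this example.

```python
import ipaddress

# Service addresses and permitted (protocol, port) pairs, taken from the answer above.
POLICY = {
    "2001:db8:cafe:babe::53": {("udp", 53)},
    "2001:db8:cafe:babe::80": {("tcp", 80), ("tcp", 443)},
}
# Other addresses on the same interface (also from the answer); no service is exposed on them.
OTHER_ADDRS = [
    "2001:db8:cafe:babe:20c:29ff:fe01:2345",
    "fc73:607:a09f:babe:20c:29ff:fe01:2345",
]

def allowed(dst, proto, port):
    """Default deny: accept only if (proto, port) is listed for this exact destination."""
    key = str(ipaddress.IPv6Address(dst))  # normalise the textual form before lookup
    return (proto, port) in POLICY.get(key, set())

def nft_rules():
    """Render the policy as nftables rule lines (hypothetical chain with policy drop)."""
    rules = []
    for addr, services in POLICY.items():
        for proto in sorted({p for p, _ in services}):
            ports = sorted(port for p, port in services if p == proto)
            rules.append(f"ip6 daddr {addr} {proto} dport {{ {', '.join(map(str, ports))} }} accept")
    return rules

def solicited_node(addr):
    """Solicited-node multicast group (RFC 4291): ff02::1:ff00:0/104 plus the low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def groups_to_join():
    """Distinct groups the host must join for every unicast address on the interface."""
    return {solicited_node(a) for a in list(POLICY) + OTHER_ADDRS}

if __name__ == "__main__":
    print("\n".join(nft_rules()))
    for group in sorted(groups_to_join()):
        print("joins", group)
```

The global and ULA addresses share an interface identifier, so they map to the same multicast group: four addresses cost three group memberships, while hundreds of addresses with unrelated low 24 bits cost one membership each.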