• Two ISPs and backup for a home network (dual-homing)

    From Victor Sudakov@2:5005/49 to Dmitry Protasoff on Thu Jul 1 20:31:04 2021
    Dear Dmitry,

    30 Jun 21 23:17, you wrote to me:

    NAT66 is what NAT for ipv6 is called.

    What was the incentive to create such an abomination?

    "There are more things in heaven and earth, Horatio,
    Than are dreamt of in your philosophy."(c)Shakespeare

    And original ipv6 was just a miserable philosophy, created by people
    with limited knowledge about real life.

    The original IPv4 was also miserable with its classful networks, RIPv1 etc. I still cannot imagine however what "real life" problem they are solving by creating NAT for ipv6.

    NPTv6 is not a NAT, it's
    stateless solution.

    Even if NPT is called "prefix translation" and is stateless, it
    is still a NAT (in IPv4 terms, a type of a one-to-one NAT).

    NPTv6 is for prefix translation only, not for address translation.
    It's much more lightweight and easy to implement.

    Either you translate only the higher 64 bits of the address, or the whole 128 bits of the address, you still rewrite the packet. True, you don't do PAT, that's why I said that it looks like a one-to-one IPv4 NAT (much like in AWS VPC "public" subnets).

    However, the creators of IPv6 had better invent something like
    "dead gateway detection" or some other way for end devices to
    select a working outgoing address when they have several global
    prefixes (and gateways) available. I thought my knowledge was
    lacking, but it turns out the new and flashy protocol stack is
    lacking.

    Do you have a time machine to send some ideas to ipv6 creators? :)

    Nope, but I think $subj can be implemented today, e.g. via some field in RAs etc. In FreeBSD (and I'm sure in other IPv6 implementations) you can select the preferred source address, you only have to add some way to change it automatically when a "dead gateway" is detected.

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20170303-b20170303
    * Origin: Ulthar (2:5005/49)
  • From Dmitry Protasoff@2:5001/100.1 to Victor Sudakov on Thu Jul 1 16:46:56 2021
    Hello, Victor!

    Thursday July 01 2021 20:31, you wrote to me:

    The original IPv4 was also miserable with its classful networks, RIPv1 etc. I still cannot imagine however what "real life" problem they are solving by creating NAT for ipv6.

    For example - rerouting traffic via VPN to get thru RKN's DPI.
    Real life scenario :)

    translation. It's much more lightweight and easy to implement.

    Either you translate only the higher 64 bits of the address, or the
    whole 128 bits of the address, you still rewrite the packet. True, you don't do PAT, that's why I said that it looks like a one-to-one IPv4
    NAT (much like in AWS VPC "public" subnets).

    Yeah, but you can have the "host" part the same for several uplinks and change only the prefix on the NPTv6 gateway.
    It's the best ipv6 can offer for you, sorry.

    Nope, but I think $subj can be implemented today, e.g. via some field
    in RAs etc. In FreeBSD (and I'm sure in other IPv6 implementations)
    you can select the preferred source address, you only have to add some
    way to change it automatically when a "dead gateway" is detected.

    It adds more complexity and cannot be implemented easily in userland across multiple OSes.


    Best regards,
    dp.

    --- GoldED+/W64-MSVC 1.1.5-b20180707
    * Origin: No rest for the wicked (2:5001/100.1)
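    The point made above, that NPTv6 rewrites only the prefix and leaves the host part untouched, is easy to see in code. The following is an added illustration written for this thread, not code from any participant or from an NPTv6 implementation. It follows the RFC 6296 approach: copy the new prefix in, then add a one's complement "checksum adjustment" to one 16-bit word outside the prefix (the subnet word for /48 and shorter, the first usable IID word for longer prefixes), so that TCP/UDP checksums computed over the pseudo-header stay valid without the translator touching the transport layer. The ULA and documentation prefixes used are constructed sample values.

```python
import struct
import ipaddress


def _fold(x):
    """Fold an integer into a 16-bit one's complement value (end-around carry)."""
    while x >> 16:
        x = (x & 0xFFFF) + (x >> 16)
    return x


def ones_complement_sum(words):
    """One's complement sum of a sequence of 16-bit words."""
    return _fold(sum(words))


def _words(addr):
    """IPv6 address string -> list of eight 16-bit words."""
    return list(struct.unpack("!8H", ipaddress.IPv6Address(addr).packed))


def _addr(words):
    """Eight 16-bit words -> canonical IPv6 address string."""
    return str(ipaddress.IPv6Address(struct.pack("!8H", *words)))


def nptv6_translate(addr, from_prefix, to_prefix, plen):
    """Rewrite the leading plen bits of addr from from_prefix to to_prefix, adjusting one
    16-bit word outside the prefix so the one's complement sum of the whole address is
    unchanged (checksum-neutral, RFC 6296 style).  The same function serves both
    directions.  Illustration only: prefix lengths 16..64 in 16-bit steps."""
    if plen % 16 or not 16 <= plen <= 64:
        raise ValueError("this illustration handles prefix lengths 16..64 in 16-bit steps")
    n = plen // 16
    src, frm, to = _words(addr), _words(from_prefix), _words(to_prefix)
    if src[:n] != frm[:n]:
        raise ValueError(f"{addr} is not inside {from_prefix}/{plen}")
    # adjustment = sum(old prefix) - sum(new prefix), in one's complement arithmetic
    adj = _fold(ones_complement_sum(frm[:n]) + (~ones_complement_sum(to[:n]) & 0xFFFF))
    out = to[:n] + src[n:]          # new prefix, host part copied verbatim
    if plen <= 48:
        idx = 3                     # subnet word (bits 48..63) absorbs the adjustment
    else:
        # for longer prefixes, the first IID word that is not 0xFFFF absorbs it
        idx = next((i for i in range(4, 8) if out[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("IID is all 0xFFFF words; address cannot be translated")
    w = _fold(out[idx] + adj)
    out[idx] = 0 if w == 0xFFFF else w   # 0xFFFF and 0x0000 are both zero in one's complement
    return _addr(out)


def checksum_neutral(a, b):
    """True when a transport checksum over either address yields the same result."""
    norm = lambda s: 0 if s == 0xFFFF else s
    return norm(ones_complement_sum(_words(a))) == norm(ones_complement_sum(_words(b)))


if __name__ == "__main__":
    # constructed sample: internal ULA /48 mapped to a documentation /48 on one uplink
    inside = "fd00:1234:5678:1::10"
    outside = nptv6_translate(inside, "fd00:1234:5678::", "2001:db8:abcd::", 48)
    back = nptv6_translate(outside, "2001:db8:abcd::", "fd00:1234:5678::", 48)
    print(inside, "->", outside, "->", back, "neutral:", checksum_neutral(inside, outside))
```

Note that the IID (`::10`) survives unchanged and only the subnet word changes, which is what makes the mapping stateless: a second uplink is just a second `to_prefix` on the same gateway. Nothing here inspects the payload, so protocols that carry literal addresses inside the application data (the FTP/SIP case raised later in the thread) would see the untranslated address.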
  • From Victor Sudakov@2:5005/49 to Dmitry Protasoff on Sun Jul 4 12:36:40 2021
    Dear Dmitry,

    01 Jul 21 16:46, you wrote to me:

    The original IPv4 was also miserable with its classful networks,
    RIPv1 etc. I still cannot imagine however what "real life"
    problem they are solving by creating NAT for ipv6.

    For example - rerouting traffic via VPN to get thru RKN's DPI.
    Real life scenario :)

    Why would you need NAT for that? Get a VPN/tunnel provider who offers a global /64 or /56 or even a /48, like HE does.

    translation. It's much more lightweight and easy to implement.

    Either you translate only the higher 64 bits of the address, or
    the whole 128 bits of the address, you still rewrite the packet.
    True, you don't do PAT, that's why I said that it looks like a
    one-to-one IPv4 NAT (much like in AWS VPC "public" subnets).

    Yeah, but you can have the "host" part the same for several uplinks and
    change only the prefix on the NPTv6 gateway. It's the best ipv6 can offer for
    you, sorry.

    Too bad and a bit unexpected. There are/were rather complex things like Mobile IPv6 and HMIP, and they have not thought of a simple failover?

    Nope, but I think $subj can be implemented today, e.g. via some
    field in RAs etc. In FreeBSD (and I'm sure in other IPv6
    implementations) you can select the preferred source address, you
    only have to add some way to change it automatically when a "dead
    gateway" is detected.

    It adds more complexity and cannot be implemented easily in userland across multiple OSes.

    OK, let's start anew with a simple setup. If there are two routers in a home LAN advertising different global prefixes, and one of them goes offline, will IPv6 end hosts detect that and remove the corresponding addresses from their configuration?

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20170303-b20170303
    * Origin: Ulthar (2:5005/49)
  • From Victor Sudakov@2:5005/49 to Alexey Vissarionov on Sun Jul 4 12:44:50 2021
    Dear Alexey,

    30 Jun 21 05:24, you wrote to me:

    I know that my home router can advertise multiple global IPv6
    prefixes into the LAN, but how will LAN hosts failover to the
    backup gateway if the primary ISP fails? They will have IPv6
    addresses from both blocks, which should they choose for their
    outgoing src address?
    This is the preferred mode of operation, but it has (only) two
    disadvantages: 1. All hosts in the LAN must be able to do the
    switching|balancing on their own (that means, run Linux; the
    BSD-style networking stack, like the one used in Windoze, has
    very limited functionality). 2. This may require some manual
    configuration on each of them. Not really a problem, but may
    be boring.
    This is not feasible because most of those LAN hosts are
    smartphones, smart TVs, vacuum cleaners, cameras and other IoT
    devices.

    Most of these devices have Linux kernel, but crippled userspace.

    With two IPv4 ISPs and NAT, the setup is rather trivial,
    outgoing connections will work via either of the ISPs because
    the hosts needn't be aware of the failure, and their src
    private IP is always the same. Can anyone enlighten me?
    This is second option, but you'd lose the main advantage of
    IPv6: the use of publicly routed addresses.
    Indeed. I don't like the idea of using NAT in IPv6 even if I
    could. So what's the solution?

    For dumb devices, especially portable, I'd suggest using NPT.

    How well does NPT (being stateless) work with FTP, SIP and other protocols which embed addresses into payload?

    Fully functional computers may be connected to some other VLANs (two at once
    in your case) and configured to use real addresses.

    Speaking of those fully functional computers in the LAN, do you mean the setup when there is a script pinging some outside hosts/interfaces and modifying the IPv6 routing table, or something more advanced and interesting?

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20170303-b20170303
    * Origin: Ulthar (2:5005/49)
  • From Dmitry Protasoff@2:5001/100.1 to Victor Sudakov on Sun Jul 4 13:51:28 2021
    *** Answering a msg posted in area carbonArea (Carbon Area).

    Hello, Victor!

    Sunday July 04 2021 12:36, you wrote to me:

    For example - rerouting traffic via VPN to get thru RKN's DPI.
    Real life scenario :)

    Why would you need NAT for that? Get a VPN/tunnel provider who offers
    a global /64 or /56 or even a /48, like HE does.

    With he.net you'll lose access to local google caches and to local CDNs.
    With ipv4 I can forward only blocked subnetworks via VPN, with ipv6 and without NAT66 I can't do that.

    Yeah, but you can have the "host" part the same for several uplinks
    and change only the prefix on the NPTv6 gateway. It's the best ipv6 can
    offer for you, sorry.

    Too bad and a bit unexpected. There are/were rather complex things
    like Mobile IPv6 and HMIP, and they have not thought of a simple
    failover?

    Mobile IPv6 is an operator-controlled tool to keep your IPv6 address intact. But you are asking for exactly the opposite solution - to change your IPv6 address.

    It adds more complexity and cannot be implemented easily in
    userland across multiple OSes.

    OK, let's start anew with a simple setup. If there are two routers in
    a home LAN advertising different global prefixes, and one of them goes offline, will IPv6 end hosts detect that and remove the corresponding addresses from their configuration?

    Yes, but you'll still have a single routing table, and the timeout for a client to remove a dead ipv6 address from the interface and routing table is large enough to be unacceptable for general use.

    Best regards,
    dp.
    --- GoldED+/W64-MSVC 1.1.5-b20180707
    * Origin: No rest for the wicked (2:5001/100.1)
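    The question and answer above (two routers advertising different prefixes, one goes offline, what do end hosts do) can be made concrete with a small model of the RA-derived state a host keeps. This is an added illustration for this thread, not code from any participant and not any operating system's stack: it implements the RFC 4861 default router list with its router lifetime, the RFC 4862 per-prefix preferred/valid lifetimes including the "two hour rule" for unauthenticated RAs, and the RFC 6724 rule that a deprecated address is avoided as a source. The router addresses, prefixes and lifetimes are constructed sample values; the lifetimes are the RFC defaults (router lifetime 1800 s, preferred 604800 s, valid 2592000 s).

```python
from dataclasses import dataclass, field

TWO_HOURS = 2 * 3600


@dataclass
class PrefixState:
    preferred_until: float
    valid_until: float


@dataclass
class HostModel:
    """Hypothetical model of an IPv6 host's RA state (not a real stack)."""
    routers: dict = field(default_factory=dict)   # router link-local -> expiry time
    prefixes: dict = field(default_factory=dict)  # prefix -> PrefixState

    def receive_ra(self, now, router, router_lifetime, pios):
        # RFC 4861 6.3.4: router lifetime 0 means "not a default router any more"
        if router_lifetime == 0:
            self.routers.pop(router, None)
        else:
            self.routers[router] = now + router_lifetime
        for prefix, preferred, valid in pios:
            st = self.prefixes.get(prefix)
            if st is None:
                if valid > 0:
                    self.prefixes[prefix] = PrefixState(now + preferred, now + valid)
                continue
            st.preferred_until = now + preferred      # preferred 0 deprecates at once
            remaining = st.valid_until - now
            # RFC 4862 5.5.3(e), the "two hour rule": an unauthenticated RA may not cut
            # the remaining valid lifetime below two hours, so a prefix cannot be made
            # invalid instantly (it can only be deprecated via the preferred lifetime).
            if valid > TWO_HOURS or valid > remaining:
                st.valid_until = now + valid
            elif remaining > TWO_HOURS:
                st.valid_until = now + TWO_HOURS
            # otherwise the valid lifetime in this PIO is ignored

    def address_states(self, now):
        out = {}
        for prefix, st in self.prefixes.items():
            if now >= st.valid_until:
                out[prefix] = "invalid"
            elif now >= st.preferred_until:
                out[prefix] = "deprecated"
            else:
                out[prefix] = "preferred"
        return out

    def live_routers(self, now):
        return sorted(r for r, exp in self.routers.items() if now < exp)

    def candidate_source_prefixes(self, now):
        # RFC 6724 rule 3: prefer non-deprecated addresses.  Note the stack has no idea
        # whether the gateway that advertised a prefix is still reachable.
        states = self.address_states(now)
        preferred = sorted(p for p, s in states.items() if s == "preferred")
        return preferred or sorted(p for p, s in states.items() if s == "deprecated")


def scenario(graceful):
    """Two routers A and B.  At t=600 router B fails.  graceful=True: B sends a final RA
    withdrawing itself and deprecating its prefix.  graceful=False: B just goes silent.
    Returns the host's view (live routers, usable source prefixes) at t=601 and t=2401."""
    h = HostModel()
    pio_a = [("2001:db8:a::/64", 604800, 2592000)]   # constructed sample prefixes
    pio_b = [("2001:db8:b::/64", 604800, 2592000)]
    h.receive_ra(0, "fe80::a", 1800, pio_a)
    h.receive_ra(0, "fe80::b", 1800, pio_b)
    h.receive_ra(600, "fe80::a", 1800, pio_a)            # A keeps sending periodic RAs
    if graceful:
        h.receive_ra(600, "fe80::b", 0, [("2001:db8:b::/64", 0, 2592000)])
    snap = {601: (h.live_routers(601), h.candidate_source_prefixes(601))}
    for t in (1200, 1800, 2400):
        h.receive_ra(t, "fe80::a", 1800, pio_a)
    snap[2401] = (h.live_routers(2401), h.candidate_source_prefixes(2401))
    return snap


if __name__ == "__main__":
    print("graceful withdrawal:", scenario(True))
    print("silent failure:     ", scenario(False))
```

With a graceful withdrawal the host drops router B and stops using B's prefix as a source within one RA. With a silent failure, B only leaves the default router list after its router lifetime (1800 s by default) expires, and the address from B's prefix stays preferred for the advertised preferred lifetime (7 days by default), so the host may keep choosing it as a source and send that traffic out through A, where the upstream ISP is likely to discard it as spoofed. Shortening the advertised lifetimes helps only while the router is alive to refresh them, which is the gap a keepalive-style mechanism would have to fill.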
  • From Alexey Vissarionov@2:5020/545 to Victor Sudakov on Sun Jul 4 17:27:22 2021
    Good ${greeting_time}, Victor!

    04 Jul 2021 12:44:50, you wrote to me:

    I know that my home router can advertise multiple global IPv6
    prefixes into the LAN, but how will LAN hosts failover to the
    backup gateway if the primary ISP fails? They will have IPv6
    addresses from both blocks, which should they choose for their
    outgoing src address?
    This is the preferred mode of operation
    1. All hosts in the LAN must be able to do the switching|balancing
    on their own
    2. This may require some manual configuration on each of them.
    This is not feasible because most of those LAN hosts are
    smartphones, smart TVs, vacuum cleaners, cameras and other IoT
    devices.
    Most of these devices have Linux kernel, but crippled userspace.

    In general, IoT devices should reside in a separate VLAN without any access to the outer world. If you need to access any of them from outside, you have SSH running on the gateway for that.

    With two IPv4 ISPs and NAT, the setup is rather trivial,
    outgoing connections will work via either of the ISPs because
    the hosts needn't be aware of the failure, and their src
    private IP is always the same. Can anyone enlighten me?
    This is second option, but you'd lose the main advantage of
    IPv6: the use of publicly routed addresses.
    Indeed. I don't like the idea of using NAT in IPv6 even if I
    could. So what's the solution?
    For dumb devices, especially portable, I'd suggest using NPT.
    How well does NPT (being stateless) work with FTP, SIP and other
    protocols which embed addresses into payload?

    FTP is dead. SIP clients normally use only LAN (everything else should be performed by a gateway).

    Well, I can imagine a SIP client connecting to the corporate SIP PBX. To work properly in a multi-link environment, it has to establish _two_ connections for the SIP control channels. Software PBXes (Asterisk and some others) are known to work. Clients running on PDAs are unlikely.

    Fully functional computers may be connected to some other VLANs
    (two at once in your case) and configured to use real addresses.
    Speaking of those fully functional computers in the LAN, do you
    mean the setup when there is a script pinging some outside hosts/interfaces and modifying the IPv6 routing table, or something more advanced and interesting?

    Trivial per-interface VRF.


    --
    Alexey V. Vissarionov aka Gremlin from Kremlin
    gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

    ... god@universe:~ # cvs up && make world
    --- /bin/vi
    * Origin: ::1 (2:5020/545)
  • From Benny Pedersen@2:230/0 to Nil A on Thu Jul 22 14:07:36 2021
    Hello Nil!

    28 Jun 2021 18:15, Nil A wrote to Victor Sudakov:

    I don't see how iPv6 differs from IPv4 in this regard. Is it like you have multiple A DNS records vs multiple AAAA records to point to your node host name?

    ask isp to deliver with hardware peer bundled modems, the ipv6 router does not need to know its 2 physical lines on the outside

    hardware exists for 2 lines, and imho up to 8 phone lines, each can then add a more stable connection and more speed, even if each of the lines is a different central, but in most cases it would not be good since ping time would then not be equal, but in theory it could be prioter to make compensation for that


    Regards Benny

    ... too late to die young :)

    --- Msged/LNX 6.1.2 (Linux/5.12.19-gentoo-dist (x86_64))
    * Origin: gopher://fido.junc.eu/ (2:230/0)
  • From Victor Sudakov@2:5005/49 to Alexey Vissarionov on Wed Aug 4 21:49:42 2021
    Dear Alexey,

    04 Jul 21 17:27, you wrote to me:

    I know that my home router can advertise multiple global IPv6
    prefixes into the LAN, but how will LAN hosts failover to the
    backup gateway if the primary ISP fails? They will have IPv6
    addresses from both blocks, which should they choose for
    their outgoing src address?
    This is the preferred mode of operation
    1. All hosts in the LAN must be able to do the
    switching|balancing on their own 2. This may require some manual
    configuration on each of them.
    This is not feasible because most of those LAN hosts are
    smartphones, smart TVs, vacuum cleaners, cameras and other IoT
    devices.
    Most of these devices have Linux kernel, but crippled userspace.

    In general, IoT devices should reside in a separate VLAN without any access to the outer world.

    Most of the value of IoT devices depends on their access to the outer world. By denying them access, you lose this value.

    If you need to access any of them from
    outside, you have SSH running on the gateway for that.

    Who in their right mind would access their smart vacuum cleaner, thermostat or security camera by SSH? I want the vacuum cleaner to notify me on the mobile app when it's finished or stuck.

    I can agree that ingress access to the IoT device network is usually unnecessary, egress access is enough for them.

    With two IPv4 ISPs and NAT, the setup is rather trivial,
    outgoing connections will work via either of the ISPs because
    the hosts needn't be aware of the failure, and their src
    private IP is always the same. Can anyone enlighten me?
    This is second option, but you'd lose the main advantage of
    IPv6: the use of publicly routed addresses.
    Indeed. I don't like the idea of using NAT in IPv6 even if I
    could. So what's the solution?
    For dumb devices, especially portable, I'd suggest using NPT.
    How well does NPT (being stateless) work with FTP, SIP and other
    protocols which embed addresses into payload?

    FTP is dead.

    It is not. You just don't know.

    SIP clients normally use only LAN (everything else should
    be performed by a gateway).

    Tell that to sipnet.ru and many other VoIP providers. I've seen even semi-private VoIP networks (for admins) working over the Internet.

    Well, I can imagine a SIP client connecting to the corporate SIP PBX.
    To work properly in a multi-link environment, it has to establish
    _two_ connections for the SIP control channels.

    May be so, if a SIP client itself is multihomed. In this case, it may survive the disconnection of one of the uplinks, is that what you mean?

    Fully functional computers may be connected to some other VLANs
    (two at once in your case) and configured to use real addresses.
    Speaking of those fully functional computers in the LAN, do you
    mean the setup when there is a script pinging some outside hosts/
    interfaces and modifying the IPv6 routing table, or something
    more advanced and interesting?

    Trivial per-interface VRF.

    And how do applications (e.g. a Web browser) decide which VRF to use for outgoing connections? If one of the VRFs has no connection to the Internet, as was the original question. The application must know that this VRF is currently "disconnected" and act accordingly, how do you handle that?

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20170303-b20170303
    * Origin: Ulthar (2:5005/49)
  • From Victor Sudakov@2:5005/49 to Dmitry Protasoff on Wed Aug 4 22:12:18 2021
    Dear Dmitry,

    04 Jul 21 13:51, you wrote to me:

    For example - rerouting traffic via VPN to get thru RKN's DPI.
    Real life scenario :)

    Why would you need NAT for that? Get a VPN/tunnel provider who
    offers a global /64 or /56 or even a /48, like HE does.

    With he.net you'll lose access to local google caches and to local
    CDNs. With ipv4 I can forward only blocked subnetworks via VPN, with
    ipv6 and without NAT66 I can't do that.

    Well, it's a valid point of course. The protocol designers are not required to foresee the acts of malicious morons breaking the Internet intentionally. But they could have provided for a simple failover mechanism.

    OTOH, when I have to circumvent RKN, I prefer to start a new browser session where all traffic goes via a VPN. Yes, I lose access to local google caches and to local CDNs, but be it so.

    Yeah, but you can have the "host" part the same for several uplinks
    and change only the prefix on the NPTv6 gateway. It's the best ipv6 can
    offer for you, sorry.

    Too bad and a bit unexpected. There are/were rather complex
    things like Mobile IPv6 and HMIP, and they have not thought of a
    simple failover?

    Mobile IPv6 is an operator-controlled tool to keep your IPv6 address intact. But you are asking for exactly the opposite solution - to
    change your IPv6 address.

    Not exactly "to change my IPv6 address", but rather provide some simple failover mechanism for multihomed IPv6 hosts. It has just come to my mind: if those multihomed hosts ran some kind of routing protocol (OSPFv3 or a simple equivalent thereof) there would be absolutely no problem selecting the working gateway.

    It adds more complexity and cannot be implemented easily in
    userland across multiple OSes.

    OK, let's start anew with a simple setup. If there are two
    routers in a home LAN advertising different global prefixes, and
    one of them goes offline, will IPv6 end hosts detect that and
    remove the corresponding addresses from their configuration?

    Yes, but you'll still have a single routing table, and the timeout for a client
    to remove a dead ipv6 address from the interface and routing table is large enough to be unacceptable for general use.

    So, we need some simple routing protocol with keepalives, running both on end hosts and the router?

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20170303-b20170303
    * Origin: Ulthar (2:5005/49)
  • From Dmitry Protasoff@2:5001/100.1 to Victor Sudakov on Thu Aug 19 01:24:34 2021
    Hello, Victor!

    Wednesday August 04 2021 22:12, you wrote to me:

    Well, it's a valid point of course. The protocol designers are not required to foresee the acts of malicious morons breaking the Internet intentionally. But they could have provided for a simple failover mechanism.

    I am taking a break. My idea is to redesign my home network according to new insight from Rostelecom about their DPI's ipv6 support.
    Will come back with new thoughts later :)

    Best regards,
    dp.

    --- GoldED+/W64-MSVC 1.1.5-b20180707
    * Origin: No rest for the wicked (2:5001/100.1)