Hi.

On Tue, Jun 18, 2019 at 11:47:08PM +1200, Richard Hector wrote:
> On 18/06/19 10:32 PM, Reco wrote:
> >     Hi.
> > 
> > On Tue, Jun 18, 2019 at 09:56:17PM +1200, Richard Hector wrote:
> >> On 18/06/19 3:38 AM, Reco wrote:
> >>>   Hi.
> >>>
> >>> On Mon, Jun 17, 2019 at 10:38:27AM -0400, Gene Heskett wrote:
> >>>> But that opens yet another container of worms. If I arbitrarily assign 
> >>>> ipv6 local addresses, and later, ipv6 shows up at my side of the router, 
> >>>> what if I have an address clash with someone on a satellite circuit in 
> >>>> Ulan Bator.  How is that resolved, by unroutable address blocks such as 
> >>>> 192.168.xx.xx is now?
> >>>
> >>> More or less yes. It's called ULA (Unique Local Address) in IPv6 lingua.
> >>> If you're using anything from fd00::/8 - you're safe.
> >>
> >> As long as you choose them randomly. If you decide to use fd00::/64, or
> >> something else predictable, you may run into conflicts ... but only if
> >> you connect directly to their network.
> > 
> > No sensibly configured router will allow forwarding ULAs to the
> > internet.  A scenario you're describing is therefore impossible unless
> > one adds NAT66 or some kind of VPN to it. In the former case
> > predictability of site addresses does not matter, in the latter it's
> > solvable with the appropriate amount of custom routes.
> 
> Custom routes? When routing between 2 networks using the same range,
> either with a VPN or some kind of direct connection? It's going to need
> some evil double NAT sorcery, especially if the same actual addresses
> are in use on both.

As long as:

a) It's L3 VPN, so ARP is not a concern.
b) There are no duplicate IPs on both sites combined.

The problem can be 'solved' by announcing specific IP routes to each and
every host on both sites. Yes, it's gross.


> >> The main reason I'm using v6 is that 2 networks I'm running a VPN
> >> between both chose 192.168.1.0/24, and I can't change either ...
> > 
> > So? If your VPN is running in L3 mode it's still possible to add some
> > kludges to IPv4 routing. If your VPN passes L2 - you're doing it
> > terribly wrong.
> 
> Yes, I'm routing. Not sure what kludges you're proposing to let a
> machine at one end talk to a machine at the other which it thinks is on
> the same network.

See above, it ain't pretty.


> Adding v6 at both ends with properly unique ranges seemed much the saner
> option. Educational, as well :-)

I totally agree here.


> >> There are online random ULA generators - but I'm not convinced one of
> >> them didn't give me the same block twice, or whether it was my own error.
> > 
> > Never used one. An IPv6 /8 block consists of 2^56 unique /64 subnets.
> > Surely it's possible to choose several unique /64 subnets by using, say,
> > ipv6calc.
> 
> Yes, but there is a recommendation to use random ones, and even a
> suggestion of how to do it, in RFC 4193.

But this RFC's "random" cannot mean "I start each day with selecting
new, custom /64 IPv6 ULA prefix for my site". ipv6calc fills this
nicely, try it some day.

Reco
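
[Added example, not part of the thread above and not ipv6calc's code.] The
RFC 4193 procedure Richard and Reco refer to (section 3.2.2) is short
enough to show in full: take a 64-bit NTP timestamp, append a modified
EUI-64 from one of the site's interfaces, SHA-1 the concatenation, keep the
low 40 bits as the Global ID, and prepend fd (fc00::/7 with the L bit set)
to get a site /48. The /64 subnets are then carved out of that /48, so a
site needs exactly one run of this, which is Reco's point about not
picking a new prefix every day. The MAC address and the fixed timestamp
used in the demo are constructed values for reproducibility; any real
deployment would use the current clock and an actual interface address.

```python
import hashlib
import ipaddress
import itertools
import struct
import time
from typing import List, Optional

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800

# Locally assigned ULA block: fc00::/7 with the L bit set to 1 (RFC 4193, 3.1).
FD00_8 = ipaddress.IPv6Network("fd00::/8")


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291, appendix A):
    insert ff:fe between the OUI and the device part, flip the U/L bit."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def ntp_timestamp(now: Optional[float] = None) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900 | 32-bit fraction."""
    if now is None:
        now = time.time()
    seconds = int(now) + NTP_EPOCH_OFFSET
    fraction = int((now - int(now)) * (1 << 32))
    return ((seconds & 0xFFFFFFFF) << 32) | (fraction & 0xFFFFFFFF)


def ula_global_id(eui64: bytes, ntp_time: int) -> int:
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64),
    keep the least significant 40 bits as the Global ID."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    key = struct.pack(">Q", ntp_time) + eui64
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(eui64: bytes, ntp_time: Optional[int] = None) -> ipaddress.IPv6Network:
    """Site /48: 0xfd in the top byte, then the 40-bit Global ID, then zeros."""
    if ntp_time is None:
        ntp_time = ntp_timestamp()
    gid = ula_global_id(eui64, ntp_time)
    prefix_int = (0xFD << 120) | (gid << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def is_locally_assigned_ula(net: ipaddress.IPv6Network) -> bool:
    """True if the network sits inside fd00::/8 (the only ULA range in use today)."""
    return net.subnet_of(FD00_8)


def site_subnets(prefix: ipaddress.IPv6Network, count: int) -> List[ipaddress.IPv6Network]:
    """First `count` /64 subnets of the site /48 (subnet IDs 0 .. count-1)."""
    return list(itertools.islice(prefix.subnets(new_prefix=64), count))


if __name__ == "__main__":
    # Constructed inputs: a made-up MAC and a fixed NTP timestamp, so the
    # output is reproducible; a real run would use ntp_timestamp() and
    # the MAC of one of the site's own interfaces.
    mac = bytes.fromhex("001b21123456")
    eui = eui64_from_mac(mac)
    site = ula_prefix(eui, ntp_time=0xE1A5C4F180000000)
    print("site /48:", site, "ULA:", is_locally_assigned_ula(site))
    for net in site_subnets(site, 4):
        print("  /64:", net)
```

Two prefixes from this procedure collide only if the same 40-bit Global
ID comes out of SHA-1 for both sites, which is why the RFC treats the
result as unique enough to route between sites over a VPN without any
renumbering; a hand-picked fd00::/48 gives no such guarantee.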
