Ben, thanks for the thoughtful response.

Yes, we really are trying to build a *private* network with connection points in various countries in North America and Europe. That said, this is a project which will have a limited lifetime, and even if it goes live, the sponsor would not want the average 6Bone user to be able to play with their machines. (We also intend to use ISDN, and maybe SATCOM, to interconnect the labs. 6Bone is mostly to prove to doubting Thomases that it can be done.)

The labs we are trying to connect all have (will have) their own global IPv6 addresses with their own connection to the 6Bone. So what I envision is starting testing with each country using their own addresses on a limited number of machines in order to verify basic application functionality. Then, we'd subdivide the global address block we get, use something like GRE to set up tunnels between the various sites, and then move the machines behind the tunnelling routers. This would be an unencrypted VPN to allow testing the apps in this configuration, and to allow debugging while the traffic in the tunnels is not encrypted (yet). Part of the reason for the tunnel is to hide the 6Bone routers, and thus give the appearance of end-to-end management of the private network, and to allow testing the management apps at this stage. Of course when using ISDN or SATCOM we would have true end-to-end management of all the routers. (End-to-end management is another of the things to be demo'd.)

[ BTW, does anyone know whether there is an implementation of GRE (or some other tunnelling protocol) which allows IPv6 as both the delivery and the payload protocol? As of March 2000 RFC-2784 says not. :-( If not, the tunnels may just be through the IPv4 Internet ... but since I believe much of the 6Bone is interconnected this way, what's the diff ... other than there is one less level of encapsulation. :-) ]

The last step would be to use IPSec6 tunnels, either through the GRE tunnels, or more likely directly through the 6Bone, to secure the traffic.

Re: DNS, since we have a private network, we'd have a private DNS. The current idea is to subnet the addresses such that each nation gets a portion, and that they are aggregatable ... e.g. Canada and US would be contiguous, allowing that traffic to be routed over a single pipe from Europe, and then "split" and routed accordingly once it reaches this side of the pond. Each nation would be the SOA for addresses in their subnet, with a root DNS server on each side of the Atlantic.

See any show stoppers here?

Don

> From [EMAIL PROTECTED] Sat Nov 17 19:29:13 2001
>
> > As part of a multinational project we are planning a network. The plan
> > is to construct a private network, connected via methods including tunnelling
> > through the 6Bone.
> >
> > I envisioned using a site local network, but consensus seems to be to allocate
> > some real addresses, and then make them unroutable from the 6Bone. Is there
> > any benefit to doing it this way rather than just sharing out a site-local
> > address and treating it as a multi-campus site?
>
> Here are some things that I can think of, off the top of my head.
>
> You would remove the ability for components of your network to use their
> own site local addressing - they have to get networks allocated by your
> global "site-local" address registry. One of the advantages of site-local
> addressing seems to be that site administrators do not have to do much to
> get hold of site-local address space. If you are planning a multinational
> network, I assume that you will have to have a large central registry of
> site-local prefixes - this registry would be equally capable of allocating
> global prefixes.
>
> You say that you want the network to be private - will this be forever? Is
> it utterly inconceivable that your network would ever want to interconnect
> with the rest of the internet? If this happens, you have to go through and
> configure all your devices with globally routable addresses (although you
> should be able to map very easily between site local and a /48 global
> allocation).
>
> As you would have no upstream provider, I'm not sure where you would get
> globally routable space from? Perhaps someone else on the list can
> comment on this.
>
> For anyone who wants to connect hosts/routers to your network as well as
> to the main IPv6 Internet (as you talk about tunneling through the 6bone,
> I that there will be a lot of people with such connectivity):
> use of site local scope in software at the moment seems less developed -
> if someone has a device connected to your site and to another site through
> which they are connected to the 6bone, it is awkward/impossible at the
> moment to specify which site is meant. Using global address space removes
> the problem. In the future, this will probably be tidied up.
>
> DNS: If you are using DNS, you would have to put site-local addresses in
> DNS. I don't think this works well for multi-site machines - all the DNS
> returns is an address, without any indication of site.
>
> You cannot allocate more than 65536 networks, and that is assuming that
> you can allocate them all and don't use a hierarchical allocation system.
> With global, you can get more prefixes, and could, if need be, get a
> shorter prefix than /48.
>
> My gut feeling is that global address space is more appropriate for this.
>
> --
> Ben Clifford [EMAIL PROTECTED] http://www.hawaga.org.uk/ben/
> Currently seeking employment in Los Angeles: http://www.hawaga.org.uk/resume/
> IPv6 only webserver at: http://edge.ipv6.hawaga.org.uk:81/ben/
>
> ---------------------------------------------------------------------
> The IPv6 Users Mailing List
> Unsubscribe by sending "unsubscribe users" to [EMAIL PROTECTED]
>
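Added example (not part of this thread, and not anything Don or Ben wrote) that works through the two addressing points above: carving one /48 into aggregatable per-continent and per-nation blocks as Don sketches, and the site-local/global mapping Ben says should be easy because a /48 leaves the same 16-bit subnet ID in both. The 2001:db8:1234::/48 prefix and the nation list are constructed, not the project's real allocation.

```python
import ipaddress

# Constructed sample prefixes; the thread names no real allocation.
GLOBAL_48 = ipaddress.IPv6Network("2001:db8:1234::/48")
SITE_LOCAL_48 = ipaddress.IPv6Network("fec0::/48")
LOW_80_BITS = (1 << 80) - 1  # 16-bit subnet ID + 64-bit interface ID


def carve(block, names, new_prefix):
    """Hand out equal-sized sub-blocks of `block` to `names`, in order.

    Carving neighbours consecutively keeps them contiguous, so one shorter
    prefix covers e.g. Canada+US for the single transatlantic pipe.
    """
    subnets = block.subnets(new_prefix=new_prefix)
    return {name: next(subnets) for name in names}


def allocate(site48):
    """Continent /49s first, then nation /50s inside each continent block."""
    continents = carve(site48, ["north_america", "europe"], 49)
    nations = {}
    nations.update(carve(continents["north_america"], ["canada", "usa"], 50))
    nations.update(carve(continents["europe"], ["uk", "germany"], 50))
    return continents, nations


def summarise(*nets):
    """Single prefix covering all given blocks, or None if they don't aggregate."""
    collapsed = list(ipaddress.collapse_addresses(nets))
    return collapsed[0] if len(collapsed) == 1 else None


def subnet_count(prefix_len):
    """Number of /64 subnets in a prefix (Ben's 65536 ceiling for a /48)."""
    return 1 << (64 - prefix_len)


def site_local_to_global(addr, global48=GLOBAL_48):
    """Swap fec0::/48 for the global /48, keeping subnet ID and interface ID."""
    low = int(ipaddress.IPv6Address(addr)) & LOW_80_BITS
    return ipaddress.IPv6Address(int(global48.network_address) | low)


def global_to_site_local(addr, site48=SITE_LOCAL_48):
    """Inverse mapping, for hosts that must stay reachable on the private side."""
    low = int(ipaddress.IPv6Address(addr)) & LOW_80_BITS
    return ipaddress.IPv6Address(int(site48.network_address) | low)
```

The mapping is pure address arithmetic: it makes a later renumbering cheap, but it does nothing for the multi-site ambiguity Ben raises for hosts attached to both this network and the 6Bone.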
