Multihoming IPv6

I am lucky, I have an IPv6 PI block and announcements via multiple transit providers, but most people don't have that and rely on somewhat more flaky DSL lines and the like.

If you have two providers for IPv6 you end up with two separate PA public IPv6 blocks, which is exactly what one of our customers ended up with. A /60 from us and a /60 from someone else. Well, technically, from A&A he had a /48, but was only using /60.

He wanted some higher availability networking, so went for "prefix mapping" RFC6296. Now, this does seem a lot like IPv6 NAT, I agree, but not really and almost none of the usual NAT issues.

Basically he maps the low bits of the /60 from each provider incoming (68 bits of host) on to a local FD01::/60 block for machines on his LAN. He can have DNS for each device/IP on the LAN pointing to both the external IP blocks. No change of source IP, nor ports, just mapping the IPv6 space.

For outgoing he can map to a preferred link, or even randomly or randomly with a bias, mapping the host part of the FD01::/60 to each of the external public IPv6 blocks, and can even make that mapping apply depending on whether the PPP link in question is up or down!

So for outgoing, one link down, just works. For incoming, one link down means things trying both IPs from DNS, which is quite common these days in many protocols.

How has he done that? Well, he asked on irc if FireBrick do it, and the answer was no! We had something similar for IPv4 only on the older FB105 model but not on current FireBricks.

I ended up making him wait a whole 48 hours before I did an new alpha release that does this. The reason was I was waiting to issue a stable release with all the recent ACME code first. No last minute changes for a new feature like this - a stable release needs to be, err, stable.
But, it was a good idea, a good feature, restored some of the old FB105 features for block mapped addresses, and so I have issued it as an alpha now. My only thought now is if I should have some way to do random IP mapping one day... Hmmm...

Obvious the solution is more complex than the IPv4 only old FB105 FireBricks, as we not only allow IPv6 prefix mapping of any size, but also IPv4 prefix and range mapping, and IPv4 to IPv6 as well as IPv6 to IPv4 mapping. You can use this to make a NAT64 mapping engine putting all of IPv4 space in an IPv6 /96 if you want. Very flexible.

Have fun if you try the latest alpha, and obviously in a few weeks it will be in a general release.


  1. Not sure if comments system working on your blog. Not seen any comments for quite some time.

  2. Really sorry for being thick, how can his system not have to rewrite source addresses in internet-bound packets? And doesn't it still suffer from the NAT protocol problem where if you mention your own address, as you believe it is, inside the user data in some protocol then you are telling the remote machine something useless? I do so apologise if I have missed the whole point.

    And good for you - outstanding and generous support for your man!

  3. Would you consider providing an NTP server in the Brick?

    1. Superb. Thanks. Is there some high quality free C source around that could be used to save you a ton of work?

  4. Also I was wondering how one gets PI space? I assume a mere mortal has no chance. I just ask out of intellectual curiosity. (I get IPv4 and v6 space from AA.)

    1. I'd say it's practically impossible to apply and get PI for IPv4 now - it's why any company who does have it has some extra value. You can't officially sell your IPv4 PI space but if another company were to purchase you then...

    2. IPv4 PI space is pay £lol on the secondary market to someone with PI space they don't want any more.

      For IPv6 PI, it's find an ISP (A&A will do this) who'll do the paperwork with you. Expect to pay for this - RIPE charges the ISP €50 per year per PI block, plus you'll pay the ISP an admin fee for handling the application, and an admin cost for sorting out the billing. £60 plus VAT per year is reasonable after your first year.

    3. Does RIPE have some eligibility criteria apart from the usual requirement that you will indeed be _using_ the address space, or will be expecting to grow to a certain size with 3 years (or whatever it is)? Do you have to be a major and dominant vastcorp or can mere very small businesses ask?

    4. I am not sure of latest rule off top of my head but was a multihoming requirement. Not a size one.


Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Tweaking the CCTV

Having run the CCTV for a while (and not trying to cover the legal issues today), I have been having some fun tweaking. I am really liking t...