= Message: 6728 of 7402 ========================================= IPV6 =
From   : Victor Sudakov       2:5005/49          04 Aug 21 21:49:42
To     : Alexey Vissarionov                      04 Aug 21 21:49:42
Subject: Two ISPs and backup for a home network (dual-homing)
FGHI   : area://IPV6?msgid=2:5005/49+610aadfa
Reply  : area://IPV6?msgid=2:5020/545+60e1ce69
= Message encoding detected as: CP866 =================================
=======================================================================

Dear Alexey,
04 Jul 21 17:27, you wrote to me:
VS>>>>>> I know that my home router can advertise multiple global IPv6 prefixes into the LAN, but how will LAN hosts failover to the backup gateway if the primary ISP fails? They will have IPv6 addresses from both blocks, which should they choose for their outgoing src address?
AV>>>>> This is the preferred mode of operation
AV>>>>> 1. All hosts in the LAN must be able to do the switching|balancing on their own
AV>>>>> 2. This may require some manual configuration on every one of them.
VS>>>> This is not feasible because most of those LAN hosts are smartphones, smart TVs, vacuum cleaners, cameras and other IoT devices.
AV>>> Most of these devices have Linux kernel, but crippled userspace.
AV> In general, IoT devices should reside in a separate VLAN without any access to outer world.
Most of the value of IoT devices depends on their access to the outer world. By denying them access, you lose this value.
AV> Whether you need to access any of them from outside, you have SSH running on the gateway for that.
Who in their right mind would access their smart vacuum cleaner, thermostat or security camera by SSH? I want the vacuum cleaner to notify me on the mobile app when it's finished or stuck.
I can agree that ingress access to the IoT device network is usually unnecessary; egress access is enough for them.
VS>>>>>> With two IPv4 ISPs and NAT, the setup is rather trivial, outgoing connections will work via either of the ISPs because the hosts needn't be aware of the failure, and their src private IP is always the same. Can anyone enlighten me?
AV>>>>> This is second option, but you'd lose the main advantage of IPv6: the use of publicly routed addresses.
VS>>>> Indeed. I don't like the idea of using NAT in IPv6 even if I could. So what's the solution?
AV>>> For dumb devices, especially portable, I'd suggest using NPT.
VS>> How well does NPT (being stateless) work with FTP, SIP and other protocols which embed addresses into payload?
AV> FTP is dead.
It is not. You just don't know.
AV> SIP clients normally use only LAN (everything else should be performed by a gateway).
Tell that to sipnet.ru and many other VoIP providers. I've seen even semi-private VoIP networks (for admins) working over the Internet.
AV> Well, I can imagine a SIP client connecting to the corporate SIP PBX. To work properly in a multi-link environment, it has to establish _two_ connections for the SIP control channels.
Maybe so, if a SIP client itself is multihomed. In this case, it may survive the disconnection of one of the uplinks; is that what you mean?
AV>>> Fully functional computers may be connected to some other VLANs (two at once in your case) and configured to use real addresses.
VS>> Speaking of those fully functional computers in the LAN, do you mean the setup when there is a script pinging some outside hosts/interfaces and modifying the IPv6 routing table, or something more advanced and interesting?
AV> Trivial per-interface VRF.
And how do applications (e.g. a Web browser) decide which VRF to use for outgoing connections, if one of the VRFs has no connection to the Internet, as in the original question? The application must know that this VRF is currently "disconnected" and act accordingly; how do you handle that?
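The question quoted at the top of this message (which of two prefixes a LAN host picks as its source address, and what happens when one ISP is down) comes down to the host's source address selection. The following is an added example, not code from this thread or from either participant: a small Python model of two rules of RFC 6724, Rule 3 (avoid deprecated addresses) and Rule 8 (prefer the longest matching prefix), with the other rules omitted. The ISP prefixes, the host addresses and the destination are constructed documentation addresses (2001:db8::/32). It shows that the host keeps choosing the failed ISP's address until the router withdraws that prefix by advertising it with a preferred lifetime of 0 (RFC 4861), which is what makes the address deprecated and lets Rule 3 steer new connections to the other ISP.

```python
"""Simplified IPv6 source address selection for a host with two ISP prefixes.

Added example (not from the echomail thread). Models RFC 6724 Rule 3 (avoid
deprecated addresses) and Rule 8 (longest matching prefix) only; the remaining
rules of RFC 6724 are deliberately left out. All addresses are constructed.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Candidate:
    """One address the host has configured from a Router Advertisement."""
    address: ipaddress.IPv6Address
    prefix: ipaddress.IPv6Network   # RA prefix the address was formed from
    deprecated: bool = False        # True once the preferred lifetime has expired


def common_prefix_len(a, b) -> int:
    """Number of leading bits shared by two IPv6 addresses (0..128)."""
    x = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - x.bit_length()


def select_source(candidates, destination) -> Candidate:
    """Return the candidate RFC 6724 Rules 3 and 8 would pick for `destination`."""
    dst = ipaddress.IPv6Address(destination)

    def rank(c: Candidate):
        # Rule 3: non-deprecated first (False sorts before True).
        # Rule 8: among equals, the longest common prefix with the destination.
        return (c.deprecated, -common_prefix_len(c.address, dst))

    return min(candidates, key=rank)


def apply_ra(candidates, prefix, preferred_lifetime: int):
    """Update the candidate list after a Router Advertisement for `prefix`.

    Per RFC 4861 a preferred lifetime of 0 deprecates the addresses formed from
    that prefix; a non-zero lifetime makes them preferred again.
    """
    net = ipaddress.IPv6Network(prefix)
    return [
        replace(c, deprecated=(preferred_lifetime == 0)) if c.prefix == net else c
        for c in candidates
    ]


# Constructed dual-homed host: one address from each ISP's delegated prefix.
ISP_A = ipaddress.IPv6Network("2001:db8:a::/48")
ISP_B = ipaddress.IPv6Network("2001:db8:b::/48")
HOST = [
    Candidate(ipaddress.IPv6Address("2001:db8:a:1::10"), ISP_A),
    Candidate(ipaddress.IPv6Address("2001:db8:b:1::10"), ISP_B),
]


def failover_demo(destination: str = "2001:db8:a:ffff::1"):
    """Source chosen before and after the router deprecates ISP A's prefix.

    The destination shares 48 bits with the ISP A address and 47 with ISP B,
    so Rule 8 alone keeps picking ISP A even if ISP A's uplink is dead.
    """
    before = select_source(HOST, destination)
    # The router notices ISP A is down and re-advertises 2001:db8:a::/48
    # with preferred lifetime 0; the host's ISP A address becomes deprecated.
    after = select_source(apply_ra(HOST, ISP_A, 0), destination)
    return str(before.address), str(after.address)


if __name__ == "__main__":
    print(failover_demo())
```

Run as is, it reports the ISP A address before the failure and the ISP B address after the prefix is deprecated. The practical consequence for the dual-homing setup in this thread is that the decision is made per host by the address selection policy, so the router's only lever over "dumb" clients is the lifetime it advertises for each prefix; existing connections bound to the deprecated address are not moved, only new ones.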