Re: [Xen-users] Xen with 'Routing' scripts

[Roland Paterson-Jones <roland@xxxxxxxxxxxx>]

Nils, thanks for the great response.

Some more details: we have a network of dom-0's that will host a number 
of dom-U's.
We need dynamic addressing, so proxy-arp sounds the simplest for us 
(simpler than full-on routing, that is).
Bridging is not so nice cos it exposes ethernet to the (untrusted) dom-U's.

We can't use NAT cos we want the dom-U's to be externally addressable.

Something I'm still unclear on - we don't want to reserve dom-U 
addresses for each dom-0 (it'll be wasteful), so we want dom-U to use 
DHCP. But then we've got to do DHCP relaying in dom-0, I think, and 
capture the dom-U IP address, unless there's a better way.
Another thing that's confusing me is that I expect there should be a 
left-hand (dom-0) and right-hand (dom-U) address for each of the vif's 
in routing mode, but I see only the one address in the scripts.
I hope this makes sense - as you might have noticed I'm approaching this 
from first principles. I'm sure I'll get there in the end :(
Regards
Roland


Nils Toedtmann wrote:

> Am Freitag, den 15.04.2005, 09:20 +0200 schrieb Roland Paterson-Jones: 
>  
>
> > Hi
> >
> > I had a brief look at the routing scripts in /etc/xen/scripts. 
> > Essentially the main script turns on ip forwarding in dom-0, and the 
> > dom-U vif script seems to configure a 169.254.1.0 address for each vif 
> > (auto-configure address, I think), then enable proxy ARP on the vif.
> > Some questions: How do remote machines pick up routing information for 
> > the dom-U's? Do I have to run a routing protocol in dom-0 (maybe with 
> > zebra) so that remote machines can 'see' the dom-U's?
> >    
> Depends on network configuration: If you use bridging or proxy-arp or
> NAT that's not necessary. If not, routes can be configured statically
> into remote machines or dynamically via routing protocals like RIP or
> OSPF. 
>
> This is not a Xen-specific question, look around for networking howtos.
>
>
>  
>
> > Could someone maybe explain the details of the ifconfig <vif> 
> > 169.254.1.0 ... 
> >    
> > From RFC 3330 <http://www.faqs.org/rfcs/rfc3330.html>:
>  169.254.0.0/16 - This is the "link local" block.  It is allocated for 
>  communication between hosts on a single link.  Hosts obtain these
>  addresses by auto-configuration, such as when a DHCP server may not
>  be found.
>
> You may use random IPs in this range as a poor backup alternative to 
> dhcp. MS Windows and many devices like printers use such IPs if they
> cannot find a dhcp server.
>
>
>  
>
> > and what the proxy ARP stuff does?
> >    
> It kinda "pseudo-bridging". For example if your domU and your dom0 shall
> use ips within the same IP prefix (say 192.168.1.0/24), and another
> physical host is acting as default gateway (lets say dom0=192.168.1.2,
> domU=192.168.1.3, gw=192.168.1.1), there are (at least) four
> alternatives:
>
> * DNAT all domU-services on dom0
>
>    iptables -t nat -A PREROUTING -j DNAT -d 192.168.1.2 \
>       --dport 80 --to-destination 192.168.1.3
>
> * hostroutes for domU 
>
>    gw#   ip route add 192.168.1.3/32 via 192.168.1.2
>    dom0# ip route add 192.168.1.3/32 dev vif1.0
>
> * bridging
>
> * proxy-arp: When gw tries to send an IP packet to domU it thinks domU
>  is link-local, so it tries to resolve 192.168.1.3 to a MAC address by
>  ARP-request. But that ARP-request can never reach domU (it's not
>  bridged). Now 
>
>    ip route add 192.168.1.3/32 dev vif1.0
>    sysctl -w net.ipv4.conf.eth0.proxy_arp=1
>
>  (or has it to be "net.ipv4.conf.vif1.0.proxy_arp"?) tells dom0 to
>  reply to that ARP-request with dom0's MAC-address on behalf of domU.
>
>  A better way to do proxyarp are static arp entries:
>  <http://www.tldp.org/HOWTO/Proxy-ARP-Subnet/index.html>
>
>
> So the xen-script 169.254.0.0/16 ips plus proxyarp on vif* is probably
> for automagical inter-domU-communication.
>
>
> /nils.
>
>
>  

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users