
Hi John, thanks for your response.

On 2013-06-12 14:56, John Mann wrote:
[...]
> I would control traffic by giving ppp0, ip6test, and lo interfaces IPv6 addresses, and not giving IPv6 addresses to the interfaces you do not want to send/receive IPv6 traffic.
> Alpha won't send IPv6 traffic out the other interfaces if it doesn't have a route pointing out there. Also, without IPv6 enabled, it won't receive IPv6 packets on those interfaces.

How can I prevent these other interfaces obtaining IPv6 addresses if these are being auto-configured via route advertisements etc.? Assuming that's achievable reliably, I agree this is probably the best way to ensure my primary FR: keeping my downstream IPv4 networks secure.

> You probably want to use DHCPv6 Prefix Delegation to communicate with Internode to find your allocated IPv6 prefix (so need to allow some IPv6 UDP in and out on ppp0).

I've not read up on DHCPv6 at all yet, so will need to do so before I can fully understand the ramifications of the above paragraph.

> How about DNS over IPv6? If you give a test host an IPv6 address, but DNS traffic over IPv6 times out, it could be seconds before the host retries over IPv4.

This is true; as I said though, I'm prepared to open up other access (such as DNS) to ip6test, and DNS would be one of the first candidates.

> I would recommend running radvd on Alpha, so that hosts on ip6test will learn that Alpha is their default router.

Right. The upcoming concern is going to be taking sufficient care when configuring IPv6 stuff on Alpha to prevent accidental interruption of the IPv4 traffic. I'll do some more research. I may be able to set up a test system (e.g. using 6to4 upstream of a "test Alpha") just to get the config right before deploying on the production box.

--
Regards,
Matthew Cengia
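
An added example, not part of the original message: one way to check the approach discussed above, that only ppp0, ip6test and lo carry IPv6, by auditing the per-interface settings under `/proc/sys/net/ipv6/conf`. It assumes Alpha runs Linux; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. ALLOWED is the thread's list of
# interfaces that are meant to carry IPv6; everything else should have it off.
ALLOWED="ppp0 ip6test lo"

# knob DIR NAME: print the value of one per-interface setting, "?" if unreadable.
knob() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "?"; fi
}

# audit_ipv6 [CONF_ROOT]
# Prints "<if> disable_ipv6=.. accept_ra=.. autoconf=.." for every entry outside
# ALLOWED that still has IPv6 enabled; returns 1 if any were found.
# "default" is audited too: it is the template that new interfaces inherit.
# "all" is skipped because it is a global switch rather than an interface.
audit_ipv6() {
    root="${1:-/proc/sys/net/ipv6/conf}"
    found=0
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        ifname="${dir##*/}"
        [ "$ifname" = "all" ] && continue
        case " $ALLOWED " in *" $ifname "*) continue ;; esac
        dis=$(knob "$dir" disable_ipv6)
        [ "$dis" = "1" ] && continue
        echo "$ifname disable_ipv6=$dis accept_ra=$(knob "$dir" accept_ra) autoconf=$(knob "$dir" autoconf)"
        found=1
    done
    return "$found"
}
```

Source the file on the router and run `audit_ipv6`; each reported interface can be closed off by setting `net.ipv6.conf.<interface>.disable_ipv6 = 1` in sysctl configuration, which also stops address auto-configuration from router advertisements on it.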