I was playing with IPv6 over the last few days (I started to use a tunnel from he.net, as my current ISP doesn't support native IPv6 and doesn't plan to support it any time soon) and wanted to add IPv6 to some of my CentOS Xen domUs running on a Hetzner box. This part was a little more difficult than for a standard network. Due to their internal network design, Hetzner only allows 'routed' Xen networks and not standard 'bridged' ones. What I used for IPv4 was just binding the public IPs on the dom0 and configuring all my iptables rules there to forward/SNAT/DNAT to the appropriate domU. But you know that NAT is gone with IPv6, so normally it's supposed to be easier, right? Well, yes and no, depending on your network layout. Even after having enabled IPv6 forwarding (net.ipv6.conf.all.forwarding=1), I was only able to ping the dom0 but not the guests behind it. Hmm, that reminds me of the proxy ARP that was used for IPv4 but doesn't exist anymore for IPv6 (gone too ...). ARP was (more or less, not technically correct, but read the RFCs if you have enough time) replaced by NDP, but I don't see such an option for IPv6. Well, a kernel feature called proxy_ndp (net.ipv6.conf.all.proxy_ndp=1) exists on newer kernels (for example the 2.6.32.x that is used on RHEL6, and so in CentOS 6) but not on CentOS 5.5 (using a 2.6.18.x kernel) ... Hmmm ...

On the other hand, I was searching for a 'workaround' probably given by libvirt, but the version included in RHEL5/CentOS5 doesn't know what to do with IPv6. Okay, so let's have a look at the Xen and kernel side at the same time. If the proxy_ndp kernel feature is not present on my CentOS 5.5 dom0, I can still 'advertise' my neighbors with the ip command: yes, it supports it: "ip -6 neighbor add proxy your:ipv6:long:address::1 dev eth0"

So we just need to create a modified vif-route script (in fact I decided to call it vif-route6) that will be used for IPv6 guests:


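```bash
#!/bin/bash
# /etc/xen/scripts/vif-route6
# Script for configuring a vif in routed mode for IPv6 only
# Based on existing vif-route script in /etc/xen/scripts and adapted for ipv6

dir=$(dirname "$0")
. "$dir/vif-common.sh"

# dom0 IPv4 address, obtained the same way as in the stock vif-route script
main_ip=$(dom0_ip)
# First global-scope IPv6 address configured on eth0
main_ip6=$(ip -6 addr show eth0|grep 'scope global'|sort|head -n 1|awk '{print $2}'|cut -f 1 -d '/')

case "$command" in
    online)
        # Host netmask as used by the stock vif-route script
        ifconfig ${vif} ${main_ip} netmask 255.255.255.255 up
        ip -6 addr add ${main_ip6} dev ${vif}
        ipcmd='add'
        cmdprefix=''
        ;;
    offline)
        do_without_error ifdown ${vif}
        ipcmd='del'
        cmdprefix='do_without_error'
        ;;
esac

if [ "${ip}" ] ; then
    # If we've been given a list of IP addresses, then add routes from dom0 to
    # the guest using those addresses.
    for addr in ${ip} ; do
        # Make dom0 answer neighbor solicitations for the guest address (proxy NDP)
        ${cmdprefix} ip -6 neighbor ${ipcmd} proxy ${addr} dev ${netdev:-eth0} 2>&1
        # Host route to the guest through its vif
        result=`${cmdprefix} ip -6 route ${ipcmd} ${addr} dev ${vif} src ${main_ip6} 2>&1`
    done
fi

log debug "Successful vif-route $command for $vif."
if [ "$command" = "online" ]
then
    success
fi
```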

OK, so now we just have to modify our Xen domU's config to add a vif that will use that specific script and give it the IPv6 address that we'll assign to that domU (from /etc/xen/your-domU-name):

```
vif = [ <snip of the first vif> , "mac=00:16:36:38:31:b8,vifname=test.ipv6,script=vif-route6,ip=2a01:4f8:100:4363::dead" ]
```

You can now start your domU and configure it normally for IPv6 (obviously using that 2a01:4f8:100:4363::dead IPv6 address and choosing the dom0 main IPv6 address as gateway).
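Once guests are up, the dom0 should hold exactly one proxy NDP entry and one host route per configured guest address, and no proxy entry for an address with no guest behind it. The following check is an added example, not part of the original post: the function name `audit_proxy_ndp`, its status labels and every sample address other than `::dead` are assumptions made here, and the sample `ip` output is constructed.

```sh
# Added example: audit dom0 proxy NDP entries and host routes for routed domUs.
# Live use: audit_proxy_ndp "$addrs" "$(ip -6 neigh show proxy)" "$(ip -6 route show)"
# Addresses must be written in the compressed lowercase form that ip prints.

# Constructed sample data (not captured from a real host).
EXPECTED_ADDRS="2a01:4f8:100:4363::dead 2a01:4f8:100:4363::beef"
SAMPLE_NEIGH="2a01:4f8:100:4363::dead dev eth0  proxy
2a01:4f8:100:4363::cafe dev eth0  proxy"
SAMPLE_ROUTES="2a01:4f8:100:4363::dead dev test.ipv6  metric 1024
2a01:4f8:100:4363::/64 dev eth0  proto kernel  metric 256
default via fe80::1 dev eth0  metric 1024"

# audit_proxy_ndp EXPECTED NEIGH ROUTES [UPLINK]
# Prints one "STATUS address" line per finding; returns 1 unless all are OK.
audit_proxy_ndp() {
    expected=$1 neigh=$2 routes=$3 uplink=${4:-eth0}
    rc=0
    # Addresses dom0 answers neighbor solicitations for on the uplink.
    proxied=$(printf '%s\n' "$neigh" |
        awk -v d="$uplink" '$2=="dev" && $3==d && $NF=="proxy" {print $1}')
    # Host routes (bare address or /128) pointing at a device other than the uplink.
    routed=$(printf '%s\n' "$routes" |
        awk -v d="$uplink" '$2=="dev" && $3!=d {sub(/\/128$/,"",$1); if ($1 !~ /\//) print $1}')
    for addr in $expected; do
        status=OK
        printf '%s\n' "$proxied" | grep -qxF "$addr" || status=MISSING_PROXY
        if ! printf '%s\n' "$routed" | grep -qxF "$addr"; then
            [ "$status" = OK ] && status=MISSING_ROUTE || status=MISSING_BOTH
        fi
        [ "$status" = OK ] || rc=1
        echo "$status $addr"
    done
    # Proxy entries for addresses no guest is configured with: dom0 would
    # still claim them on the uplink, e.g. after an unclean domU shutdown.
    for addr in $proxied; do
        case " $expected " in
            *" $addr "*) ;;
            *) rc=1; echo "STALE_PROXY $addr" ;;
        esac
    done
    return $rc
}
```

The expected address list is the set of `ip=` values from the domU config files; the non-zero exit status makes the function usable from a cron job or monitoring check.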

Hope it will help some people in the same situation (using a routed and not a bridged network layout for Xen).