I had an idea for designing a network setup in order to acquire high availability connections to my (small) network, but I seem to be running into a few problems trying to find out the particulars.

The Quest

I want to be able to have, in a location where dedicated circuits are at best infeasible but commodity connections of many different types and sizes are available, the ability to have a network that is considered to be “highly available” in the face of connection failures to the upstream network(s). I currently manage a few networks where there are two sets of IPv4 address space, and it is a bit of a PITA to continue doing it that way.

I think that I have found a possible way to work around that, and get something closer to a “normal” network (in terms of appearances, anyway). But I am having trouble with the particulars.

Requirements

For a first run, I would need:

• Two independent connections to commodity ISP services. Already done.
• A router capable of bonding two tunneled links together. Already done.
• A portable routed /28 network block. I cannot find any place that will sell a network block of this size to me, without also constraining it to their network. If they have a multiply-redundant network that I can host on, then I am happy. Otherwise, I can’t use it.
• A server running on the Internet, preferably in a data center (and even a VPS would be acceptable for a test run), which can “host” the network. I was hoping to do an initial test with Linode, but they said that they require 100% address utilization and only assign addresses individually; they won’t sell you a routed block, nor will they let you bring your own.

The idea would then be to have the system in a data center have the ability to tunnel to any endpoint that authenticates itself to the server. All such tunnels would be “bonded” together so that they can provide both aggregate bandwidth and durability. The router on my own network would be connected to each of the ISP connections, and initiate one tunnel connection to the data center system for each ISP connection. (Also note that the router will handle IPv6 routing directly to the Internet, without having to use this somewhat convoluted setup.)

Can it be done?

So far, it seems the two questions here are blocking my path to success here:

• Where can I buy a small (say, a /28) IPv4 network block that is portable?
• Where can I rent a VPS that will let me bring my own IP block?

Thanks for your help!

I'd like to have an SSH server running on an unprivileged port (say, 2222) such that I could have users be able to use the Bazaar DVCS; the idea would be whole set of repositories and the like would be owned by a single user (from the operating system’s point of view, that is) and then the SSH server that is running under the context of that single user account would be configured with users and passwords from some sort of a custom source.

The big things that would be required to make this work would be:

• The SSH server would be forced to run a custom shell program that would check the username and check the command line to ensure that the user is accessing a bzr repository/branch that the user has authorization to use.
• The SSH server would be able to ensure that some environment variable is set to indicate what username was successfully authenticated (otherwise none of this would work).

I would like to do it this way because it can be troublesome to keep permissions on repositories correct for a repository with shared access through the system’s SSH server; also, I would like to have the SSH server eventually be run as part of a more complete service (with a Web interface, etc.) such that the Web service would ultimately manage the users and workgroups associated with a series of Bazaar repositories (and even possibly branches). Since the overall service would run as a single user at the operating system level and use its own notion of user accounts (perhaps even things like using OpenID), it would be very useful to essentially integrate the SSH server into the service as a whole.

I've been looking for software to do this for a little while but seem to find only pages that talk about projects that never materialized, or are not capable of running on a Linux system.

Does anyone know of a tunnel setup dæmon that will run on Linux? It doesn't have to do a whole heck of a lot; doesn't even have to have a fancy UI. I can wrap a UI around it for the Web or a different type of interface.

The reason for this is that I am looking to create a setup where the client systems can roam around the Internet, but there is a problem: IPv6 is not universally available. I don't have a problem with that; I have tons and tons of IPv6 address space and can support the required number of clients via my Internet connection. However, what I need is for those client workstations to, when they boot up:

• If an IPv6 connection is present, use it and login/authenticate.
• If an IPv4 connection is present, but an IPv6 connection is not present, setup an IPv6-over-IPv4 tunnel using a particular IPv4 endpoint on the Internet. The IPv4 endpoint that we're talking about here is the server that I want the tunnel dæmon on.

IOW, if there is no IPv6 connection, the client will have to authenticate to the IPv4 tunnel server in order to be able to build a tunnel. Then an IPv6 network connection will be created and all will be well.

Of course, this is only a temporary measure, but as it so happens, it's needed now, before the majority of the Internet is actually providing IPv6 connections.