
Re: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 in wheezy as default?



On 09/05/2011 12:51, Arnd Hannemann wrote:
> Hi,
> 
> On 09.05.2011 11:34, Vincent Danjean wrote:
>> RFC 4941 is a problem if you want to use IPv6 and proxy NDP,
>> at least until the kernel allows to proxy a network instead of hosts.
>> This does not seem to be the case for now:
>> http://marc.info/?l=linux-kernel&m=130385156131530&w=2
> 
> But if anyone has enough knowledge to set up proxy NDP he should
> be able to disable the privacy extension on its client hosts, too.

It is not the problem of knowing how to do it. It is the problem of
doing it by default. And I do not have a strong opinion on the
problem. For info, I set up privacy extension on my laptop but
I use a (Hurricane) IPv6 tunnel instead of using the /64 given
by my ISP.

> Also, wouldn't using DHCPv6 solve this problem as well?

DHCPv6 is useful when you do not want to use auto-configuration.
It can be the case if you would like several networks with
auto-configuration in a /64: DHCPv6 seems the only way to go in
this case. If you want only one subnetwork with autoconfiguration
and you have only a /64, you should be able to create a correct
routing table on your firewall.

It does not solve the proxy NDP (here, the problem is for the
ISP gateway that makes a false assumption about the network layout,
not for the other host that can easily be instructed to have
a default route to the good host).

I just realized that, perhaps, you want to say that privacy
extension is disabled when you are using DHCPv6? I did not
test it, so I do not know if this is right or not.

> It's really good to know that there exists such a problem with Privacy Extension
> and Linux gateways, but IMO it shouldn't hinder the deployment
> of privacy extensions as default for wheezy.

Another problem is for firewalls that want to do strict
controls (i.e. also filtering outgoing connections). But here
again, there will be default rules for all clients. Or, if
special rules are required for a client, the client can be
reconfigured to avoid using Privacy Extension.

But I repeat, I just want to talk about these issues. I'm not
convinced myself they should block privacy extensions enabled
by default.

  Regards,
    Vincent

> Best regards
> Arnd
> 

PS: no need to CC me

-- 
Vincent Danjean                 Address: Laboratoire d'Informatique de Grenoble
Telephone:  +33 4 76 61 20 11            ENSIMAG - antenne de Montbonnot
Fax:        +33 4 76 61 20 99            ZIRST 51, avenue Jean Kuntzmann
Email: Vincent.Danjean@imag.fr           38330 Montbonnot Saint Martin
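
Added example, not part of the original message: for the strict egress firewall case discussed above, this sketch sorts source addresses from a log into those whose interface identifier is stable by construction (modified EUI-64 or hand-assigned), so a per-host rule can match them, and opaque ones (as RFC 4941 temporary addresses are) that can only be matched by their /64. The function names, the `0x10000` cut-off for "manual" identifiers and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def classify_iid(addr):
    """Classify the interface identifier (low 64 bits) of an IPv6 address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe":
        # Modified EUI-64 (SLAAC without privacy extensions): the MAC is split
        # around ff:fe and its universal/local bit (0x02) is inverted.
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        return "eui64", ":".join(f"{b:02x}" for b in mac)
    if int.from_bytes(iid, "big") < 0x10000:
        # Small identifiers such as ::1 or ::10 are typically assigned by hand
        # (assumed threshold, chosen for this example).
        return "manual", None
    # Anything else is opaque: an RFC 4941 temporary address looks like this,
    # but so can a DHCPv6 lease, so it only means "not stable by construction".
    return "opaque", None

def split_for_host_rules(sources):
    """Split source addresses into those a per-host rule can pin and the rest."""
    pinnable, prefix_only = {}, {}
    for addr in sources:
        kind, mac = classify_iid(addr)
        if kind == "opaque":
            # Only the /64 is stable, so group these under their prefix.
            net = ipaddress.IPv6Network((addr, 64), strict=False)
            prefix_only.setdefault(str(net), []).append(addr)
        else:
            pinnable[addr] = mac or kind
    return pinnable, prefix_only

# Constructed sample: source addresses as they might appear in an egress log.
SAMPLE = [
    "2001:db8:1:2:216:3eff:fe12:3456",   # EUI-64 from MAC 00:16:3e:12:34:56
    "2001:db8:1:2::10",                  # hand-assigned
    "2001:db8:1:2:5c3a:9144:7e20:b4d1",  # opaque identifier
    "2001:db8:1:2:91e0:4b07:22aa:c35f",  # opaque identifier
]

if __name__ == "__main__":
    pinnable, prefix_only = split_for_host_rules(SAMPLE)
    for addr, ident in pinnable.items():
        print(f"per-host rule possible: {addr} ({ident})")
    for prefix, addrs in prefix_only.items():
        print(f"prefix rule only: {prefix} covers {len(addrs)} opaque sources")
```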

