Re: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 in wheezy as default?
> On 09/05/2011 12:51, Arnd Hannemann wrote:
>> Hi,
>>
>> Am 09.05.2011 11:34, schrieb Vincent Danjean:
>>> RFC 4941 is a problem if you want to use IPv6 and proxy NDP,
>>> at least until the kernel allows proxying a network instead of hosts.
>>> This does not seem for now:
>>> http://marc.info/?l=linux-kernel&m=130385156131530&w=2
>>
>> But if anyone has enough knowledge to set up proxy NDP he should
>> be able to disable the privacy extension on its client hosts, too.
>
> It is not the problem of knowing how to do it. It is the problem of
> doing it by default. And I do not have strong opinion on the
> problem. For info, I set up privacy extension on my laptop but
> I use a (Hurricane) IPv6 tunnel instead of using the /64 given
> by my ISP.
>
>> Also, wouldn't using DHCPv6 solve this problem as well?
>
> DHCPv6 is useful when you do not want to use auto-configuration.
> It can be the case if you would like several networks with
> auto-configuration in a /64: DHCPv6 seems the only way to go in
> this case. If you want only one subnetwork with autoconfiguration
> and you have only a /64, you should be able to create a correct
> routing table on your firewall.
>
> It does not solve the proxy NDP (here, the problem is for the
> ISP gateway that makes false assumptions about the network layout,
> not for the other host that can easily be instructed to have
> a default route to the good host).
>
> I just realized that, perhaps, you want to say that privacy
> extension is disabled when you are using DHCPv6? I did not
> test it, so I do not know if this is right or not.

Yes, that's exactly what I wanted to say here: if the gateway
requires control over the address assignment one probably
should use DHCPv6 instead of relying on Stateless Autoconfiguration.

>> It's really good to know that there exists such a problem with Privacy Extension
>> and Linux gateways, but IMO it shouldn't hinder the deployment
>> of privacy extensions as default for wheezy.
>
> Another problem is for firewalls that want to do strict
> controls (i.e. also filtering out-going connections). But here
> again, there will be default rules for all clients. Or, if
> special rules are required for a client, the client can be
> reconfigured to avoid using Privacy Extension.

Yeah, or use DHCPv6 to have more control over address assignment.

Best regards
Arnd

> PS: no need to CC me
But please CC: me, I'm not (yet) on the list.