Re: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 in wheezy as default?



> On 09/05/2011 12:51, Arnd Hannemann wrote:
>> Hi,
>> 
>> Am 09.05.2011 11:34, schrieb Vincent Danjean:
>>> RFC 4941 is a problem if you want to use IPv6 and proxy NDP,
>>> at least until the kernel allows to proxy a network instead of hosts.
>>> This does not seem for now:
>>> http://marc.info/?l=linux-kernel&m=130385156131530&w=2
>> 
>> But if anyone has enough knowledge to set up proxy NDP he should
>> be able to disable the privacy extension on its client hosts, too.
> 
> It is not the problem of knowing how to do it. It is the problem of
> doing it by default. And I do not have strong opinion on the
> problem. For info, I set up privacy extension on my laptop but
> I use a (Hurricane) IPv6 tunnel instead of using the /64 given
> by my ISP.
> 
>> Also, wouldn't using DHCPv6 solve this problem as well?
> 
> DHCPv6 is useful when you do not want to use auto-configuration.
> It can be the case if you would like several networks with
> auto-configuration in a /64: DHCPv6 seems the only way to go in
> this case. If you want only one subnetwork with autoconfiguration
> and you have only a /64, you should be able to create a correct
> routing table on your firewall.
> 
> It does not solve the proxy NDP (here, the problem is for the
> ISP gateway that makes false assumption about the network layout,
> not for the other host that can easily be instructed to have
> a default route to the good host)
> 
> I just realized that, perhaps, you want to say that privacy
> extension is disabled when you are using DHCPv6 ? I did not
> test it, so I do not know if this is right or not.

Yes, that's exactly what I wanted to say here: if the gateway
requires control about the address assignment one probably
should use DHCPv6 instead of relying on Stateless Autoconfiguration.

>> It's really good to know that there exists such a problem with Privacy Extension
>> and Linux gateways, but IMO it shouldn't hinder the deployment
>> of privacy extensions as default for wheezy.
> 
> Another problem is for firewalls that want to do strict
> controls (ie also filtering out-going connections). But here
> again, there will be default rules for all clients. Or, if
> special rules are required for a client, the client can be
> reconfigured to avoid using Privacy Extension.

Yeah, or use DHCPv6 to have more control about address assignment.

Best regards
Arnd


> PS: no need to CC me

But please CC: me, I'm not (yet) on the list.

