
Re: Proposal: enable stateless persistant network interface names



On Thu, 14 May 2015 09:07:16 +1000, Russell Stuart
<russell-debian@stuart.id.au> wrote:
>On Wed, 2015-05-13 at 17:16 +0200, Vincent Lefevre wrote:
>> Well, having some of the network traffic (more precisely, connections
>> to machines that have an IPv6 address) re-routed to some unknown
>> machine on the local network is not a nice feature.
>> 
>> IMHO, such a feature should be enabled only by the network management
>> system, not by default at the kernel level.
>
>Now I've looked up what Marc is referring to in an earlier reply, SLAAC
>and DHCP look pretty similar to me.  Both have the "re-route your NIC to
>some unknown machine" feature.  I'm sure everybody here will be the
>victim of a rogue router sending NDP responses, just as everybody has
>already been the victim of a rogue DHCP server.

Good networks know which machines are allowed to send DHCP offers and
Router Advertisements and do not allow such packets to enter from
unauthorized network ports.

ARP and NDP spoofing is way more dangerous since all end systems need
to be able to legitimately send such packets, and maintaining a static
list between MAC and IP addresses is a significant burden and a
significant loss in flexibility.

Generally, you need to trust your LAN. If you don't, you need to
restrict access to your LAN (for example by locking your network ports
away, not patching unneeded ports, or using technical level network
access control such as 802.1X) so that you can trust it.

With this in mind, IPv6 is no less secure than IPv4 is. I have to
violently oppose any voice that suggests that enabling IPv6 is a
security risk. It isn't.

>The one difference between the two right now is dhclient make it easy
>for the client to watch for changes using scripts.  AFAICT, there is no
>off the shelf way of doing it for SLAAC.  It's easy enough to do - just
>have a daemon listen to kernel netlink messages and fire off a script.
>The right place to put that now would be in systemd, but if they are
>opposed to scripts as Marc says that ain't going to happen.  Sigh.

They are walking in this direction via systemd-networkd. In systemd
terminology, there will probably be a target or a regular unit that
will be subjected to some state change whenever the network
configuration changes. One will then be able to depend on that
target/unit with one's own units, and they will of course be able to
call scripts.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
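The "daemon that listens to kernel netlink messages and fires off a script" sketched in the quoted text above is small enough to show in full. The following is an added example, not code from this message or from Debian/systemd: it subscribes to the rtnetlink RTMGRP_IPV6_IFADDR multicast group, parses RTM_NEWADDR/RTM_DELADDR messages (nlmsghdr, ifaddrmsg and the IFA_ADDRESS attribute, with the 4-byte alignment rtnetlink uses) and runs a hook script for each IPv6 address that appears or disappears, which is exactly what happens when SLAAC installs or expires an address. The hook path /etc/network/slaac-hook is a hypothetical placeholder, and build_addr_message only exists to construct test datagrams offline; on a real system the kernel produces them.

```python
"""rtnetlink listener: react to IPv6 address changes (e.g. SLAAC) by
running a hook script. Added example; Linux only for the live socket part."""
import socket
import struct
import subprocess

# Constants from <linux/netlink.h>, <linux/rtnetlink.h>, <linux/if_addr.h>
NETLINK_ROUTE = 0
RTMGRP_IPV6_IFADDR = 0x100          # multicast group for IPv6 address events
RTM_NEWADDR = 20
RTM_DELADDR = 21
IFA_ADDRESS = 1
NLMSG_HDR = struct.Struct("=IHHII")  # nlmsghdr: len, type, flags, seq, pid
IFADDRMSG = struct.Struct("=BBBBI")  # ifaddrmsg: family, prefixlen, flags, scope, ifindex
RTATTR = struct.Struct("=HH")        # rtattr: len, type


def _align4(n):
    """rtnetlink pads every message and attribute to a 4-byte boundary."""
    return (n + 3) & ~3


def parse_rtattrs(buf):
    """Walk a run of rtattr TLVs and return {type: payload bytes}."""
    attrs = {}
    off = 0
    while off + RTATTR.size <= len(buf):
        rta_len, rta_type = RTATTR.unpack_from(buf, off)
        if rta_len < RTATTR.size or off + rta_len > len(buf):
            break  # malformed or truncated attribute: stop, never loop forever
        attrs[rta_type] = buf[off + RTATTR.size:off + rta_len]
        off += _align4(rta_len)
    return attrs


def parse_addr_events(data):
    """Parse one netlink datagram (possibly several messages) into a list of
    IPv6 address events: {event, ifindex, scope, address, prefixlen}."""
    events = []
    off = 0
    while off + NLMSG_HDR.size <= len(data):
        nl_len, nl_type, _flags, _seq, _pid = NLMSG_HDR.unpack_from(data, off)
        if nl_len < NLMSG_HDR.size or off + nl_len > len(data):
            break  # bad length: refuse to read past the datagram
        if nl_type in (RTM_NEWADDR, RTM_DELADDR):
            body = data[off + NLMSG_HDR.size:off + nl_len]
            family, prefixlen, _ifa_flags, scope, ifindex = IFADDRMSG.unpack_from(body, 0)
            raw = parse_rtattrs(body[IFADDRMSG.size:]).get(IFA_ADDRESS)
            if family == socket.AF_INET6 and raw is not None and len(raw) == 16:
                events.append({
                    "event": "new" if nl_type == RTM_NEWADDR else "del",
                    "ifindex": ifindex,
                    "scope": scope,  # 0 = global, 253 = link-local
                    "address": socket.inet_ntop(socket.AF_INET6, raw),
                    "prefixlen": prefixlen,
                })
        off += _align4(nl_len)
    return events


def build_addr_message(nl_type, ifindex, address, prefixlen, scope=0):
    """Construct a single RTM_NEWADDR/RTM_DELADDR datagram. Test data only:
    in production these bytes come from the kernel, not from us."""
    raw = socket.inet_pton(socket.AF_INET6, address)
    attr = RTATTR.pack(RTATTR.size + len(raw), IFA_ADDRESS) + raw
    body = IFADDRMSG.pack(socket.AF_INET6, prefixlen, 0, scope, ifindex) + attr
    return NLMSG_HDR.pack(NLMSG_HDR.size + len(body), nl_type, 0, 0, 0) + body


def watch(hook="/etc/network/slaac-hook"):
    """Subscribe to IPv6 address changes and run HOOK for each one.
    HOOK is a hypothetical path; it receives: new|del <ifindex> <addr/plen>."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE)
    sock.bind((0, RTMGRP_IPV6_IFADDR))  # pid 0: kernel assigns; second field = groups
    while True:
        for ev in parse_addr_events(sock.recv(65536)):
            subprocess.run([hook, ev["event"], str(ev["ifindex"]),
                            f'{ev["address"]}/{ev["prefixlen"]}'], check=False)


if __name__ == "__main__":
    watch()
```

Run as root (or with CAP_NET_ADMIN not even needed: receiving rtnetlink multicasts is unprivileged on most kernels) and the hook fires on every SLAAC, DHCPv6 or manual address change, including the deprecation of an address after a rogue RA expires. The parser treats malformed lengths as a reason to stop rather than to keep reading, since anything on the netlink socket is kernel-generated but a length bug in a parser like this is still a classic source of out-of-bounds reads.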

