Noted. So I guess the only way to properly secure the network is to have seperate physical media. Thanks ------Original Message------ From: Peter Bieringer To: nullv@xxxxxxx Cc: ds6@xxxxxxxxxxxxxxxxxxxx Cc: users@xxxxxxxxxxxxxxxxxxxxxxx Subject: Re: [ds6] Disabling link local IPv6 addresses Sent: Jan 10, 2012 10:08 PM Hi, Am 10.01.2012 11:00, schrieb nullv@xxxxxxx: > Hi, > > I've been using radvd to set up a group of clients using RA broadcasts. I also have a group of client PCs using static IPv6 in a different ::/64 subnet altogether but on the same physical network. The two networks have to remain separate for security reasons. > > The problem I'm having is that clients on the two separate networks can still "see" each other through the automatic link-local (fe80::) addresses. I've added the line IPv6_AUTOCONF=no to network& my ifcfg-* files but I can't seem to stop this behaviour. You mean you want to run 2 independend IPv6 network on the same physical link? > Any hints, tricks, hacks, gotchas? I suggest to use at least VLANs, because killing link-local address can kill neigbor and router detection. But neither removing link-local nor VLAN will really increase security, an unfriendly client can sniff on the network and configure itself a new static IPv6 address (and in case the VLAN ID also), as long as broad- or allhost-multicast are running on the link. Use local firewalling and permit only the link-local addresses of the participating clients can help you a little bit, but even link-local addresses can be faked (e.g. changing the MAC address on an interface). Regards, Peter -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
