Re: Netfilter (Linux) Does IPv6 NAT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



In message <4EDD894E.6030408@xxxxxxxxx>, Brian E Carpenter writes:
> On 2011-12-06 15:40, Martin Rex wrote:
> > Brian E Carpenter wrote:
> >> Martin Rex wrote:
> >>> Sabahattin Gucukoglu wrote:
> >>>> In case you didn't see this:
> >>>> http://www.h-online.com/open/news/item/Netfilter-developers-working-on-N
> AT-for-ip6tables-1385877.html
> >>>>
> >>>> It's a complete IPv6 NAT implementation with the functionality of
> >>>> the IPv4 one in the same stack.  ALGs.  Port translation.  Connection
> >>>> tracking.  You don't need me to tell you why I don't like this.
> >>>
> >>> I fail to understand the issue that you have with this.
> >>>
> >>> Doing home gateways and *NOT* using dynamic temporary IPv6 addresses for
> >>> outbound connections by default (i.e. *NO* static network prefix that
> >>> can be linked to a single ISP customer) 
> >>
> >> I think you're confused. Whatever IPv6 source address is in the outgoing
> >> packet from the CPE is bound 1:1 to the subscriber. You can't conceal
> >> the address of the subscriber, if you ever want to get any packets back.
> > 
> > The outgoing packet is bound 1:1 to the ISP of the subscriber, any only
> > the ISP knows to which of his customers he is routing the datagrams
> > during any specific point in time.  The DHCP lease should be 24h at most
> > and the ISP is bound by data protection laws to not make the mapping
> > publicly accessible except under very specific legal exceptions.
> 
> If you are paranoid about your IP address, that's fine. Personally, I prefer
> a stable address. If your IPv6 prefix changes every day, your home network
> will get renumbered every day. What does this have to do with NAT?
> 
> >> If you want to protect the privacy of individuals within the home (etc.)
> >> behind the CPE, you can use IPv6 privacy addresses. But the traffic will
> >> still be traceable back to the CPE, of course.
> > 
> > The so-called "IPv6 privacy addresses" are terminology fud.
> 
> No, there is no fear, uncertainty or doubt involved. If you don't want
> to be traceable by your MAC address, use privacy addresses. That will
> even conceal from parents which child is downloading music.

If parents want to know which child is doing what they can do that
even with privacy addresses.  Privacy addresses don't change the
mac, that just don't encode the mac in the IPv6 address.  If the
kids start playing mac games use 802.1x.

> >> I hope you aren't under the illusion that NAT44 in CPE provides any
> >> privacy.
> > 
> > For my ISP (and it seems to be the norm for german home customers),
> > that is not an illusion, but rather a feature.
> 
> You mean there is a privacy benefit in translating some address such
> as 10.1.1.2 into a routeable IPv4 address that can, as you say, be traced
> back to you even if it changes every day?
> 
> You'll have to explain that.
> 
>     Brian
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]