On 11/03/2010 06:52 PM, Jan Engelhardt wrote:
I take it you mean a setup where addresses are automatically assigned
(DHCPv6, PPP).
DHCPv6, PPP, RA, anything. Keep in mind that "expect prefix changes" is
a deliberate part of the IPv6 systems design.
Still I don't see the problem - any security-conscious person would use
a drop-by-default ruleset. So a change of prefix address would, if
anything, cause packets to get dropped in FORWARD. (What do we have the
"ip6table_filter.forward" module option for? Right. And why is it set to
ACCEPT by default? *headshakethere*)
>
In IPv4 this is generally masked by NAT, but in IPv6 it affects every
host.
Different scenario. Because packets from Internet are
only destined for your home gateway address, they would get locally
delivered in the normal case, and any forwarding is an opt-in
process on the admin's behalf.
>
If you used a FORWARD-DROP policy in IPv6, forwarding also becomes the
same opt-in process. So it's not like NAT would be any magic.
On Wednesday 2010-11-03 23:36, H. Peter Anvin wrote:
Sorry this is nonsense. There is a huge difference -- with IPv6, the
local prefix affect the addresses *on your internal network*, whereas
with IPv4/NAT, they do not. In theory, IPv4 with dynamically assigned
publically routable blocks would have the same problem, but in practice
those simply do not exist.
Consider for example the case where I get from my ISP the netblock
2001:0db8:ac10::/48. I subnet this internally with subnet numbers
prefixed by /52 security domains, i.e 2001:0db8:ac10:0000::/52,
2001:0db8:ac10:1000::/52 and so forth. Accordingly, my ip6tables would
contain rules as to what kind of traffic can flow between these prefixes.
Now, the upstream (ISP-assigned) prefix changes to 2001:6b2f:1705::/48.
RA will handle reassigning addresses to actual downstream hosts, but
things that explicitly encode IPv6 addresses need to be changed, and
that includes ip6tables, in this case these rules now need to refer to
2001:6b2f:1705:0000::/52, 2001:62bf:1705:1000::/52 and so on.
Different scenario. Because packets from Internet are
only destined for your home gateway address, they would get locally
delivered in the normal case, and any forwarding is an opt-in
process on the admin's behalf.
If you used a FORWARD-DROP policy in IPv6, forwarding also becomes the
same opt-in process. So it's not like NAT would be any magic.
You're assuming (a) that I'm talking about a home gateway here (which
may be, but is far from certain -- the dynamic prefixes are a design
feature of the entire IPv6 Internet, and any entity that is not large
enough to have direct access to BGP6 is required to handle arbitrary
prefix changes), and (b) that I'm only concerned about entry/egress
control, but this also affects internal control.
-hpa
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
