On 11/03/2010 10:12 PM, H. Peter Anvin wrote:
On 11/03/2010 06:52 PM, Jan Engelhardt wrote:
I take it you mean a setup where addresses are automatically assigned
(DHCPv6, PPP).
DHCPv6, PPP, RA, anything. Keep in mind that "expect prefix changes"
is a deliberate part of the IPv6 systems design.
Still I don't see the problem - any security-conscious person would use
a drop-by-default ruleset. So a change of prefix address would, if
anything, cause packets to get dropped in FORWARD. (What do we have the
"ip6table_filter.forward" module option for? Right. And why is it set to
ACCEPT by default? *headshakethere*)
>
In IPv4 this is generally masked by NAT, but in IPv6 it affects every
host.
Different scenario. Because packets from Internet are
only destined for your home gateway address, they would get locally
delivered in the normal case, and any forwarding is an opt-in
process on the admin's behalf.
>
If you used a FORWARD-DROP policy in IPv6, forwarding also becomes the
same opt-in process. So it's not like NAT would be any magic.
On Wednesday 2010-11-03 23:36, H. Peter Anvin wrote:
Sorry this is nonsense. There is a huge difference -- with IPv6, the
local prefix affect the addresses *on your internal network*, whereas
with IPv4/NAT, they do not. In theory, IPv4 with dynamically assigned
publically routable blocks would have the same problem, but in
practice those simply do not exist.
Consider for example the case where I get from my ISP the netblock
2001:0db8:ac10::/48. I subnet this internally with subnet numbers
prefixed by /52 security domains, i.e 2001:0db8:ac10:0000::/52,
2001:0db8:ac10:1000::/52 and so forth. Accordingly, my ip6tables
would contain rules as to what kind of traffic can flow between these
prefixes.
Now, the upstream (ISP-assigned) prefix changes to
2001:6b2f:1705::/48. RA will handle reassigning addresses to actual
downstream hosts, but things that explicitly encode IPv6 addresses
need to be changed, and that includes ip6tables, in this case these
rules now need to refer to 2001:6b2f:1705:0000::/52,
2001:62bf:1705:1000::/52 and so on.
Won't this break existing tcp connections if all of a sudden you get a
new address?
Different scenario. Because packets from Internet are
only destined for your home gateway address, they would get locally
delivered in the normal case, and any forwarding is an opt-in
process on the admin's behalf.
If you used a FORWARD-DROP policy in IPv6, forwarding also becomes the
same opt-in process. So it's not like NAT would be any magic.
You're assuming (a) that I'm talking about a home gateway here (which
may be, but is far from certain -- the dynamic prefixes are a design
feature of the entire IPv6 Internet, and any entity that is not large
enough to have direct access to BGP6 is required to handle arbitrary
prefix changes), and (b) that I'm only concerned about entry/egress
control, but this also affects internal control.
-hpa
--
To unsubscribe from this list: send the line "unsubscribe
netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
