Re: [RFC PATCH 00/18] netfilter: IPv6 NAT

On 2011-11-29 23:21, Jan Engelhardt wrote:

> On Tuesday 2011-11-29 22:38, Krzysztof Olędzki wrote:
>
>> Same network prefix, some cookies, or a login form. Blam, identified,
>> or at least (Almost-)Uniquely Identified Visitor tagging.
>>
>> But without NAT you have a pretty big chance to have the same IPv6 *suffix*
>> everywhere, based on your MAC address.
>
> Everywhere? No, one small village of indomitable Gauls.^^^^^^^^W
>
> $ ip a
> 2: eth0:<BROADCAST,MULTICAST,UP,LOWER_UP>  mtu 1500 qdisc mq state UP qlen 1000
>      link/ether 00:0d:93:9e:08:78 brd ff:ff:ff:ff:ff:ff
>      inet6 2001:638:600:8810:d070:3a36:464e:b3db/64 scope global temporary dynamic
>         valid_lft 583732sec preferred_lft 64732sec
>      inet6 2001:638:600:8810:d9f5:18f5:4fc1:9a20/64 scope global temporary deprecated dynamic
>         valid_lft 497938sec preferred_lft 0sec
>      [...]
>
> Same suffix? Certainly not with contemporary configurations (and
> Linux did this quite on its own there). In fact, now that there is
> almost v6-NAT in the kernel, I fear that users who are blinded by NAT
> now make the problem worse by actually feeding perfectly good Privacy
> Extension Addresses into a n:1-configured SNAT/MASQUERADE target
> instead of a NETMAP.

What if:

1. You or your users don't have a modern OS on your device, so there is no DHCPv6 or RFC 3041/4941 support?

2. It is not enabled by default and you are not aware of this?

3. You need to have static addresses in your network for access control?

Best regards,

			Krzysztof Olędzki
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
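The disagreement above turns on whether the interface-identifier half of a host's IPv6 address stays the same on every network. As an added example (not code from the thread or from netfilter), the following Python check reads a constructed `ip a` excerpt, modelled on the one Jan pasted, and flags addresses whose identifier is a modified EUI-64 built from the interface MAC (the stable-everywhere case Krzysztof's points 1 and 2 describe) versus RFC 4941 temporary addresses; the addresses and MAC in the sample are made up.

```python
import ipaddress

# Constructed `ip a` excerpt (2001:db8::/32 documentation prefix, made-up MAC).
# The second global address is what a host without Privacy Extensions gets:
# a modified EUI-64 identifier derived from link/ether 00:0d:93:9e:08:78.
SAMPLE_IP_A = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:0d:93:9e:08:78 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:600:8810:d070:3a36:464e:b3db/64 scope global temporary dynamic
       valid_lft 583732sec preferred_lft 64732sec
    inet6 2001:db8:600:8810:20d:93ff:fe9e:878/64 scope global dynamic
       valid_lft 2591990sec preferred_lft 604790sec
    inet6 fe80::20d:93ff:fe9e:878/64 scope link
"""


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 identifier, or None.

    RFC 4291: the 48-bit MAC is split in two, ff:fe is inserted in the
    middle, and the universal/local bit (bit 1 of the first octet) is flipped.
    """
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in raw)


def audit_ip_a(text):
    """Classify every inet6 address in `ip a` output.

    Returns a list of (address, kind, mac): kind is "temporary" (RFC 4941),
    "eui64" (identifier carries this interface's MAC) or "other".
    """
    link_mac, results = None, []
    for line in text.splitlines():
        words = line.split()
        if words and words[0] == "link/ether":
            link_mac = words[1].lower()
        elif words and words[0] == "inet6":
            addr = ipaddress.IPv6Address(words[1].split("/")[0])
            mac = eui64_mac(addr)
            if "temporary" in words[2:]:
                kind = "temporary"
            elif mac is not None and mac == link_mac:
                kind = "eui64"
            else:
                kind = "other"
            results.append((str(addr), kind, mac if kind == "eui64" else None))
    return results


if __name__ == "__main__":
    for address, kind, mac in audit_ip_a(SAMPLE_IP_A):
        print(f"{address:40} {kind:10} {mac or ''}")
```

Run against real `ip a` output, an "eui64" row on a global address means the host is advertising its MAC to every peer regardless of whether a NAT sits in front of it.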


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux