Re: [RFC PATCH 00/18] netfilter: IPv6 NAT

On 2011-11-30 11:07, Jan Engelhardt wrote:

On Wednesday 2011-11-30 01:21, Krzysztof Olędzki wrote:

However with NAT you could get some kind of anonymity.

But without NAT you have a pretty big chance to have the same IPv6
*suffix* everywhere, based on your MAC address.

Same suffix? Certainly not with [PrivExt...]

What if:

1. You or your users don't have a modern OS on your device so there is no
DHCPv6 or RFC 3041/4941 support?

Dedicated separate program (that's what you would probably do on
Windows XP which lacks DHCPv6, PrivExt and also does not even allow
manually setting an address via GUI).

Too much effort. Really.

3. You need to have static addresses in your network for access control?

Access control can be done based on MAC within a broadcast domain so
you don't have to eschew Privacy Extensions if you can do so.

Maybe if you have a very small network - just one or two subnets, one router... Again - maybe. It is definitely not going to work on a large, multisite network with many intermediate routers.

All you can do on edge devices is checking the client's MAC, requiring 802.1X and making sure that IP matches MAC (and possibly DHCP lease) and similar things.

Best regards,

				Krzysztof Olędzki
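
An added illustration (not part of the original message or of the patch series) of the stable-suffix point debated in this thread: with SLAAC and no Privacy Extensions, the interface identifier is the modified EUI-64 form of the MAC (RFC 4291, Appendix A), so it is identical under every /64 prefix, and an edge device can check whether an address matches a known MAC. The MAC, the 2001:db8::/32 documentation prefixes and the function names are constructed for this example.

```python
import ipaddress

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, App. A)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host without Privacy Extensions would autoconfigure in `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))

def suffix(addr) -> str:
    """Lower 64 bits (interface identifier) of an address, as hex."""
    return ipaddress.IPv6Address(str(addr)).packed[8:].hex()

def matches_mac(addr, mac: str) -> bool:
    """Edge-device style check: is the address's suffix derived from this MAC?"""
    return ipaddress.IPv6Address(str(addr)).packed[8:] == eui64_iid(mac)

def looks_eui64(addr) -> bool:
    """Heuristic: ff:fe in the middle of the suffix suggests a MAC-derived address."""
    return ipaddress.IPv6Address(str(addr)).packed[11:13] == b"\xff\xfe"

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                        # constructed sample MAC
    home = slaac_address("2001:db8:1::/64", mac)     # constructed "site A" prefix
    cafe = slaac_address("2001:db8:2::/64", mac)     # constructed "site B" prefix
    private = "2001:db8:1:0:a1b2:c3d4:e5f6:789a"     # constructed random-suffix address
    for a in (home, cafe, private):
        print(a, "suffix", suffix(a), "matches MAC:", matches_mac(a, mac))
```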

