On Wednesday 02 February 2011 you wrote:
> > Answer packets for NDP always have a valid IPv6 address from the
> > answering host as their source address. Also, they're IPv6 packets like
> > any other and not a separate protocol as with ARP+IPv4.
>
> Yes, however there is nothing currently like arptables for IPv6 that I
> know of.

ip -6 neighbor show (Requires iproute2 to be installed)

> Even though the NDP answers may have a correct source IP,
> surely the payload could provide wrong (i.e. malicious) data...

As far as I know, as long as the source address of the answer packet is one address, it cannot be used to advertise a different address. If you want certainty, read the respective RFC (4861 afaict), study the packets being sent with wireshark and/or experiment with sending faked packets yourself.

> > Note that hosts using IPv6 will usually have at least two autoconfigured
> > addresses, and it's sometimes hard to predict which one will be used as
> > source address for outgoing packets, especially if the number of
> > configured addresses grows. You must not block any of those.
>
> I'm willing to give up the auto-config features of IPv6. We can just
> manually put the address in the respective config file. It's no big deal
> really.

As long as any of your VPSes still have it enabled (I wouldn't even know how to disable it, and I think disabling the autoconfigured link-local addresses may break things), they will end up using it as a source address sooner or later.

I don't see why you want to completely forego autoconfiguration, really. IMHO, it's a nice "it just works"-feature. It can be a bit harder to filter, because you need to predict what these addresses will look like before the fact, but once you understand the principle, it's easy enough: Just take the network address as advertised by your router, or fe80:: for the link-local address, and replace the lowest 8 bytes with the modified EUID of the machine's NIC.

That "modified EUID" in turn can be calculated by taking the 6-byte MAC address of the NIC, inserting the two bytes 0xff and 0xfe between the third and the fourth byte and toggling the second bit of the most significant byte. (Note: Some guides on the Internet will tell you to unconditionally set that last bit to 1. That is wrong.)

Guido
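The address derivation Guido describes above (MAC, insert ff:fe, toggle the U/L bit, prepend the /64 prefix), written out as a small Python helper so the expected autoconfigured addresses of a host can be computed ahead of time for a filter rule set. This is an added example, not code from the thread; the MAC addresses and the 2001:db8::/64 prefix are constructed sample values, and the function names are mine.

```python
import ipaddress

# Constructed sample values: a documentation prefix and made-up MACs.
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_MACS = ["00:11:22:33:44:55", "02:11:22:33:44:55"]


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte interface identifier derived from a 48-bit MAC.

    Steps as described in the mail: split the MAC into two halves, insert
    0xff 0xfe between the third and fourth byte, and TOGGLE (not set) the
    universal/local bit, which is bit 0x02 of the first byte.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02  # toggling: a locally administered MAC flips back to 0
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 of `mac`.

    The upper 64 bits come from the router advertisement (or fe80::/64
    for link-local); the lower 64 bits are the interface identifier.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 based autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address a host will autoconfigure for this NIC."""
    return slaac_address("fe80::/64", mac)


def expected_addresses(mac: str, prefixes: list[str]) -> list[str]:
    """All EUI-64 addresses a host with this MAC should be allowed to use:
    its link-local address plus one address per advertised /64 prefix."""
    addrs = {str(link_local_address(mac))}
    addrs.update(str(slaac_address(p, mac)) for p in prefixes)
    return sorted(addrs)


if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        print(mac, "->", modified_eui64(mac).hex(":"))
        for addr in expected_addresses(mac, [SAMPLE_PREFIX]):
            print("   ", addr)
```

Running it shows why the toggle matters: 00:11:22:33:44:55 becomes fe80::211:22ff:fe33:4455, while the locally administered 02:11:22:33:44:55 becomes fe80::11:22ff:fe33:4455, which an "always set the bit" recipe would get wrong. One caveat from my side, not from the thread: hosts with RFC 4941 privacy extensions enabled additionally use randomly generated temporary addresses that cannot be predicted from the MAC, so a whitelist built this way only covers the stable EUI-64 addresses.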