SixXS::Sunset 2017-06-06

Ipv6 privacy extensions and firewall...
[se] Shadow Hawkins on Sunday, 16 September 2012 10:23:40
After upgrading my ubuntu I noticed that my network interface got another global address within my /64. After some investigation I found this was because the newer ubuntu comes with privacy extensions ON by default. In itself this is not a problem, but I had also noticed that a few of my network connections were failing, and the reason is that the network stack favors using the global address with privacy extensions instead of the one generated from MAC. This also applies to connections on the same network, meaning that when I set up connections to a firewalled machine on the same /64, the source address will be random and change over time, meaning that having firewall rules on the destination machine other than "let connections from the same network in" will be meaningless. I'm a bit stumped by this and other than turning the privacy extensions off I wonder what ways I have to deal with the problem? So far I've looked at:
- searching for a way to configure privacy extensions not to use the whole lower 64 bits in the address, leaving me some bits within the host identifier to map to my firewall rule. No luck.
- rewriting traffic from/to the firewalled machine. While this one is possible I do not want to venture down this particular route. (pun intended)
- Assigning the machines to different networks, so I can use the network prefix in my firewall rules. While it looks as if dhcpv6 could handle this, radvd turns into a problem as it is limited to one /64 per network interface. (and the machines in question are on the same network, so mapping several logical networks to it to solve this problem seems ... stupid)
Anyone who can provide me with help on how to have both privacy extensions _and_ firewall host-to-host rules?
Ipv6 privacy extensions and firewall...
[de] Shadow Hawkins on Sunday, 16 September 2012 16:31:35
I think your idea to use a second prefix is the only one that might solve your problem besides switching off privacy extensions altogether. But you can't advertise this second prefix via Router Advertisements (radvd) because in this case your LAN clients again would autoconfigure two addresses from this prefix, one public (derived from MAC) and one temporary (privacy extensions) and this is not what you want. So best choice is to configure the addresses from this second prefix manually or use DHCPv6 combined with address reservations. ULA addresses from fd00::/8 are a good choice for use as a second prefix, because you can only use them inside your LAN and not for communication with the Internet. But in order to assure that they are used for intra LAN communication you have to adjust the policy table (see chapter 2.1 in http://www.ietf.org/rfc/rfc3484.txt) on every node of your LAN by adding a line like this:
  Prefix      Precedence  Label
  fed0::/8    45          5
(use a Precedence value higher than the one configured for ::/0 in the present table and a new Label value that does not yet exist). You have to figure out how to configure the policy table in the different operating systems you use (e.g. Windows: netsh int ipv6 show|set|add|del pref ...)
Ipv6 privacy extensions and firewall...
[de] Shadow Hawkins on Sunday, 16 September 2012 16:33:32
sorry: the prefix in the policy table should be fd00::/8 instead of fed0::/8.
Ipv6 privacy extensions and firewall...
[ch] Jeroen Massar SixXS Staff on Sunday, 16 September 2012 19:55:25
I'm a bit stumped by this and other than turning the privacy extensions off I wonder what ways I have to deal with the problem?
Generally one turns it off as, as you noticed, privacy extensions are annoying for logging etc.
Ipv6 privacy extensions and firewall...
[se] Shadow Hawkins on Sunday, 16 September 2012 21:18:51
Thanks for the feedback (both of you). I'll probably take the easy route and disable the privacy extensions, but since I was curious about how the problem could/should be handled I had to ask. :) As long as a second prefix is enough, ULA addresses will probably work fine to solve the problem I posed. Thanks also as I did not know about the policy table.
Ipv6 privacy extensions and firewall...
[de] Shadow Hawkins on Wednesday, 19 September 2012 11:54:35
An improved configuration of the policy table in case you want to use ULA can be found in chapter 10.6 of RFC6724 (http://tools.ietf.org/html/rfc6724#section-10.6). By having both an entry for all ULA (fc00::/7) with a low precedence (lower than the one used for ::/0) and an entry for the ULA you use inside your LAN (fdxx:xxxx:xxxx::/48) with a high precedence (higher than the one used for ::/0) you prevent using ULA for external ULA destinations (which would produce problems, because they are not routable through the Internet) while the use of ULA for internal ULA destinations (any one within fdxx:xxxx:xxxx::/48) is preferred. RFC6724 is a result of problems described in RFC5220 (http://tools.ietf.org/html/rfc5220) and replaces RFC3484.
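The following is an added worked example (not code from the thread or from SixXS) that models the policy-table effect discussed in the two posts above: it implements the longest-prefix policy lookup of RFC 3484/6724 section 2.1 plus a simplified subset of the selection rules (destination rules 5 and 6, source rules 6, 7 and 8), then compares three tables: the RFC 6724 default, the "fd00::/8 45 5" line from the earlier post layered on the RFC 3484 table, and the RFC 6724 section 10.6 style table with the site's own /48. All addresses, the site prefix fd12:3456:789a::/48, the label value 14 and the precedence 45 for the /48 entry are constructed for the example; the rule subset and the tie-breaking by list order are simplifications of the full RFC algorithm.

```python
"""Policy-table driven address selection (simplified RFC 6724 subset)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    addr: ipaddress.IPv6Address
    temporary: bool = False  # RFC 4941 privacy ("temporary") address


def make_table(rows):
    """Rows are (prefix, precedence, label), as printed in the RFC tables."""
    return [(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in rows]


# Default table of RFC 3484 section 2.1 (the one the second post refers to).
RFC3484_DEFAULT = make_table([
    ("::1/128", 50, 0), ("::/0", 40, 1), ("2002::/16", 30, 2),
    ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4),
])

# Default table of RFC 6724 section 2.1; note the fc00::/7 row at precedence 3.
RFC6724_DEFAULT = make_table([
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
])

# The earlier post's suggestion: one fd00::/8 line added to the RFC 3484 table.
THREAD_FD00_TABLE = RFC3484_DEFAULT + make_table([("fd00::/8", 45, 5)])

# RFC 6724 section 10.6 style: fc00::/7 stays below ::/0, and the site's own
# /48 gets a precedence above ::/0 and an unused label. Values are constructed.
SITE_ULA = "fd12:3456:789a::/48"
RFC6724_SITE_TABLE = RFC6724_DEFAULT + make_table([(SITE_ULA, 45, 14)])


def lookup(table, addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    best = None
    for net, prec, lab in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, lab)
    return best[1], best[2]


def common_prefix_len(a, b):
    """Number of leading bits shared by two IPv6 addresses."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(table, dst, sources):
    """Source selection, rules 6 (label match), 7 (prefer temporary, as in
    RFC 6724 and as the first post observed on Ubuntu) and 8 (longest prefix)."""
    dst_label = lookup(table, dst)[1]
    return max(sources, key=lambda s: (lookup(table, s.addr)[1] == dst_label,
                                       s.temporary,
                                       common_prefix_len(s.addr, dst)))


def select_destination(table, dsts, sources):
    """Destination ordering, rules 5 (label match) and 6 (higher precedence);
    returns the preferred destination and the source that would be used."""
    def key(dst):
        prec, label = lookup(table, dst)
        src = select_source(table, dst, sources)
        return (lookup(table, src.addr)[1] == label, prec)
    dst = max(dsts, key=key)
    return dst, select_source(table, dst, sources)


# Constructed host: a stable global address, a privacy address on the same
# /64, and a manually configured ULA (so no temporary ULA exists).
OUR_ADDRS = [
    Candidate(ipaddress.IPv6Address("2001:db8:1:1::10")),
    Candidate(ipaddress.IPv6Address("2001:db8:1:1:1234:5678:9abc:def0"), temporary=True),
    Candidate(ipaddress.IPv6Address("fd12:3456:789a:1::10")),
]
# Constructed peers: one on the same LAN (global + site ULA in DNS), one
# external host that leaks a foreign ULA next to its global address.
LAN_PEER = [ipaddress.IPv6Address("2001:db8:1:1::20"),
            ipaddress.IPv6Address("fd12:3456:789a:1::20")]
FOREIGN_ULA_PEER = [ipaddress.IPv6Address("2001:db8:2::20"),
                    ipaddress.IPv6Address("fd99:0:0:1::20")]


def choose(table, dsts):
    """Return (destination, source) as strings for the given policy table."""
    dst, src = select_destination(table, dsts, OUR_ADDRS)
    return str(dst), str(src.addr)


if __name__ == "__main__":
    for name, table in [("RFC 6724 default", RFC6724_DEFAULT),
                        ("RFC 3484 + fd00::/8 45 5", THREAD_FD00_TABLE),
                        ("RFC 6724 + site /48", RFC6724_SITE_TABLE)]:
        print(name, "LAN peer:", choose(table, LAN_PEER),
              "foreign ULA peer:", choose(table, FOREIGN_ULA_PEER))
```

With the default table the LAN peer is reached over its global address from the temporary source, which is the unpredictable-source problem of the first post. The fd00::/8 line fixes the LAN case (ULA to ULA, stable source) but also pulls the foreign fd99 ULA ahead of that host's global address, which is exactly the unroutable-destination problem the post above warns about; the section 10.6 style table keeps the ULA preference for the site's own /48 while letting the foreign ULA fall back to the global address.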


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker