ip6tables and multiple possible source addresses

Ivan Shmakov oneingray at gmail.com
Wed Jan 18 14:03:35 CET 2012

>>>>> Gert Doering <gert at space.net> writes:
>>>>> On Tue, Jan 17, 2012 at 05:04:00PM -0800, Tom Perrine wrote:

 >> When writing a host-specific ip6tables rule, which address do you
 >> need to list? All of the possible Global Scoped addresses?

 > Maybe this is an indication that host-specific ipv6 firewall rules
 > for "only certain hosts in an otherwise non-trusted /64 subnet" is a
 > stupid idea right from the start...

 > Of course it's completely unheard-of that evil host A could imperson
 > trusted host B's address to circumvent these rules.

	I tend to agree with that.  It makes little sense to use IP
	addresses for authentication nowadays, as, e. g., Kerberos and
	X.509-based authentication allow for way more secure and
	flexible operation.

FSF associate member #7257

More information about the ipv6-ops mailing list