ip6tables and multiple possible source addresses
Brian E Carpenter
brian.e.carpenter at gmail.com
Wed Jan 18 20:48:57 CET 2012
The fact is that
a) this sort of scenario is intrinsic to the design of IPv6, so get used to it.
b) it is *very* hard to get border router and firewall configurations correct
to deal with it. In fact, reports on the reachability of 2404:138:4004::1 and
2001:df0:0:201e::1 would help me a lot right now: they are the same machine,
but we are having difficulty getting them both pingable simultaneously.
c) the IETF is trying to sort this out in the MIF (multiple interface) and
HOMENET WGs, but for now it does seem to be a matter of twiddling router
rules and firewall rules by hand. Not pretty.
On 2012-01-19 01:26, Marc Blanchet wrote:
> Le 2012-01-18 à 02:10, Ben Jencks a écrit :
>> On Jan 17, 2012, at 8:04 PM, Tom Perrine wrote:
>>> Someone must have already figured this out; I'm feeling "virtual Monday" pretty bad right now :-(
>>> With IPv6 a host can have "lots" (more than 1) of possible IPv6 addresses to use as the source address. I've read the RFCs, so I can (usually) make a good guess as to which one will be used, but...
>>> When writing a host-specific ip6tables rule, which address do you need to list? All of the possible Global Scoped addresses?
>>> This seems...... awkward (and error prone).
>>> Am I missing something, or is it that bad?
>> If you have control over the host, you can set and/or verify its source address selection policy to make sure you use the right IP.
> might not work all time, since the source and destination address selection algorithm depends on the destination. Therefore, the host can use address A to reach B and address C to reach D. Moreover, host OS and software (browsers) already implement happy-eyeballs or variations of this that make the assumption even less appropriate.
>> If you don't, you shouldn't trust that the IP continues to refer to the same host over long periods of time, and simply filter based on the actual source IP you see at the moment. Besides, if a host starts using a different source address (e.g. privacy addresses) it's very likely that it doesn't *want* to be treated as the same host.
> things that _may_ help you Tom is whether the provisioning of the host is done by DHCPv6, which is what many enterprises are using/planning to use. In this case, the host most likely have a single global address and is not going to use temporary addresses.
More information about the ipv6-ops