ip6tables and multiple possible source addresses

Eric Vyncke (evyncke) evyncke at cisco.com
Wed Jan 18 21:32:31 CET 2012

Or more simply, with modern (cough since 1995!) switches it is easy to get as many layer-2 domains as you want with VLAN. With IPv6, you usually receives thousands of /64. As it is easy to spoof among a layer-2 (assuming SAVI/SeND are not used) domain for IPv4 and IPv6, then, the best recommendation is to put all hosts with the same security level into one /64 (.1X can help) and build your ip6tables on /64 and not /128. Then SLAAC & DHCP or whatever will work like a charm (assuming basic anti-spoofing)


> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
> bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Olipro
> Sent: mercredi 18 janvier 2012 20:58
> To: ipv6-ops at lists.cluenet.de
> Subject: Re: ip6tables and multiple possible source addresses
> On Tuesday 17 Jan 2012 17:04:00 Tom Perrine wrote:
> > Someone must have already figured this out; I'm feeling "virtual Monday"
> > pretty bad right now :-(
> >
> > With IPv6 a host can have "lots" (more than 1) of possible IPv6
> > addresses to use as the source address. I've read the RFCs, so I can
> > (usually) make a good guess as to which one will be used, but...
> >
> > When writing a host-specific ip6tables rule, which address do you need
> > to list? All of the possible Global Scoped addresses?
> >
> > This seems...... awkward (and error prone).
> >
> > Am I missing something, or is it that bad?
> >
> > --tep
> if using DHCPv6 and refusing to route unleased addresses (or subnets)
> *isn't* an option for you and SLAAC is a must, then the only real way to
> handle this is allocate a /64 *per host* and perform your firewalling on
> the CIDR boundary - not an entirely impossible prospect if you have a
> reasonable subnet size to play with.
> On a side note, one thing to bear in mind is that when you make router
> advertisements, you can set AdvOnlink to off which has the effect of
> causing /all/ traffic for that subnet to be routed; hosts will not attempt
> or use neighbour discovery - useful if you want to use a single subnet
> across multiple VLANs.

More information about the ipv6-ops mailing list