IPv6 Source Address Selection on Mac OS X Lion
Christoph Stahl
cstahl at netcologne.de
Fri Dec 16 13:23:01 CET 2011
Hi Dick,
because then you cannot find out which admin IP belongs to which admin
when looking at your logs. And then access to the layer 2 would bring
access through firewalls/host.allows. So its security and
operational/"administrational" reason behind this design.
There is one or maybe little more admin-IPv6-addresses per admin: Each
should be configured in the firewall. Of course there is a little
operational overhead but we consider it worth it.
And then: If you want to surf the internet you want such a thing as
privacy extension. So we see the need for having both: static IPs for
administartion of our hardware and private autoconfigured ones for
access everything that is not ours.
@Janos:
What is that apple opensource sourcecode - very interesting find!? Does
it built to a working ip6addrctl tool? Have you tried - has anyone?
Best regards,
Christoph
Am 16.12.2011 00:37, schrieb Dick Visser:
> Hi Christoph
>
> On 2011-12-14 15:00, Christoph Stahl wrote:
>> The goal is to use a stateless autoconfigured IPv6 Adress to "surf the
>> the internet" and a statically configured IPv6 Adress to reach the IPv6
>> (or dual stacked) hosts that use IPs belonging to our assigned
>> IPv6-prefix. So that we can configure the static "admin" IPv6 address in
>> firewalls or host.allows, but surf the web with all the benefits of the
>> automatic privacy extension.
> Maybe I misunderstand the problem, but why don't you dedicate a /64 to
> the "admin" network, use autoconfigured addresses, and filter the /64 in
> firewalls/hosts.allows?
> That would mean less configuration, and easier filtering.
>
> Cheers,
>
More information about the ipv6-ops
mailing list