From: Vincent Danjean <vincent@danjean.fr>
To: linux-kernel@vger.kernel.org
Subject: [IPv6] Proxy NDP for subnetwork (instead of host)
Date: Tue, 26 Apr 2011 22:30:51 +0200
Message-ID: <4DB72B7B.6060408@danjean.fr>

  Hi,

  First, the main question: I did not find a way to do proxy_ndp for
an entire network (instead of per host). Did I miss something? Would
it not be useful for Linux to allow it? Is there something (an RFC, a
technical limitation) that forbids it?

  Then, a more detailed explanation.

  I set up an IPv6 tunnel with Hurricane. Hurricane provides a tunnel endpoint
through which it routes another full /48 IPv6 network. This allows me to set up
my firewall with the rules I want and to have several IPv6 (sub)networks at
home: at least one for the wifi and one for the wired DMZ. All is good except for
the fact that this is a tunneled IPv6 connection, not a native one.

  My ISP also provides "native" IPv6 (in fact, this is 6rd). Their
router advertises a /64 network (even if a /60 seems to really be routed).
The problem is that the ISP router is itself on this network (prefix::1)
and it thinks that all machines on this network are seen directly by it
(i.e. there is only a flat network).
  However, what I would like is this kind of topology:
ISP router  ----- firewall ----- internal hosts
But, for this to work, I need the firewall to do proxy NDP for all
internal hosts.
  Currently, the only way I found to do this is to add *all* IPs from
the internal network one by one to the firewall's proxy NDP table:
firewall> for IP in $all_IP_in_internal_network; do
            ip -6 neigh add proxy "$IP" dev eth0
          done
This is not very interesting. Each time someone connects to
my network (friends who come to my home), I would need to reconfigure
the firewall. Moreover, this is not compatible with
net.ipv6.conf.default.use_tempaddr=2, which generates new IPv6 addresses
for each outbound connection.
  This is why I stick with the Hurricane tunnel instead of using my
native IPv6 ISP connection for now.

So, I come back to my initial question: what do you think of
the possibility of doing something like "ip neigh add proxy $IP/64 dev eth0"
so that the firewall does proxy NDP for the whole /64 network?

  Regards,
    Vincent

PS: even though I read the list, I would welcome being CC'd on answers.

-- 
Vincent Danjean       GPG key ID 0x9D025E87         vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://people.debian.org/~vdanjean/debian unstable main
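One way to live with the per-host limitation the post describes, as an added example that is not part of the original message or of the kernel: a small script for the firewall that reads the LAN neighbour table, keeps only the entries inside the advertised /64 that are in a live NUD state, and adds or deletes the corresponding /128 proxy entries on the WAN side. Re-run from cron (or in a loop) it picks up new guests and rotating use_tempaddr addresses without any manual reconfiguration, and withdraws entries for hosts that have gone away instead of blackholing them. The prefix 2001:db8:1::/64, the interface names eth0 (towards the ISP router) and eth1 (towards the internal hosts), and the sample `ip -6 neigh` outputs are assumptions and constructed data, not values from the page.

```python
#!/usr/bin/env python3
"""ndp-proxy-sync: mirror live LAN hosts into the firewall's proxy-NDP table.

Added example, not code from the original post or from the kernel.  Because
`ip -6 neigh add proxy` takes host addresses only, the script re-derives the
set of /128 proxy entries from the LAN neighbour table each time it runs, so
new guests and rotating privacy (use_tempaddr) addresses get picked up and
vanished hosts get withdrawn.  Interface names and the prefix are assumptions.
"""
import ipaddress
import subprocess
import sys

PREFIX = "2001:db8:1::/64"  # assumed: the /64 the ISP router advertises
WAN = "eth0"                # assumed: interface facing the ISP router
LAN = "eth1"                # assumed: interface facing the internal hosts

# Neighbour states that mean "this host is really here".  FAILED and
# INCOMPLETE entries must not be proxied: the firewall would then answer
# NS for an absent host and traffic for that address would be blackholed.
LIVE_STATES = {"PERMANENT", "REACHABLE", "STALE", "DELAY", "PROBE"}

# Constructed sample of `ip -6 neigh show dev eth1` output (no 'dev' field
# appears when the device is given on the command line).
SAMPLE_NEIGH = """\
2001:db8:1::5 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1:0:1234:5678:9abc:def0 lladdr 00:11:22:33:44:66 STALE
2001:db8:1::9 FAILED
fe80::211:22ff:fe33:4455 lladdr 00:11:22:33:44:55 router STALE
2001:db8:2::7 lladdr 00:11:22:33:44:77 REACHABLE
"""
# Constructed sample of `ip -6 neigh show proxy dev eth0` output.
SAMPLE_PROXIES = """\
2001:db8:1::5 proxy
2001:db8:1::9 proxy
"""


def parse_addr(field):
    """Return the normalised address in FIELD, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(field))
    except ValueError:
        return None


def live_lan_addrs(neigh_output, prefix):
    """Addresses inside PREFIX whose LAN neighbour entry is in a live state."""
    net = ipaddress.ip_network(prefix)
    wanted = set()
    for line in neigh_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        addr = parse_addr(fields[0])
        # The NUD state is always the last field; flags like 'router' precede it.
        if addr and ipaddress.ip_address(addr) in net and fields[-1] in LIVE_STATES:
            wanted.add(addr)
    return wanted


def current_proxies(proxy_output):
    """Addresses already present as proxy entries (first field of each line)."""
    found = set()
    for line in proxy_output.splitlines():
        fields = line.split()
        addr = parse_addr(fields[0]) if fields else None
        if addr:
            found.add(addr)
    return found


def plan_sync(neigh_output, proxy_output, prefix):
    """Return (to_add, to_delete): sorted lists of /128 proxy entries."""
    wanted = live_lan_addrs(neigh_output, prefix)
    have = current_proxies(proxy_output)
    return sorted(wanted - have), sorted(have - wanted)


def ip_commands(to_add, to_delete, wan):
    """The `ip` invocations that bring the proxy table to the planned state."""
    cmds = [["ip", "-6", "neigh", "add", "proxy", a, "dev", wan] for a in to_add]
    cmds += [["ip", "-6", "neigh", "del", "proxy", a, "dev", wan] for a in to_delete]
    return cmds


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main(argv):
    if "--demo" in argv:  # offline: plan against the constructed samples
        neigh, proxies = SAMPLE_NEIGH, SAMPLE_PROXIES
    else:                 # on the firewall: read the real tables
        neigh = run(["ip", "-6", "neigh", "show", "dev", LAN])
        proxies = run(["ip", "-6", "neigh", "show", "proxy", "dev", WAN])
    for cmd in ip_commands(*plan_sync(neigh, proxies, PREFIX), WAN):
        print(" ".join(cmd))
        if "--dry-run" not in argv and "--demo" not in argv:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main(sys.argv[1:])
```

`python3 ndp-proxy-sync.py --demo` prints the planned `ip` commands against the constructed samples; on the firewall, run it as root with `--dry-run` first, then from cron. The kernel only answers Neighbor Solicitations for proxy entries on an interface where `net.ipv6.conf.eth0.proxy_ndp=1` is set, and `net.ipv6.conf.all.forwarding=1` is needed to forward between eth0 and eth1; since enabling forwarding makes the kernel ignore Router Advertisements by default, also set `net.ipv6.conf.eth0.accept_ra=2` so the firewall keeps its default route via the ISP router.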