* [IPv6] Proxy NDP for subnetwork (instead of host)
@ 2011-04-26 20:30 Vincent Danjean
From: Vincent Danjean @ 2011-04-26 20:30 UTC (permalink / raw)
To: linux-kernel
Hi,
First, the main question: I did not find a way to do proxy_ndp for
an entire network (instead of per host). Did I miss something? Would
it not be useful for Linux to allow it? Is there something (an RFC, a
technical limitation) that forbids it?
Then, a more detailed explanation.
I set up an IPv6 tunnel with Hurricane. Hurricane provides a tunnel endpoint
to which it routes another full /48 IPv6 network. This allows me to set up
my firewall with the rules I want and to have several IPv6 (sub)networks at
home: at least one for the wifi and one for the wired DMZ. All is good except
for the fact that this is a tunneled IPv6 connection, not a native one.
My ISP also provides "native" IPv6 (in fact, this is 6rd). Their
router advertises a /64 network (even if a /60 seems to be really routed).
The problem is that the ISP router is itself on this network (prefix::1)
and it thinks that all machines on this network are seen directly by it
(i.e. there is only a flat network).
However, what I would like is this kind of topology:
ISP router ----- firewall ----- internal hosts
But, for this to work, I need the firewall to do proxy NDP for all
internal hosts.
Currently, the only way to do this I have found is to add *all* IPs from
the internal network one by one to the firewall proxy NDP:
firewall> for IP in $all_IP_in_internal_network; do
    ip neigh add proxy $IP dev eth0 ;
done
This is not very interesting. Each time someone connects to
my network (friends who come to my home), I would need to reconfigure
the firewall. Moreover, this is not compatible with
net.ipv6.conf.default.use_tempaddr=2, which generates new IPv6 addresses
for each outbound connection.
This is why I stick to the Hurricane tunnel instead of using my
native IPv6 ISP connection for now.
So, I come back to my initial question: what do you think of
the possibility of doing something like "ip neigh add proxy $IP/64 dev eth0"
so that the firewall does proxy NDP for the whole /64 network?
Regards,
Vincent
PS: even if I read the list, I would welcome being CC'd on answers.
--
Vincent Danjean GPG key ID 0x9D025E87 vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://people.debian.org/~vdanjean/debian unstable main
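Until a prefix-wide proxy exists, the per-host workaround in the post can at least be automated. The script below is an added example, not code from the post or from the kernel: it mirrors the firewall's neighbour table on the internal interface into proxy-NDP entries on the ISP-facing interface, so visiting hosts and privacy (use_tempaddr) addresses get proxied as they appear and removed when they age out. It assumes eth0 faces the ISP router, eth1 faces the internal hosts, and uses a documentation prefix as a placeholder for the advertised /64.

```shell
#!/bin/sh
# Added example, not code from the original post: automate the per-host
# workaround by mirroring the firewall's internal-interface neighbour
# table into proxy-NDP entries on the ISP-facing interface, so addresses
# that appear (visiting hosts, privacy/temporary addresses) get proxied
# without hand-editing a list. Assumed names: eth0 faces the ISP router,
# eth1 faces the internal hosts, PREFIX is a documentation placeholder.
export LC_ALL=C                     # byte-wise sort/comm, independent of locale
UPLINK=${UPLINK:-eth0}
INSIDE=${INSIDE:-eth1}
PREFIX=${PREFIX:-2001:db8:1:2}      # the /64 the ISP router advertises, compressed form

# stdin: `ip -6 neigh show dev $INSIDE`. Print addresses inside PREFIX whose
# entry is usable (not FAILED/INCOMPLETE); the last field is the NUD state.
select_proxy_targets() {
    awk -v pfx="$PREFIX:" '
        index($1, pfx) == 1 && $NF != "FAILED" && $NF != "INCOMPLETE" { print $1 }
    ' | sort -u
}

# stdin: `ip -6 neigh show proxy dev $UPLINK`. Print the proxied addresses.
current_proxies() { awk '{ print $1 }' | sort -u; }

# $1 = sorted file of wanted addresses, $2 = sorted file of present ones.
# Emit "add ADDR" for missing entries and "del ADDR" for stale ones.
plan() {
    comm -23 "$1" "$2" | sed 's/^/add /'
    comm -13 "$1" "$2" | sed 's/^/del /'
}

sync_proxies() {
    # Proxy entries only answer Neighbor Solicitations once proxy_ndp is on,
    # and the firewall must forward for the proxied traffic to reach eth1.
    sysctl -q -w "net.ipv6.conf.$UPLINK.proxy_ndp=1"
    sysctl -q -w net.ipv6.conf.all.forwarding=1
    wanted=$(mktemp); present=$(mktemp)
    ip -6 neigh show dev "$INSIDE" | select_proxy_targets > "$wanted"
    ip -6 neigh show proxy dev "$UPLINK" | current_proxies > "$present"
    plan "$wanted" "$present" | while read -r action addr; do
        ip -6 neigh "$action" proxy "$addr" dev "$UPLINK"
    done
    rm -f "$wanted" "$present"
}

# Run from cron or a systemd timer as root: `sh proxy-sync.sh --run`
if [ "${1:-}" = "--run" ]; then sync_proxies; fi
```

A host only shows up in the eth1 neighbour table once the firewall has exchanged packets with it, so a timer-driven sync lags behind new arrivals; daemons such as ndppd do the same job continuously by answering Neighbor Solicitations on the uplink for a configured prefix.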