From: Vincent Danjean <vincent@danjean.fr>
To: linux-kernel@vger.kernel.org
Subject: [IPv6] Proxy NDP for subnetwork (instead of host)
Date: Tue, 26 Apr 2011 22:30:51 +0200
Message-ID: <4DB72B7B.6060408@danjean.fr>
Hi,
First, the main question: I did not find a way to do proxy_ndp for
an entire network (instead of per host). Did I miss something? Would
it not be useful for Linux to allow it? Is there something (an RFC, a
technical limitation) that forbids it?
Then, a more detailed explanation.
I set up an IPv6 tunnel with Hurricane. Hurricane provides a tunnel endpoint
to which it routes another full /48 IPv6 network. This allows me to set up
my firewall with the rules I want and to have several IPv6 (sub)networks at
home: at least one for the wifi and one for the wired DMZ. All is good except
for the fact that this is a tunneled IPv6 connection, not a native one.
My ISP also provides "native" IPv6 (in fact, this is 6rd). Their
router advertises a /64 network (even if a /60 seems to really be routed).
The problem is that the ISP router is itself on this network (prefix::1)
and it thinks that all machines on this network are seen directly by it
(i.e. there is only a flat network).
However, what I would like is this kind of topology:
ISP router ----- firewall ----- internal hosts
But, for this to work, I need the firewall to do proxy NDP for all
internal hosts.
Currently, the only way to do this that I found is to add *all* IPs from
the internal network one by one to the firewall's proxy NDP table:
firewall> for IP in $all_IP_in_internal_network; do
              # one proxy entry per internal address, on the ISP-facing interface
              ip -6 neigh add proxy "$IP" dev eth0
          done
This is not very interesting. Each time someone connects to
my network (friends who come to my home), I would need to reconfigure
the firewall. Moreover, this is not compatible with
net.ipv6.conf.default.use_tempaddr=2, which generates new IPv6 addresses
for each outbound connection.
This is why I stick to the Hurricane tunnel instead of using my
native IPv6 ISP connection for now.
So, I come back to my initial question: what do you think of
the possibility of doing something like "ip neigh add proxy $IP/64 dev eth0"
so that the firewall does proxy NDP for the whole /64 network?
Regards,
Vincent
PS: even though I read the list, I would welcome being CC'd on answers.
--
Vincent Danjean GPG key ID 0x9D025E87 vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://people.debian.org/~vdanjean/debian unstable main
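The per-host workaround described in the post, as an added example that is not part of the original message: given the firewall's neighbour table (a constructed sample of `ip -6 neigh show` output below), it emits one `ip -6 neigh add proxy` command per distinct global address of the delegated /64 seen on the internal interface, and counts addresses per link-layer address to show why a static list goes stale once hosts rotate temporary addresses. The prefix 2001:db8:1234:5678::/64, the interface names eth1 (LAN side) and eth0 (ISP side), and the MAC addresses are assumptions for this illustration; in practice a daemon such as ndppd keeps this list current, this script only shows what such a daemon has to do.

```python
import ipaddress

# Constructed sample of `ip -6 neigh show` output on the firewall (not real data).
# Assumed layout: eth1 faces the internal hosts, eth0 faces the ISP router.
# It deliberately contains a duplicate line, a link-local entry, a FAILED entry
# without lladdr, the ISP router on eth0, and one host with two addresses on the
# same MAC (what use_tempaddr=2 produces).
SAMPLE_NEIGH = """\
2001:db8:1234:5678::10 dev eth1 lladdr 52:54:00:12:34:56 REACHABLE
2001:db8:1234:5678:3c4e:9aff:fe12:3456 dev eth1 lladdr 52:54:00:aa:bb:cc STALE
2001:db8:1234:5678:91e2:7b1c:44d0:2f61 dev eth1 lladdr 52:54:00:aa:bb:cc STALE
fe80::5054:ff:fe12:3456 dev eth1 lladdr 52:54:00:12:34:56 REACHABLE
2001:db8:1234:5678::10 dev eth1 lladdr 52:54:00:12:34:56 REACHABLE
2001:db8:1234:5678::99 dev eth1 FAILED
2001:db8:1234:5678::1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""


def parse_neigh(text):
    """Parse `ip -6 neigh show` lines into (address, device, lladdr, state) tuples.

    Entries without a link-layer address (FAILED / INCOMPLETE) are skipped,
    as are lines whose first token is not an IPv6 address.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if addr.version != 6:
            continue
        dev = lladdr = None
        for i, tok in enumerate(parts):
            if tok == "dev" and i + 1 < len(parts):
                dev = parts[i + 1]
            elif tok == "lladdr" and i + 1 < len(parts):
                lladdr = parts[i + 1]
        if lladdr is None:
            continue
        entries.append((addr, dev, lladdr, parts[-1]))
    return entries


def proxy_commands(neigh_text, prefix, lan_dev, wan_dev):
    """Return the per-host proxy commands from the post, one per distinct
    global address of `prefix` learnt on `lan_dev`, to be installed on `wan_dev`."""
    net = ipaddress.ip_network(prefix, strict=False)
    seen = set()
    cmds = []
    for addr, dev, _mac, _state in parse_neigh(neigh_text):
        if dev != lan_dev or addr not in net or addr.is_link_local or addr in seen:
            continue
        seen.add(addr)
        cmds.append(f"ip -6 neigh add proxy {addr} dev {wan_dev}")
    return cmds


def addresses_per_host(neigh_text, prefix, lan_dev):
    """Count distinct in-prefix addresses per link-layer address on `lan_dev`.

    A host running with use_tempaddr=2 shows up with more than one address, and
    that set changes over time, so a list built once is incomplete later.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    per_mac = {}
    for addr, dev, mac, _state in parse_neigh(neigh_text):
        if dev == lan_dev and addr in net:
            per_mac.setdefault(mac, set()).add(addr)
    return {mac: len(addrs) for mac, addrs in per_mac.items()}


if __name__ == "__main__":
    # Hypothetical prefix and interfaces; on a real firewall the text would come
    # from running `ip -6 neigh show` rather than from SAMPLE_NEIGH.
    for cmd in proxy_commands(SAMPLE_NEIGH, "2001:db8:1234:5678::/64", "eth1", "eth0"):
        print(cmd)
    print(addresses_per_host(SAMPLE_NEIGH, "2001:db8:1234:5678::/64", "eth1"))
```

Entries learnt on the ISP-facing interface (the router's own prefix::1) must never be proxied back towards the router, which is why the command list is restricted to `lan_dev`; the FAILED entry is dropped because it carries no link-layer address and therefore no evidence that the host exists.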