* [IPv6] Proxy NDP for subnetwork (instead of host)
@ 2011-04-26 20:30 Vincent Danjean
From: Vincent Danjean @ 2011-04-26 20:30 UTC (permalink / raw)
To: linux-kernel
Hi,
First, the main question: I did not find a way to do proxy_ndp for
an entire network (instead of per host). Did I miss something? Would
it not be useful for linux to allow it? Is there something (an RFC, a
technical limitation) that forbids it?
Then, a more detailed explanation.
I set up an IPv6 tunnel with Hurricane. Hurricane provides a tunnel endpoint
through which it routes another full /48 IPv6 network. This allows me to set up
my firewall with the rules I want and to have several IPv6 (sub)networks at
home: at least one for the wifi and one for the wired DMZ. All is good except
for the fact that this is a tunneled IPv6 connection, not a native one.
My ISP also provides "native" IPv6 (in fact, this is 6rd). Their
router advertises a /64 network (even if a /60 seems to be really routed).
The problem is that the ISP router is itself on this network (prefix::1)
and it thinks that all machines on this network are seen directly by it
(i.e. there is only a flat network).
However, what I would like is this kind of topology:
ISP router ----- firewall ----- internal hosts
But, for this to work, I need the firewall to do proxy NDP for all
internal hosts.
Currently, the only way to do this I found is to add *all* IPs from
the internal network one by one to the firewall proxy NDP:
    firewall> for IP in $all_IP_in_internal_network; do
                  ip neigh add proxy "$IP" dev eth0
              done
This is not very interesting. Each time someone connects to
my network (friends who come to my home), I would need to reconfigure
the firewall. Moreover, this is not compatible with
net.ipv6.conf.default.use_tempaddr=2, which generates new IPv6 addresses
for each outbound connection.
This is why I stick to the Hurricane tunnel instead of using my
native IPv6 ISP connection for now.
So, I come back to my initial question: what do you think of
the possibility of doing something like "ip neigh add proxy $IP/64 dev eth0"
so that the firewall does proxy NDP for the whole /64 network?
Regards,
Vincent
PS: even though I read the list, I would welcome being CC'd on answers.
--
Vincent Danjean GPG key ID 0x9D025E87 vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://people.debian.org/~vdanjean/debian unstable main
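An added example, not part of Vincent's mail: a small Python helper that mirrors the firewall's internal neighbour table into proxy NDP entries on the ISP-facing interface, so the per-host loop above does not have to be re-run by hand when a guest joins or a temporary address appears. It assumes eth0 faces the ISP router and eth1 the internal hosts (as in the topology above), and that net.ipv6.conf.eth0.proxy_ndp=1 and net.ipv6.conf.all.forwarding=1 are already set; the neighbour-table lines are constructed sample output and 2001:db8:1::/64 is a documentation prefix standing in for the ISP's /64.

```python
import ipaddress
import subprocess

LIVE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT", "NOARP"}  # host really answered

# Constructed sample of `ip -6 neigh show dev eth1` on the firewall's internal side
# (2001:db8:1::/64, the documentation prefix, stands in for the ISP's /64).
SAMPLE_NEIGH = """\
2001:db8:1:0:2e44:fdff:fe12:3456 lladdr 2c:44:fd:12:34:56 REACHABLE
2001:db8:1:0:9c1e:8b2a:77d0:4f21 lladdr 2c:44:fd:12:34:56 STALE
2001:db8:1::dead lladdr 00:11:22:33:44:55 router STALE
2001:db8:1:0:abcd::1 FAILED
fe80::2e44:fdff:fe12:3456 lladdr 2c:44:fd:12:34:56 REACHABLE
2001:db8:2::5 lladdr 00:aa:bb:cc:dd:ee REACHABLE
"""
# Constructed sample of `ip -6 neigh show proxy dev eth0`: one entry already proxied.
SAMPLE_PROXY = "2001:db8:1::dead dev eth0 proxy\n"

def live_neighbours(neigh_dump, prefix):
    """Addresses inside `prefix` with a resolved entry. Link-local and unresolved
    (INCOMPLETE/FAILED) entries are skipped: never proxy an address nobody is using."""
    net = ipaddress.IPv6Network(prefix)
    hosts = set()
    for line in neigh_dump.splitlines():
        fields = line.split()  # the NUD state is always the last field
        if len(fields) < 2 or fields[-1] not in LIVE_STATES:
            continue
        addr = ipaddress.IPv6Address(fields[0])
        if not addr.is_link_local and addr in net:
            hosts.add(addr)
    return hosts

def current_proxies(proxy_dump):
    """Addresses already in the proxy table (first field of each line)."""
    return {ipaddress.IPv6Address(l.split()[0]) for l in proxy_dump.splitlines() if l.strip()}

def sync_commands(neigh_dump, proxy_dump, prefix, ext_if):
    """Commands adding a proxy entry on ext_if for each live host not yet proxied.
    Only adds: the kernel garbage-collects quiet neighbours, and deleting their
    proxy entry when they drop out of the table would cut off idle hosts."""
    missing = live_neighbours(neigh_dump, prefix) - current_proxies(proxy_dump)
    return [f"ip -6 neigh add proxy {a} dev {ext_if}" for a in sorted(missing)]

def sync(int_if, ext_if, prefix, dry_run=True):
    """Read both tables from the running kernel and print (or apply) the delta."""
    show = lambda *a: subprocess.run(["ip", "-6", "neigh", "show", *a], capture_output=True, text=True, check=True).stdout
    for cmd in sync_commands(show("dev", int_if), show("proxy", "dev", ext_if), prefix, ext_if):
        print(cmd)
        if not dry_run:
            subprocess.run(cmd.split(), check=True)
```

Run sync("eth1", "eth0", "2001:db8:1::/64") from cron or a netlink-triggered hook; with dry_run=False it applies the missing entries as root.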