netdev.vger.kernel.org archive mirror
From: Lukasz Stelmach <stlman@poczta.fm>
To: netdev@vger.kernel.org
Subject: Re: ipv6 source address selection in addrconf.c (2.6.17)
Date: Thu, 22 Jun 2006 00:57:56 +0200
Message-ID: <4499CEF4.2050308@poczta.fm>
In-Reply-To: <44994CB3.6070302@poczta.fm>

Lukasz Stelmach wrote:
> Lukasz Stelmach wrote:
> 
>> [...] when trying to connect to
>>
>> 2001:200:0:8002:203:47ff:fea5:3085 (www.kame.net)
>>
>> with two global addresses assigned to the ethernet card
>>
>> fd24:6f44:46bd:face::254
>> 2002:531f:d667:face::254
>>
>> rule 8 does not work and the first address is chosen.
> 
> The answer is that fc00::/7 matches 2001:: better because it gets the same
> label (ipv6_saddr_label()). Although fc00::/7 addresses are defined as global
> unicast IMHO they should be treated *slightly* differently. This is the patch.
> Since 6to4 has its own label I have decided to assign one to Teredo too.

There still, however, remains one issue. Additional labels prevent the kernel from
selecting fc00::/7 prematurely. But there is no way to stop it from selecting
it in rule 7. A wrong assumption has been made that there is only one
"private" address per interface and it is always the best choice. If there are
four addresses on the interface:

fd24:6f44:46bd:face:EUI64 fd24:6f44:46bd:face:RANDOM
and
2002:531f:d667:face:EUI64 2002:531f:d667:face::RANDOM

there seems to be no way to prefer 2002:: over fc00:: in rule 7 and it will be
selected as long as it is before 2002:: on the list. I can see here that an
implicit assumption has been made that an interface either is multihomed or
"private". The seventh rule should not IMHO break the whole process of
selection but rather mark as selectable all "private" (random) addresses. And
it should rather be done before rule 6.

Yet another issue with privacy enhancement is how not to choose "private"
address (let's even forget for a moment about fc00::/7) when connecting to
certain hosts or networks. For example I would like to hide MAC addresses of my
client machines when connecting to some foreign servers but I want to see
permanent addresses in the logfiles of my servers. Maybe even use them to
create some ACLs. This is an interesting case.


Kind regards,
-- 
It was a great pleasure.                The fourth common disaster, [...]
>Łukasz<                      No longer Catholic but thieving.  (c)PP
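
The label behaviour discussed in this message, as an added example (not code from the message, the patch, or the kernel's addrconf.c): it models only rule 6 (matching label) and rule 8 (longest matching prefix) of RFC 3484 for the two source addresses and the destination quoted above. The function names and the label value 5 for fc00::/7 are assumptions of this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
/* RFC 3484 default labels; row 6 (fc00::/7, label 5) is an assumption, used only when n=6. */
static const struct { const char *prefix; int len, label; } tbl[] = {
    {"::1", 128, 0}, {"::", 0, 1}, {"2002::", 16, 2},
    {"::", 96, 3}, {"::ffff:0:0", 96, 4}, {"fc00::", 7, 5},
};

/* Number of leading bits two addresses share. */
static int common_bits(const struct in6_addr *a, const struct in6_addr *b) {
    for (int i = 0; i < 128; i++)
        if ((a->s6_addr[i / 8] ^ b->s6_addr[i / 8]) & (0x80 >> (i % 8))) return i;
    return 128;
}

/* Label of the longest prefix among the first n rows that covers addr. */
static int label_of(int n, const struct in6_addr *addr) {
    int best = -1;
    for (int i = 0; i < n; i++) {
        struct in6_addr p;
        inet_pton(AF_INET6, tbl[i].prefix, &p);
        if (common_bits(&p, addr) >= tbl[i].len && (best < 0 || tbl[i].len > tbl[best].len))
            best = i;
    }
    return best < 0 ? -1 : tbl[best].label;
}

/* Rule 6, then rule 8; ties keep the earlier address. Returns an index into srcs, or -1. */
int select_source(int n, const char **srcs, int ns, const char *dst) {
    struct in6_addr d, s;
    int best = -1, best_match = 0, best_bits = 0;
    if (inet_pton(AF_INET6, dst, &d) != 1) return -1;
    for (int i = 0; i < ns; i++) {
        if (inet_pton(AF_INET6, srcs[i], &s) != 1) return -1;
        int match = label_of(n, &s) == label_of(n, &d);  /* rule 6 */
        int bits = common_bits(&s, &d);                  /* rule 8 */
        if (best < 0 || match > best_match || (match == best_match && bits > best_bits)) {
            best = i; best_match = match; best_bits = bits;
        }
    }
    return best;
}

int main(void) {
    const char *srcs[] = {"fd24:6f44:46bd:face::254", "2002:531f:d667:face::254"};
    const char *dst = "2001:200:0:8002:203:47ff:fea5:3085";
    printf("RFC 3484 labels:     %s\n", srcs[select_source(5, srcs, 2, dst)]);
    printf("with fc00::/7 label: %s\n", srcs[select_source(6, srcs, 2, dst)]);
    return 0;
}
```

With the default rows the fd24:: address shares the destination's label and wins in rule 6; with a separate fc00::/7 label neither source matches, so rule 8 decides and the 2002:: address (14 common bits against 0) is chosen.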

