lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 30 Nov 2011 01:21:56 +0100
From:	Krzysztof Olędzki <ole@....pl>
To:	Jan Engelhardt <jengelh@...ozas.de>
CC:	Ulrich Weber <ulrich.weber@...hos.com>,
	Amos Jeffries <squid3@...enet.co.nz>,
	"sclark46@...thlink.net" <sclark46@...thlink.net>,
	"kaber@...sh.net" <kaber@...sh.net>,
	"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [RFC PATCH 00/18] netfilter: IPv6 NAT

On 2011-11-29 23:21, Jan Engelhardt wrote:
>
> On Tuesday 2011-11-29 22:38, Krzysztof Olędzki wrote:
>>>
>>> Same network prefix, some cookies, or a login form. Blam, identified,
>>> or at least (Almost-)Uniquely Identified Visitor tagging.
>>
>> But without NAT you have pretty big chance to have the same IPv6 *suffix*
>> everywhere, based on you MAC address.
>
> Everywhere? No, one small village of indomitable Gauls.^^^^^^^^W
>
> $ ip a
> 2: eth0:<BROADCAST,MULTICAST,UP,LOWER_UP>  mtu 1500 qdisc mq state UP qlen 1000
>      link/ether 00:0d:93:9e:08:78 brd ff:ff:ff:ff:ff:ff
>      inet6 2001:638:600:8810:d070:3a36:464e:b3db/64 scope global temporary dynamic
>         valid_lft 583732sec preferred_lft 64732sec
>      inet6 2001:638:600:8810:d9f5:18f5:4fc1:9a20/64 scope global temporary deprecated dynamic
>         valid_lft 497938sec preferred_lft 0sec
>      [...]
>
> Same suffix? Certainly not with contemporary configurations (and
> Linux did this quite on its own there). In fact, now that there is
> almost v6-NAT in the kernel, I fear that users who are blinded by NAT
> now make the problem worse by actually feeding perfectly good Privacy
> Extension Addresses into a n:1-configured SNAT/MASQUERADE target
> instead of a NETMAP.

What if:

1. You or your users don't have modern OS on your device so there is no 
DHCPv6 or rfc3041/4941 support?

2. It is not enabled by default and you are not aware of this?

3. You need to have static addresses in your network for access control?

Best regards,

			Krzysztof Olędzki
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ