lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 01 Dec 2011 08:01:54 +0100
From:	Krzysztof Olędzki <ole@....pl>
To:	Jan Engelhardt <jengelh@...ozas.de>
CC:	Ulrich Weber <ulrich.weber@...hos.com>,
	Amos Jeffries <squid3@...enet.co.nz>,
	"sclark46@...thlink.net" <sclark46@...thlink.net>,
	"kaber@...sh.net" <kaber@...sh.net>,
	"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [RFC PATCH 00/18] netfilter: IPv6 NAT

On 2011-11-30 11:07, Jan Engelhardt wrote:
>
> On Wednesday 2011-11-30 01:21, Krzysztof Olędzki wrote:
>>>>
>>>>>> However with NAT you could get some kind of anonymity.
>>>>
>>>> But without NAT you have pretty big chance to have the same IPv6
>>>> *suffix* everywhere, based on you MAC address. without NAT you have
>>>> pretty big chance to have the same IPv6 *suffix* everywhere, based on
>>>> you MAC address.
>>>
>>> Same suffix? Certainly not with [PrivExt...]
>>
>> What if:
>>
>> 1. You or your users don't have modern OS on your device so there is no
>> DHCPv6 or rfc3041/4941 support?
>
> Dedicated separate program (that's what you would probably do on
> Windows XP which lacks DHCPv6, PrivExt and also does not even allow
> manually setting an address via GUI).

Too much effort. Really.

>> 3. You need to have static addresses in your network for access control?
>
> Access control can be done based on MAC within a broadcast domain so
> you don't have to eschew Privacy Extensions if you can do so.

Maybe if you have a very small network - just one or two subnets, one 
router... Again - maybe. It is definitely not going to work on a large, 
multisite network with many intermediate routers.

All you can do on edge devices is checking client's MAC, requring 802.1X 
and making sure that IP matches MAC (and possibly DHCP lease) and 
similar things.

Best regards,

				Krzysztof Olędzki
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ