[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4DB72B7B.6060408@danjean.fr>
Date: Tue, 26 Apr 2011 22:30:51 +0200
From: Vincent Danjean <vincent@...jean.fr>
To: linux-kernel@...r.kernel.org
Subject: [IPv6] Proxy NDP for subnetwork (instead of host)
Hi,
First, the main question: I did not find a way to do proxy_ndp for
an entire network (instead of per host). Did I miss something ? Would
not it be useful for linux to allow it ? Is there something (a RFC, a
technical limitation) that forbid it ?
Then, a more detailed explanation.
I setup a IPv6 tunnel with Hurricane. Hurricane provides a tunnel endpoint
in which it routes another full /48 IPv6 network. This allow me to setup
my firewall with the rules I want and to have several IPv6 (sub)network at
home: at least one for the wifi and one for the wired-DMZ. All is good but
the fact that this is a tunneled IPv6 connection, not a native one.
My ISP also provides "native" IPv6 (in fact, this is 6rd). Their
router advices a /64 network (even if a /60 seems really routed).
The problem is that the ISP router is itself on this network (prefix::1)
and it thinks that all machines on this network is seen directly by it
(ie there is only a flat network).
However, what I would like is this kind of topology:
ISP router ----- firewall ----- internal hosts
But, for this to work, I need that the firewall do proxy NDP for all
internal hosts.
Currently, the only way to do this I found is to add *all* IP from
the internal network one by one to the firewall proxy NDP:
firewall> for IP in $all_IP_in_internal_network; do
ip neigh add proxy $IP dev eth0 ;
done
This is not very interesting. Each time someone connects to
my network (friends that come at home), I would need to reconfigure
the firewall. Moreover, this is not compatible with
net.ipv6.conf.default.use_tempaddr=2 that generate new IPv6 addresses
for each outbound connection.
This is why I stick to the Hurricane tunnel instead of using my
native IPv6 ISP connection for now.
So, I come back to my initial question: what do you think to
the possibility to do something like "ip neigh add proxy $IP/64 dev eth0"
so that the firewall do proxy NDP for the whole /64 network ?
Regards,
Vincent
PS: even if I read the list, I would welcome to be CC for answer.
--
Vincent Danjean GPG key ID 0x9D025E87 vdanjean@...ian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://people.debian.org/~vdanjean/debian unstable main
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists