Netgate Discussion Forum

Globally unidentifiable intranet users with ipv6 based access restrictions

DHCP and DNS
25 Posts 4 Posters 2.8k Views
    girtsd
    last edited by Jul 17, 2017, 12:52 PM

    @johnpoz:

    "I could have the same network (LAN), have both ULAs and GUAs"

    So you want to run multiple Layer 3s on the same layer 2?  What?  That is also just plain Borked!!

    What is actually your concern here, why can a client not talk to the internet via its address?  Normally this would be a temporary address it would use for that; it will change it in a bit and when it talks to somewhere else it will use a different one, etc.  For you to talk to it you would use its assigned ipv6 address, which you would assign via dhcpv6; this is the perm address.

    Ok, so: I want to have addresses from 2 different networks on the same interface for all my hosts. I need to control what resources the hosts access and I do it via IP based firewall rules. If I write up rules based on the host addresses and they just change their address (hosts will almost always use privacy addresses as source), the rules are in vain.
    If I want the hosts to access inside resources (let's say a Time Capsule for macOS backups) I want to control who can access them. Let's say writing a firewall rule that allows all Macs to that server, but denies access to all Windows and Linux hosts. If they change their addresses, then this rule is useless. The only way to enforce this rule is to only let the hosts have one static address for the network which is used for inside communications, since otherwise the hosts will just use privacy addresses and bypass all my rules.
    The GUA prefix on the other hand is for global communications. For that the hosts will generate their privacy addresses and rotate them, protecting themselves from identification from the global network.

    Don't assume! VERIFY!

      awebster
      last edited by Jul 17, 2017, 1:38 PM

      So you want to run multiple Layer 3s on the same layer 2?  What?  That is also just plain Borked!!

      I'm unsure why you think this is not a good idea?  RFC6724 specifically addresses the case where an IPv6 host is multi-homed, with multiple prefixes on an interface.  Whether the prefixes are ULA or GUA doesn't really matter, just the fact that there is more than one address, and semantically it is no different than the link-local address fe80::.
      Admittedly multiple L3s, on the surface, sounds confusing, but the specs deal with this. 
      Don't forget that one of the main reasons why we think multiple L3s is a "bad idea" is that in an IPv4 network there is no source address selection mechanism, making it a shot in the dark at best.
      After 25 years, our brains are so hard-wired with IPv4 techniques and "best-practices", it is hard to adapt to some of the radically different underpinnings of IPv6, but this is the challenge we face.

      Ultimately the host has to decide which address to use when speaking to a client, and if RFC6724 is TL;DR, then if nothing else, just look at section 10.

      –A.

        JKnott
        last edited by Jul 17, 2017, 2:21 PM

        So you want to run multiple Layer 3s on the same layer 2?  What?  That is also just plain Borked!!

        Actually, no.  A couple of weeks back I enabled a Unique Local Address prefix on my network, so I now have 2 prefixes on my devices, in addition to link local.  Even with IPv4, it was possible to have an alias address on an interface.  IPv6 is designed to support this properly.  You could even have multiple routers advertising different prefixes and it will all work.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          johnpoz LAYER 8 Global Moderator
          last edited by Jul 17, 2017, 3:23 PM

          While I will be the first to admit to the point of having to forget ipv4 when thinking about ipv6.. It really is a whole new ball game.  But to me a ULA is not the same as link local; link local does not route across L2 boundaries, while a ULA can.. ULA is more like an ipv4 rfc1918 address.  You can route it across your local private network all you want - but the addresses do not route across the global network.

          And I will also admit I have not spent much time working/playing or even investigating ULA.. Will for sure take a look at the rfc linked to.  How does the device determine that it should use its global vs its ULA address?  I assume it could think "well, the dest address is global so use a global address; oh, the address is ula so use my ula address" would be my guess at it.  But again will admit I have not investigated that sort of scenario.  This points directly to your good statement of

          "IPv4 network there is no source address selection mechanism"

          I had not run into a scenario where you could just not use your global IPv6 address across the board..  Both for internal local networks and global access..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            JKnott
            last edited by Jul 17, 2017, 3:38 PM

            @johnpoz:

            While I will be the first to admit to the point of having to forget ipv4 when thinking about ipv6.. It really is a whole new ball game.  But to me a ULA is not the same as link local; link local does not route across L2 boundaries, while a ULA can.. ULA is more like an ipv4 rfc1918 address.  You can route it across your local private network all you want - but the addresses do not route across the global network.

            And I will also admit I have not spent much time working/playing or even investigating ULA.. Will for sure take a look at the rfc linked to.  How does the device determine that it should use its global vs its ULA address?  I assume it could think "well, the dest address is global so use a global address; oh, the address is ula so use my ula address" would be my guess at it.  But again will admit I have not investigated that sort of scenario.  This points directly to your good statement of

            "IPv4 network there is no source address selection mechanism"

            I had not run into a scenario where you could just not use your global IPv6 address across the board..  Both for internal local networks and global access..

            ULAs are used pretty much the same as RFC1918 addresses and, as you say, they're routable but not to the Internet.  One thing I spend a lot of time doing is using Wireshark to see exactly what's happening on the wire.  When choosing between GUA and ULA, if you provide a ULA address, then that's what will be used.  Basic routing rules etc.  IPv4 and IPv6 link local addresses are similar in that they are confined to the local link (I guess that's why they're called "link local".  ;) )

            While I have experimented with IPv4 link local, the only use I've ever had for it is with my TP Link switch I mentioned in the other thread.  I configured it with a static link local address (yeah, I know that violates the RFC) so that when I use the switch to monitor a circuit, it won't send out frames that might interfere with the network.  The computer runs duplicate address detection when first connected to the switch and keeps quiet after that.  So, I connect to the switch first and then connect the switch into the circuit. I also have TP Link's version of spanning tree turned off, for the same reason.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

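As an added example (not code from this thread or from pfSense), here is a Python model of the RFC 6724 source address selection rules awebster points to, run against a constructed host that holds a stable GUA, a temporary (privacy) GUA, a ULA and a link-local address. It reproduces JKnott's observation that a ULA destination gets the ULA source, and girtsd's problem that an Internet destination gets the rotating temporary address rather than the DHCPv6-assigned one, so a firewall rule keyed on the stable GUA never matches that traffic. The addresses are constructed, and rules 3 to 5 (deprecated, home address, outgoing interface) are assumed neutral.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# RFC 6724 section 2.1 default policy table, labels only (precedence is used
# for destination ordering, which source selection does not need).
POLICY_LABELS = [(IPv6Network(p), lab) for p, lab in (
    ("::1/128", 0), ("::/0", 1), ("::ffff:0:0/96", 4), ("2002::/16", 2),
    ("2001::/32", 5), ("fc00::/7", 13), ("::/96", 3), ("fec0::/10", 11),
    ("3ffe::/16", 12))]

@dataclass(frozen=True)
class Candidate:
    addr: IPv6Address
    temporary: bool = False   # RFC 4941 privacy (temporary) address

def label(a: IPv6Address) -> int:
    """Longest-prefix match in the policy table; ULA (fc00::/7) gets label 13."""
    return max((r for r in POLICY_LABELS if a in r[0]), key=lambda r: r[0].prefixlen)[1]

def scope(a: IPv6Address) -> int:
    """RFC 6724 treats ULA as global scope (0xE); only fe80::/10 is link-local (0x2)."""
    return 0x2 if a.is_link_local else 0xE

def select_source(dst: IPv6Address, candidates: list[Candidate]) -> Candidate:
    """Rank candidates by RFC 6724 rules 1, 2, 6, 7 and 8 (rules 3-5 assumed neutral)."""
    def rank(c: Candidate):
        scope_ok = scope(c.addr) >= scope(dst)
        return (
            c.addr == dst,                                    # rule 1: same address
            scope_ok,                                         # rule 2: scope large enough...
            (-scope(c.addr) if scope_ok else scope(c.addr)),  # ...then smallest sufficient
            label(c.addr) == label(dst),                      # rule 6: matching label
            c.temporary,                                      # rule 7: prefer temporary
            128 - (int(c.addr) ^ int(dst)).bit_length(),      # rule 8: longest common prefix
        )
    return max(candidates, key=rank)

# Constructed host: stable GUA (e.g. from DHCPv6), temporary GUA, ULA, link-local.
HOST = [
    Candidate(IPv6Address("2001:db8:1::10")),
    Candidate(IPv6Address("2001:db8:1::a1b2:c3d4"), temporary=True),
    Candidate(IPv6Address("fd12:3456:789a::10")),
    Candidate(IPv6Address("fe80::10")),
]
def choose(dst: str, host=HOST) -> str:
    """Source address (as text) the constructed host would pick for dst."""
    return str(select_source(IPv6Address(dst), host).addr)
if __name__ == "__main__":
    for d in ("fd12:3456:789a:1::20", "2001:db8:ffff::1", "fe80::2"):
        print(f"{d:24} -> {choose(d)}")
```

A rule that must match a host's outbound Internet traffic therefore has to key on the prefix (or disable temporary addresses on the host), while rules for ULA-addressed internal services can key on the host's single stable ULA.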
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.