05-08-2011, 03:33 PM
Martin Zobel-Helas

Privacy Extensions for Stateless Address Autoconfiguration in IPv6 in wheezy as default?

Hi,

I currently wonder if Debian should implement RFC 4941 as default for
wheezy.


Background: IPv6 configured via router advertisement will use the
hardware address of the ethernet card to encode the IPv6 address. This
raises privacy issues, such as being able to track each single device.

I therefore wonder if Debian should be shipped with the privacy
extensions for stateless address autoconfiguration on IPv6 by default
starting with wheezy.

I would like to hear other developers' opinions on this issue before
proposing this as a release goal for wheezy.


Cheers,
Martin
--
Martin Zobel-Helas <zobel@debian.org> | Debian System Administrator
Debian & GNU/Linux Developer | Debian Listmaster
GPG key http://go.debian.net/B11B627B |
GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110508153342.GE9801@ftbfs.de
 
05-09-2011, 09:34 AM
Vincent Danjean

On 08/05/2011 17:33, Martin Zobel-Helas wrote:
> I currently wonder if Debian should implement RFC 4941 as default for
> wheezy.
[...]
> I would like to hear other developers' opinions on this issue before
> proposing this as a release goal for wheezy.

RFC 4941 is a problem if you want to use IPv6 and proxy NDP,
at least until the kernel allows proxying a network instead of hosts.
This does not seem to be the case for now:
http://marc.info/?l=linux-kernel&m=130385156131530&w=2


Note: proxy NDP is required when your provider gives you a flat /64
(i.e. its router is in your /64, generally prefix::1, and it tries to talk
directly to any host of your /64 network)
and you want to have subnetworks (one for wifi, one for your DMZ, ...)

Regards,
Vincent

>
>
> Cheers,
> Martin


--
Vincent Danjean GPG key ID 0x9D025E87 vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://people.debian.org/~vdanjean/debian unstable main


Archive: http://lists.debian.org/4DC7B53C.9010101@free.fr

05-09-2011, 09:53 AM
Henrique de Moraes Holschuh

On Mon, 09 May 2011, Vincent Danjean wrote:
> On 08/05/2011 17:33, Martin Zobel-Helas wrote:
> > I currently wonder if Debian should implement RFC 4941 as default for
> > wheezy.
> [...]
> > I would like to hear other developers' opinions on this issue before
> > proposing this as a release goal for wheezy.
>
> RFC 4941 is a problem if you want to use IPv6 and proxy NDP,
> at least until the kernel allows proxying a network instead of hosts.
> This does not seem to be the case for now:
> http://marc.info/?l=linux-kernel&m=130385156131530&w=2
>
>
> Note: proxy NDP is required when your provider gives you a flat /64
> (i.e. its router is in your /64, generally prefix::1, and it tries to talk
> directly to any host of your /64 network)
> and you want to have subnetworks (one for wifi, one for your DMZ, ...)

We've been trying to avoid that kind of bad practice here in Brazil,
through an effort to get ISPs to understand you do NOT issue /64 to
clients in the various NANOG-like (locally called "GTER") encounters
throughout the year.

It is an uphill battle. Time for an informational RFC, perhaps? It
does help to point people at an RFC, where all technical arguments are
fully written down and explained.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


Archive: http://lists.debian.org/20110509095317.GA21471@khazad-dum.debian.net

05-09-2011, 10:51 AM
Arnd Hannemann

Hi,

On 09.05.2011 11:34, Vincent Danjean wrote:
> On 08/05/2011 17:33, Martin Zobel-Helas wrote:
>> I currently wonder if Debian should implement RFC 4941 as default for
>> wheezy.
> [...]
>> I would like to hear other developers' opinions on this issue before
>> proposing this as a release goal for wheezy.
>
> RFC 4941 is a problem if you want to use IPv6 and proxy NDP,
> at least until the kernel allows proxying a network instead of hosts.
> This does not seem to be the case for now:
> http://marc.info/?l=linux-kernel&m=130385156131530&w=2

But if anyone has enough knowledge to set up proxy NDP, he should
be able to disable the privacy extension on his client hosts, too.
Also, wouldn't using DHCPv6 solve this problem as well?

It's really good to know that there exists such a problem with Privacy Extension
and Linux gateways, but IMO it shouldn't hinder the deployment
of privacy extensions as default for wheezy.

Best regards
Arnd


Archive: http://lists.debian.org/4DC7C732.1020801@arndnet.de

05-09-2011, 11:19 AM
Vincent Danjean

On 09/05/2011 12:51, Arnd Hannemann wrote:
> Hi,
>
> On 09.05.2011 11:34, Vincent Danjean wrote:
>> RFC 4941 is a problem if you want to use IPv6 and proxy NDP,
>> at least until the kernel allows proxying a network instead of hosts.
>> This does not seem to be the case for now:
>> http://marc.info/?l=linux-kernel&m=130385156131530&w=2
>
> But if anyone has enough knowledge to set up proxy NDP, he should
> be able to disable the privacy extension on his client hosts, too.

It is not the problem of knowing how to do it. It is the problem of
doing it by default. And I do not have a strong opinion on the
problem. For info, I set up privacy extension on my laptop but
I use a (Hurricane) IPv6 tunnel instead of using the /64 given
by my ISP.

> Also, wouldn't using DHCPv6 solve this problem as well?

DHCPv6 is useful when you do not want to use auto-configuration.
It can be the case if you would like several networks with
auto-configuration in a /64: DHCPv6 seems the only way to go in
this case. If you want only one subnetwork with autoconfiguration
and you have only a /64, you should be able to create a correct
routing table on your firewall.

It does not solve the proxy NDP (here, the problem is for the
ISP gateway that makes false assumptions about the network layout,
not for the other host that can easily be instructed to have
a default route to the good host)

I just realized that, perhaps, you want to say that privacy
extension is disabled when you are using DHCPv6? I did not
test it, so I do not know if this is right or not.

> It's really good to know that there exists such a problem with Privacy Extension
> and Linux gateways, but IMO it shouldn't hinder the deployment
> of privacy extensions as default for wheezy.

Another problem is for firewalls that want to do strict
controls (i.e. also filtering outgoing connections). But here
again, there will be default rules for all clients. Or, if
special rules are required for a client, the client can be
reconfigured to avoid using Privacy Extension.

But I repeat, I just want to talk about these issues. I'm not
convinced myself they should block privacy extensions enabled
by default.

Regards,
Vincent

> Best regards
> Arnd
>

PS: no need to CC me

--
Vincent Danjean Adresse: Laboratoire d'Informatique de Grenoble
Téléphone: +33 4 76 61 20 11 ENSIMAG - antenne de Montbonnot
Fax: +33 4 76 61 20 99 ZIRST 51, avenue Jean Kuntzmann
Email: Vincent.Danjean@imag.fr 38330 Montbonnot Saint Martin


Archive: http://lists.debian.org/4DC7CDC7.6030304@free.fr

05-09-2011, 11:24 AM
Vincent Danjean

On 09/05/2011 11:53, Henrique de Moraes Holschuh wrote:
> On Mon, 09 May 2011, Vincent Danjean wrote:
>> On 08/05/2011 17:33, Martin Zobel-Helas wrote:
>> Note: proxy NDP is required when your provider gives you a flat /64
>> (i.e. its router is in your /64, generally prefix::1, and it tries to talk
>> directly to any host of your /64 network)
>> and you want to have subnetworks (one for wifi, one for your DMZ, ...)
>
> We've been trying to avoid that kind of bad practice here in Brazil,
> through an effort to get ISPs to understand you do NOT issue /64 to
> clients in the various NANOG-like (locally called "GTER") encounters
> throughout the year.
>
> It is an uphill battle. Time for an informational RFC, perhaps? It
> does help to point people at an RFC, where all technical arguments are
> fully written down and explained.

Given the fact that the provider is the French ISP Free/Proxad (the
one that invented the 6rd technique), I really doubt that this is not
a deliberate choice on their part. But if anything can convince them
to modify their practice, it would be a very good thing.

Regards,
Vincent

PS: no need to CC me


Archive: http://lists.debian.org/4DC7CEE8.5080006@free.fr

05-09-2011, 12:34 PM
Bastian Blank

On Mon, May 09, 2011 at 12:51:30PM +0200, Arnd Hannemann wrote:
> Also, wouldn't using DHCPv6 solve this problem as well?

The way to go is DHCPv6-PD.

Bastian

--
Our missions are peaceful -- not for conquest. When we do battle, it
is only because we have no choice.
-- Kirk, "The Squire of Gothos", stardate 2124.5


Archive: http://lists.debian.org/20110509123436.GA4342@wavehammer.waldi.eu.org

05-09-2011, 02:51 PM
Henrique de Moraes Holschuh

On Mon, 09 May 2011, Bjørn Mork wrote:
> Henrique de Moraes Holschuh <hmh@debian.org> writes:
> > We've been trying to avoid that kind of bad practice here in Brazil,
> > through an effort to get ISPs to understand you do NOT issue /64 to
> > clients in the various NANOG-like (locally called "GTER") encounters
> > throughout the year.
> >
> > It is an uphill battle. Time for an informational RFC, perhaps? It
> > does help to point people at an RFC, where all technical arguments are
> > fully written down and explained.
>
> Allocating /48, /56 or /64 for end users is not a technical discussion.
> The arguments may be pseudo-technical, but that's only an attempt to
> obscure the real issue: market segmentation.

I assure you that is not what I heard from the big operators and
not-so-big ISPs enabling experimental IPv6 access to their users. They
did not want to 'waste IPv6' (IPv4-shortage-induced paranoia), and some
were also worried that it would force users to have IPv6 routers if they
got anything bigger than a /64, etc.

Might not always be the case, obviously. But it often is IME.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


Archive: http://lists.debian.org/20110509145111.GC13275@khazad-dum.debian.net
 
