Gentoo Forums
Filtering fe80::/10
wswartzendruber
Veteran


Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA

Posted: Mon Jun 18, 2012 4:45 am    Post subject: Filtering fe80::/10

What are the link-local addresses used for? I prefer to keep tight firewall restrictions on both IPv4 and IPv6 stacks. IPv4 is straightforward, but IPv6 introduces some peculiar features.
ali3nx
l33t


Joined: 21 Sep 2003
Posts: 676
Location: Winnipeg, Canada

Posted: Mon Jun 18, 2012 6:34 am    Post subject:

I'll start by admitting I'm yet to master IPv6, but I was an early adopter of it using IPv6 to IPv4 tunnels and had my own assigned /64 subnet on my internal LAN at some time several years ago.

Despite that, it's still a learning process as I was never a stalwart mathematician and subnetting in Cisco class gave me headaches :lol:

I did manage to find a few references for you that state that link-local IPv6 is a non-routable /64 subnet used only by non-routable network communications for router discovery. With that in mind, fe80:: link-local is required but not used for routable IPv6.

Essentially fe80::/64 is the IPv6 equivalent of 169.254.1.0/24

Any router designed to adhere to the IPv6 RFC should not pass fe80::/64 across the edge router.

https://en.wikipedia.org/wiki/Link-local_address#IPv6

https://tools.ietf.org/html/rfc4291#section-2.5.6
_________________
Compiling Gentoo since version 1.4
Thousands of Gentoo Installs Completed
Emerged on every continent but Antarctica
Compile long and Prosper!
mtfj
n00b


Joined: 17 Jun 2012
Posts: 8

Posted: Mon Jun 18, 2012 1:49 pm    Post subject: Re: Filtering fe80::/10

wswartzendruber wrote:
What are the link-local addresses used for? I prefer to keep tight firewall restrictions on both IPv4 and IPv6 stacks. IPv4 is straightforward, but IPv6 introduces some peculiar features.


As I look at my network traffic, they are used for
- router advertisement
- DHCPv6
_________________
Masatsugu FUJINAKA
wswartzendruber
Veteran


Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA

Posted: Mon Jun 18, 2012 5:12 pm    Post subject:

I suppose I should put tcpdump on the router.

EDIT: Can anyone think of any reason to filter it?
ali3nx
l33t


Joined: 21 Sep 2003
Posts: 676
Location: Winnipeg, Canada

Posted: Tue Jun 19, 2012 11:45 am    Post subject:

Based on the RFC and the design of link-local, any router should inherently filter fe80:: by default. It would be an interesting test to confirm this for a lesson in IPv6 :)
_________________
Compiling Gentoo since version 1.4
Thousands of Gentoo Installs Completed
Emerged on every continent but Antarctica
Compile long and Prosper!
mtfj
n00b


Joined: 17 Jun 2012
Posts: 8

Posted: Wed Jun 20, 2012 2:06 pm    Post subject:

ali3nx wrote:
Based on the RFC and the design of link-local, any router should inherently filter fe80:: by default. It would be an interesting test to confirm this for a lesson in IPv6 :)

Just to add this line, right?
Code:

ip6tables -A FORWARD -o ppp1 -s fe80::/10 -j DROP

_________________
Masatsugu FUJINAKA
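
An added example, not part of any post in this thread: a shell function that prints an ip6tables-restore fragment which drops link-local traffic in FORWARD (source and destination, per RFC 4291 section 2.5.6) while accepting on INPUT the router advertisement and DHCPv6 traffic mentioned above. The interface name ppp1 comes from the thread; the function name `link_local_rules`, the assumption that the router is itself a DHCPv6 client on that interface, and the choice to append to existing chains are assumptions of this example.

```shell
#!/bin/sh
# Added example: prints rules only, it does not touch the live firewall.
# Assumption: $1 is the WAN interface (ppp1 in the thread).

link_local_rules() {
    wan_if=$1
    # Refuse anything that is not a plain interface name before it is
    # embedded in a rule line.
    case $wan_if in
        ''|*[!A-Za-z0-9_.-]*)
            echo "invalid interface: $wan_if" >&2
            return 1 ;;
    esac

    echo '*filter'
    # Routers must not forward packets with a link-local source or
    # destination (RFC 4291, 2.5.6), so both directions are dropped.
    echo '-A FORWARD -s fe80::/10 -j DROP'
    echo '-A FORWARD -d fe80::/10 -j DROP'
    # Router advertisements (type 134) must come from a link-local source.
    echo '-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT'
    # Router solicitation (133), neighbor solicitation (135) and neighbor
    # advertisement (136). Hop limit 255 means the packet was never
    # forwarded, so it originated on the local link.
    for t in 133 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # DHCPv6 server (udp/547) answering this host as a client (udp/546).
    echo "-A INPUT -i $wan_if -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT"
    echo 'COMMIT'
}

# Print the fragment when the script is run with an interface argument.
if [ "$#" -ge 1 ]; then
    link_local_rules "$1"
fi
```

To check the fragment without applying it, pipe the output to `ip6tables-restore --noflush --test`. Rules appended this way only take effect if no earlier rule in the same chain already matches the packet.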