> On 09/05/2011 12:51, Arnd Hannemann wrote:
>> Hi,
>>
>> On 09.05.2011 11:34, Vincent Danjean wrote:
>>> RFC 4941 is a problem if you want to use IPv6 and proxy NDP,
>>> at least until the kernel allows proxying a network instead of hosts.
>>> This does not seem for now:
>>> http://marc.info/?l=linux-kernel&m=130385156131530&w=2
>>
>> But if anyone has enough knowledge to set up proxy NDP he should
>> be able to disable the privacy extension on its client hosts, too.
>
> It is not the problem of knowing how to do it. It is the problem of
> doing it by default. And I do not have strong opinion on the
> problem. For info, I set up privacy extension on my laptop but
> I use a (Hurricane) IPv6 tunnel instead of using the /64 given
> by my ISP.
>
>> Also, wouldn't using DHCPv6 solve this problem as well?
>
> DHCPv6 is useful when you do not want to use auto-configuration.
> It can be the case if you would like several networks with
> auto-configuration in a /64: DHCPv6 seems the only way to go in
> this case. If you want only one subnetwork with autoconfiguration
> and you have only a /64, you should be able to create a correct
> routing table on your firewall.
>
> It does not solve the proxy NDP (here, the problem is for the
> ISP gateway that makes false assumption about the network layout,
> not for the other host that can easily be instructed to have
> a default route to the good host)
>
> I just realized that, perhaps, you want to say that privacy
> extension is disabled when you are using DHCPv6? I did not
> test it, so I do not know if this is right or not.

Yes, that's exactly what I wanted to say here: if the gateway requires control
about the address assignment one probably should use DHCPv6 instead of
relying on Stateless Autoconfiguration.

>> It's really good to know that there exists such a problem with Privacy
>> Extension and Linux gateways, but IMO it shouldn't hinder the deployment
>> of privacy extensions as default for wheezy.
>
> Another problem is for firewalls that want to do strict
> controls (ie also filtering out-going connections). But here
> again, there will be default rules for all clients. Or, if
> special rules are required for a client, the client can be
> reconfigured to avoid using Privacy Extension.

Yeah, or use DHCPv6 to have more control about address assignment.

Best regards
Arnd

> PS: no need to CC me

But please CC: me, I'm not (yet) on the list.