From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from chi.subsignal.org (cxd-2-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:ed::2]) by huchra.bufferbloat.net (Postfix) with ESMTP id 34BAF21F12A for ; Mon, 10 Dec 2012 03:53:48 -0800 (PST) Received: from [192.168.178.21] (unknown [212.255.243.50]) by chi.subsignal.org (Postfix) with ESMTPSA id E6904126176; Mon, 10 Dec 2012 12:54:07 +0100 (CET) Message-ID: <50C5CD4A.8070303@openwrt.org> Date: Mon, 10 Dec 2012 12:53:46 +0100 From: Steven Barth User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0 MIME-Version: 1.0 To: Dave Taht References: <50C5C705.3060108@openwrt.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: cerowrt-devel@lists.bufferbloat.net Subject: Re: [Cerowrt-devel] Current state of ipv6 in openwrt barrier breaker X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Dec 2012 11:53:48 -0000 On 10.12.2012 12:40, Dave Taht wrote: > Well, I abhor bridging 2.4 and 5 ghz wireless together, and then there > is the ever more popular concept of a "guest" network... Yes I'm talking about the default setup of OpenWrt here which does not have a guest-interface etc. though I agree in general we will all have the problem. Though we might not want to do bridging by default we might want to think about a solution using relaying (NDP-Proxying etc.) if the /64-problem becomes critical. > >> This is how the prefix distribution works either for the ULA or the public >> prefixes. I've implemented this straight forward not looking at any >> specification as the local prefix distribution should not be mandated imo by >> any RFC. > > Heh. > >> >> * For ULA fd00::/48, the first /64 would be fd00::/64, the 2nd >> fd00:0:0:1::/64 etc. > > It would be my hope to not standardize on fd00::whatever, but to > actually generate random ones. Doing vpns between your standardized > 192.168.0.1 addresses is painful.... and with better naming, the pain > of having to remember these large numbers goes away (a bit.) Yes we do generate random ones. The first time any interfaces comes up a random ula address is generated. I just used fd00:: in this example because its the shortest one to write to demonstrate the splitting of prefixes. > >> * Padding (unused adress-space) is added if the alignment cannot be >> satisfied (e.g. one interface wants a /64, the second a /62, then there will >> be a padding or 1 /64 and 1 /63 in between). >> * If a downstream-interface goes down, its assigned prefix is preserved in >> case it later comes up again. >> * Assignments for a public prefixes are forgotten once the prefix is removed >> (e.g. wan goes down). > > My understanding is that public prefixes can be kept until the wan comes up. > That said, I'd argue in favor of expiring them as fast as possible if > ula's already exist. Sorry I don't get what you mean, maybe a misunderstanding. What I was talking about is when you have an ULA or a public prefix, lets use 2001:DB80::/48 here than e.g. your ethernet-lan gets 2001:DB80:0:1/64, wifi gets 2001:DB80:0:2/64 etc. If you then do an ifdown lan and ifup lan, the ethernet interface still still get 2001:DB80:0:1/64 and not 2001:DB80:0:3/64 etc. This apply also when other interfaces were brought up or down in between, except when the interface that provided the prefix (e.g. wan) goes down. In this case all current assignments an the prefix itself will be forgotten. In the NPT-scenario these rules will apply to the ULA-addresses, so once an interface got a part of the ULA-prefix, it will keep that prefix even if it goes down and up again. > I think randomizing would help against attacks, yes. > > Somewhat related, you could do something SLAAC-like on the inner > interface's /64. In prior versions of linux using a dhcp-like address > assignment strategy hashed badly. > > (I note that I'm more of a fan of slaac than dhcpv6)