IPv6, firewall issues and numbering schemes

Michael Kjorling michael@kjorling.com
Wed, 5 Dec 2001 10:43:50 +0100 (CET)



On Dec 5 2001 09:52 +0100, Francis Dupont wrote:

>  In your previous mail you wrote:
>
>    Is it possible to set up at least an IPv4 tunnel so that I can gain
>    external IPv6 connectivity, with this firewall still in place? Or will
>    I have to bitch at the manufacturer, or even ditch that box for
>    something more flexible?
>
> => I believe the best solution is to run PPP over UDP. I asked some
> months ago if this has to be standardized (for the port number or
> access control for instance)... PPP over UDP is very common on
> Unixes (this is a standard feature of user mode PPP on FreeBSDs)
> and/or is very easy to implement with a tunnel interface/device.

This sounds very interesting. Filtering at the tunnel endpoint is
hardly a problem; I just want to have _some_ filtering on IPv6. Also I
could try allowing all traffic from the other end of the tunnel to my
end, as Flavio Villanustre suggested. Also, another person suggested
that I just allow protocol 41 (SIP); however, the firewall won't let
me do this. I've been facing that very same obstacle when trying to
set up IPsec, but then there are not two clearly defined endpoints
which makes it a lot harder to do in a secure fashion.


>    Also if someone would care to point me to some documents specifying a
>    common or recommended IPv6 numbering scheme, that would be great.
>
> => just use the standard MAC to interface ID stuff or (if you don't
> use names which always are a better way) a small counter.
>
>    I have been thinking about using the 64-bit local part as 48 bit MAC
>    address + 16 bit counter,
>
> => I don't understand why you need something so complex...

Well, I did point it out in the next few words - the addresses do get
complicated and hard to remember.


>    but this would mean addresses that are even
>    harder to remember than usual, and may have security implications as
>    well (publishing local addresses in global DNS).
>
> => ???

I assume you mean the latter part - well, I am not sure I want my
local Ethernet addresses available to anyone capable of using
nslookup.


>    Suggestions or pointers on this topic are also greatly appreciated!
>
> => read a good book about DNS?

Actually I have read through "DNS and BIND", 4th edition, cover to
cover. And it covers very little on IPv6-in-IPv4 tunnels. None that I
have seen, in fact.

I will look, and try to learn. I tried searching the list archives for
"ppp over udp" as well but got an error message saying that htdig
could not open the configuration file. If anyone has got any good
pointers in the archive, please let me know.

Thanks everyone for your input - it is appreciated!


Michael Kjörling

-- 
Michael Kjörling  --  Programmer/Network administrator  ^..^
PGP: 95f1 074d 336d f8f0 f297 6a5b 2aa3 7bfd 8a70 e33e   \/
Internet: michael@kjorling.com -- FidoNet: 2:204/254.4

"There is something to be said about not trying to be glamorous
and popular and cool. Just be real -- and life will be real."
(Joyce Sequichie Hifler, September 13 2001, www.hifler.com)


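The quoted advice to derive the interface ID from the MAC, and the worry above about what a global DNS then reveals, can be made concrete. This is an added example in Python, not code from the thread; the prefix, MAC and zone records are constructed. It builds a modified EUI-64 address the way the "standard MAC to interface ID stuff" does, then does what anyone with nslookup could do, recover the hardware address from the published address, so a zone file can be audited for such leaks before it goes public.

```python
import ipaddress
from typing import List, Optional, Tuple


def mac_to_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC: split the MAC in
    half, insert 0xFFFE between the halves, and flip the universal/local
    bit (bit 1 of the first octet)."""
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def mac_based_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Full address from a /64 prefix and a MAC (the numbering scheme
    discussed in the thread)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface IDs are 64 bits; give a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_interface_id(mac))


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC an EUI-64-derived address reveals, or None when the
    low 64 bits do not carry the ff:fe marker. A randomly generated
    interface ID hits the marker by chance only 1 time in 65536."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


def audit_zone(records: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag (name, address, mac) for every AAAA record whose address
    embeds a hardware address; counter-based or random IDs pass."""
    leaks = []
    for name, addr in records:
        mac = embedded_mac(addr)
        if mac is not None:
            leaks.append((name, addr, mac))
    return leaks


# Constructed sample zone: one MAC-derived host, one hand-numbered host.
SAMPLE_RECORDS = [
    ("host1.example.net", str(mac_based_address("2001:db8::/64", "00:11:22:33:44:55"))),
    ("www.example.net", "2001:db8::1"),
]
```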