Re: Link-local and ACLs
Brian E Carpenter wrote:
> On 25/07/2017 19:07, Gert Doering wrote:
> > So, to stay with Tore's example, if you want to make NDP work on an IXP,
> > you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
> > up needing quite a number of lines to cover all cases
>
> Fair enough. IXPs are a bit of a special case, though.

sorta and sorta not. An ACL appropriate for an IXP would provide a template to cover pretty much most use cases, which would then be directly relevant to other specific cases like having a point-to-point connection between router A and router B and so forth.

Nick
Re: Link-local and ACLs
Hi,

On Wed, Jul 26, 2017 at 08:48:43AM +1200, Brian E Carpenter wrote:
> >> And why would ACLs be relevant for on-link traffic?
> >
> > Interface ACLs are relevant for all packets leaving or entering an
> > interface, generally...
>
> Yes, but why are they relevant except for routers? I didn't see
> anything in the original message that limited its scope to routers.
> Most nodes aren't routers. I don't expect to see ACLs on normal
> hosts.

All my hosts that are in some way Internet exposed have ACLs of some sort - call it "Windows firewall" or "FreeBSD pf(4)". Usually these implicitly understand what is needed to make ND work, but I've heard more than once about cases where Linux people blocked "everything on input except tcp/80" with ip6tables, killing ND in the process -> bam, machine fell off the net, IPv6 gone.

Gert Doering
-- NetMaster

--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
Re: Link-local and ACLs
Hi,

Thus wrote David Farmer (far...@umn.edu):

> In practice Neighbor Discovery, and other critical protocols, need
> link-local addresses to talk to other link-local addresses and some
> multicast addresses.
>
> Also, in theory a link-local address could talk to a GUA or ULA address on
> the same link. However, in practice does this really happen? If it does
> happen in practice what are the circumstances?

a) be logged in to a system only having a link-local address
b) access a service you know to be on-link by DNS name

I expect that to work. I'm not sure what you win by preventing it from working.

I usually try to have "same link, same administration", so we may have differing expectations on the trustworthiness of what is reachable via link-local. Also, "if it doesn't have a routable address its attack surface is drastically smaller".

regards,
spz
--
s...@serpens.de (S.P.Zeidler)
Re: Link-local and ACLs
On 25/07/2017 19:07, Gert Doering wrote:
> Hi,
>
> On Tue, Jul 25, 2017 at 10:41:06AM +1200, Brian E Carpenter wrote:
>> Why would you ever do it for normal traffic?
>
> I'm not sure that was a question asked in this thread :-)
>
>> And why would ACLs be relevant for on-link traffic?
>
> Interface ACLs are relevant for all packets leaving or entering an
> interface, generally...

Yes, but why are they relevant except for routers? I didn't see anything in the original message that limited its scope to routers. Most nodes aren't routers. I don't expect to see ACLs on normal hosts.

> So, to stay with Tore's example, if you want to make NDP work on an IXP,
> you need to permit fe80->fe80, fe80->GUA, etc. in your ACLs - which ends
> up needing quite a number of lines to cover all cases

Fair enough. IXPs are a bit of a special case, though.

   Brian

>
> #sh access-lists ipv6 internet-ipv6-in | inc icmp
> 20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0
> 30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255
> 40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255
> 50 permit icmpv6 any ff02::/64 135 0
> 60 permit icmpv6 fe80::/64 fe80::/64 135 0
> 70 permit icmpv6 any fe80::/64 135 0
> 80 permit icmpv6 any fe80::/64 136 0
> 90 permit icmpv6 any host ff02::1 136 0
> 100 deny icmpv6 any any 135 log
> 110 deny icmpv6 any any 136 log
>
> (Example for DECIX which uses 2001:7f8::/64 on-link)
>
> Gert Doering
> -- NetMaster
>
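To make the quoted ACL concrete, here is an added example (not code posted by anyone in this thread) that parses Gert's DECIX lines in the Cisco-style syntax shown above and evaluates constructed Neighbor Discovery packets against them: first match wins, implicit deny at the end. The sample packets use invented interface identifiers on the 2001:7f8::/64 on-link prefix and are not captures from any IX. Running the same packets against an empty ICMPv6 rule set models the "everything except tcp/80" host firewall Gert describes elsewhere in the thread: with no ND permits at all, every solicitation and advertisement is dropped. Removing just line 20 shows why the fe80->GUA permit is needed: a solicitation sent from a link-local source to a GUA target falls through to the logging deny at line 100.

```python
"""Evaluate Cisco-style ICMPv6 ACL lines against sample Neighbor Discovery
packets.  Added illustration for the thread, not code posted by any of
its participants.  The ACL lines are the ones Gert quoted for DECIX
(on-link prefix 2001:7f8::/64); the packets are constructed samples with
invented interface identifiers, not captures."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NS, NA = 135, 136  # ICMPv6 Neighbor Solicitation / Neighbor Advertisement

DECIX_ACL_LINES = [
    "20 permit icmpv6 fe80::/64 2001:7f8::/64 135 0",
    "30 permit icmpv6 2001:7f8::/64 2001:7f8::/64 135 0 ttl eq 255",
    "40 permit icmpv6 2001:7f8::/64 2001:7f8::/64 136 0 ttl eq 255",
    "50 permit icmpv6 any ff02::/64 135 0",
    "60 permit icmpv6 fe80::/64 fe80::/64 135 0",
    "70 permit icmpv6 any fe80::/64 135 0",
    "80 permit icmpv6 any fe80::/64 136 0",
    "90 permit icmpv6 any host ff02::1 136 0",
    "100 deny icmpv6 any any 135 log",
    "110 deny icmpv6 any any 136 log",
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    hop_limit: int = 255  # RFC 4861 requires hop limit 255 on ND messages


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                           # "permit" or "deny"
    src: Optional[ipaddress.IPv6Network]  # None stands for "any"
    dst: Optional[ipaddress.IPv6Network]
    icmp_type: int
    hop_limit: Optional[int]              # "ttl eq N" in the ACL syntax
    log: bool                             # parsed only; logging is not modelled


def _prefix(t: List[str], i: int) -> Tuple[Optional[ipaddress.IPv6Network], int]:
    """Parse 'any', 'host <addr>' or '<prefix>/<len>' starting at t[i]."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return ipaddress.IPv6Network(t[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(t[i], strict=False), i + 1


def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[2] != "icmpv6":
        raise ValueError("only icmpv6 lines are modelled: " + line)
    src, i = _prefix(t, 3)
    dst, i = _prefix(t, i)
    icmp_type = int(t[i]); i += 1
    if i < len(t) and t[i].isdigit():  # optional ICMP code (always 0 above)
        i += 1
    hop_limit, log = None, False
    while i < len(t):
        if t[i:i + 2] == ["ttl", "eq"]:
            hop_limit = int(t[i + 2]); i += 3
        elif t[i] == "log":
            log = True; i += 1
        else:
            raise ValueError("unknown token %r in %r" % (t[i], line))
    return Rule(int(t[0]), t[1], src, dst, icmp_type, hop_limit, log)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.icmp_type != pkt.icmp_type:
        return False
    if rule.src is not None and ipaddress.IPv6Address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.IPv6Address(pkt.dst) not in rule.dst:
        return False
    return rule.hop_limit is None or pkt.hop_limit == rule.hop_limit


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching line wins; no match means the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


# Constructed ND messages on a 2001:7f8::/64 link; interface IDs are invented.
SAMPLES = {
    "NS, link-local source to GUA target":    Packet("fe80::1", "2001:7f8::a", NS),
    "NS, GUA source to solicited-node mcast": Packet("2001:7f8::a", "ff02::1:ff00:b", NS),
    "NA, GUA to GUA, hop limit 255":          Packet("2001:7f8::b", "2001:7f8::a", NA),
    "NA, GUA to GUA, hop limit 64":           Packet("2001:7f8::b", "2001:7f8::a", NA, 64),
    "NA, link-local to link-local":           Packet("fe80::2", "fe80::1", NA),
}


def run(acl_lines: List[str]) -> Dict[str, Tuple[str, Optional[int]]]:
    acl = [parse_rule(line) for line in acl_lines]
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run(DECIX_ACL_LINES).items():
        print("%-42s -> %s (line %s)" % (name, *verdict))
    # A host firewall that only lets tcp/80 in has, from ICMPv6's point of
    # view, no lines at all: every ND message hits the implicit deny.
    print(run([]))
```

The hop-limit-64 advertisement is denied by line 110 rather than permitted by line 40, which is the ACL enforcing the RFC 4861 requirement that ND messages arrive with hop limit 255 (anything else cannot have come from the local link).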
Re: Link-local and ACLs
On 25/07/2017 09:10, Tore Anderson wrote:
> * Brian E Carpenter
>
>> So, I'm not aware of any realistic case where this happens, or any
>> reason for it.
>
> As Gert already pointed out: Neighbour Discovery.

Well yes, like ARP. But that's the exception that proves the rule - you do it when that is really what you mean *and* the target address is within an on-link prefix.

I can do it too, even from Windows:

ping -n 100 -S fe80::c0de:dead:beef:768e%11 2001:df0:0:2006:c0de:beef:dead:be83

Those addresses are obfuscated, but you get the idea, and I see the ICMPv6 packets with Wireshark, but get no replies.

Why would you ever do it for normal traffic? And why would ACLs be relevant for on-link traffic?

   Brian

>
> A few examples from an IX near me:
>
> 23:06:11.020045 In IP6 fe80::8678:acff:fe66:80db > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:11.563763 In IP6 fe80::aa0c:dff:fe71:5768 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:29.958824 In IP6 fe80::92e2:baff:fe3f:7665 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:34.239488 In IP6 fe80::523d:e5ff:fe89:4ec4 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
> 23:06:45.177659 In IP6 fe80::2c1:64ff:fe60:380 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
>
> Tore
Re: Link-local and ACLs
* Brian E Carpenter

> So, I'm not aware of any realistic case where this happens, or any
> reason for it.

As Gert already pointed out: Neighbour Discovery.

A few examples from an IX near me:

23:06:11.020045 In IP6 fe80::8678:acff:fe66:80db > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:11.563763 In IP6 fe80::aa0c:dff:fe71:5768 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:29.958824 In IP6 fe80::92e2:baff:fe3f:7665 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:34.239488 In IP6 fe80::523d:e5ff:fe89:4ec4 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32
23:06:45.177659 In IP6 fe80::2c1:64ff:fe60:380 > 2001:7f8:12:1::3:9029: ICMP6, neighbor solicitation, who has 2001:7f8:12:1::3:9029, length 32

Tore
Re: Link-local and ACLs
Hi,

On Mon, Jul 24, 2017 at 08:56:41PM +0100, Nick Hilliard wrote:
> Gert Doering wrote:
> > "on the same link"?
>
> return traffic. Not much good in having unidirectional data flow.

Even return traffic "on the same link" shouldn't be subject to "packets with fe80 sources MUST NOT be routed"...

Gert Doering
-- NetMaster
Re: Link-local and ACLs
Gert Doering wrote:
> "on the same link"?

return traffic. Not much good in having unidirectional data flow.

Nick
Re: Link-local and ACLs
On Mon, Jul 24, 2017 at 12:46 PM, David Farmer wrote:
> In practice Neighbor Discovery, and other critical protocols, need
> link-local addresses to talk to other link-local addresses and some
> multicast addresses.
>
> Also, in theory a link-local address could talk to a GUA or ULA address on
> the same link. However, in practice does this really happen? If it does
> happen in practice what are the circumstances?
>
> Thanks
>
> --
> ===
> David Farmer                 Email: far...@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE       Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===

Not quite 100% related, but I had an upstream provider put an artisanal handcrafted IPv6 BCP38 ACL that didn't allow link-locals to talk to the multicast range (or to the GUA on-link address possibly) on a port, and it caused problems after a reboot I believe only. Things were able to keep working for quite a while if I recall.

Theodore Baschak - AS395089 - Hextet Systems
https://bgp.guru/ - https://hextet.net/
http://mbix.ca/ - http://mbnog.ca/
Re: Link-local and ACLs
On Mon, Jul 24, 2017 at 05:51:37PM +, Goddess: Primal Chaos wrote:
> ### Do not reply below this line ###
>
> -
> Goddess: Primal Chaos | July 24, 2017 | 18:51 +0100
> -
>
> Dear player,

This has been remedied. You should see no further auto-replies from them.

Best regards,
Daniel (list admin)
Re: Link-local and ACLs
Hi,

On Mon, Jul 24, 2017 at 06:50:57PM +0100, Nick Hilliard wrote:
> David Farmer wrote:
> > Also, in theory a link-local address could talk to a GUA or ULA address
> > on the same link. However, in practice does this really happen? If it
> > does happen in practice what are the circumstances?
>
> will that packet not be dropped because a LL ipv6 packet won't be
> routed? (MUST NOT in whatever rfc).

"on the same link"?

Gert Doering
-- NetMaster
Re: Link-local and ACLs
David Farmer wrote:
> Also, in theory a link-local address could talk to a GUA or ULA address
> on the same link. However, in practice does this really happen? If it
> does happen in practice what are the circumstances?

will that packet not be dropped because a LL ipv6 packet won't be routed? (MUST NOT in whatever rfc).

Nick