Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-11 Thread Tobias Heider
I am a bit late to the party, but some more comments below. On Sun, Jul 09, 2023 at 11:27:20PM -0400, Anthony Coulter wrote: > Summary of this email: > > 1. I respond to a couple of specific points made by other folks in this >thread to clarify what I'm trying to accomplish (set up a couple

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-10 Thread Anthony Coulter
Stuart Henderson wrote: > Currently iked (and isakmpd) use flows, not routes. These use messages > on the PF_KEY socket not the route socket. (If I watch route -nv monitor > while iked starts and brings up tunnels, I don't see any messages). > > IIUC the parts you found which currently exist are

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-10 Thread Zack Newman
I'm sure this is obvious to people, but just in case it is not: I pay $25/month for my VPS, and I think I could bring that down to $10 or $15 if I wanted. My VPS routes me a /48 IPv6 network... I clearly meant "My VPS _provider_ routes me...".

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-10 Thread Zack Newman
Before I essentially echo back what Stuart said, let me clarify something. I don't really recommend NAT over NDP proxying more than the other way around. I was merely stating that a hack is a hack is a hack. If you are forced to use a hack, then insisting on one over the other is bizarre unless

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-10 Thread Stuart Henderson
On 2023-07-10, Anthony Coulter wrote: > 2. I abandon my quest to get NDP proxying added to iked and instead ask >if we can add a "rtlabel" keyword to iked.conf to make it easier for >me to write a separate process that monitors the routing table to >detect when the tunnel gets set up.

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-09 Thread Anthony Coulter
Summary of this email: 1. I respond to a couple of specific points made by other folks in this thread to clarify what I'm trying to accomplish (set up a couple of ad hoc link-local routes without having to ask my ISP for a larger subnet) and to acknowledge that I said something stupid

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-08 Thread Andy Bradford
Thus said Anthony Coulter on Thu, 06 Jul 2023 21:52:54 -0400: > I would also suggest comparing the "hackiness" of NDP proxying to the > hackiness of NAT, which is how we solve this same problem in IPv4. I realize I'm coming in late to this discussion, and may not actually have anything of

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Anthony Coulter
> veering slightly from the topic (typical setup for a server host would > not be to use DHCPv6 but just statically route another block - usually a > /56 or /48), but... I don't doubt this is typical for serious network operators. But I would counter that for every user who is in a position to

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Zack Newman
Yeah, I don't have the interest to get into it about this; but I find it (informally) inconsistent to take an ideological stance against NAT and not have a similar stance against NDP proxying. Networking is a lot cleaner when it can be reasoned about with a rudimentary grasp of graph theory where

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Stuart Henderson
veering slightly from the topic (typical setup for a server host would not be to use DHCPv6 but just statically route another block - usually a /56 or /48), but... On 2023-07-07, Anthony Coulter wrote: > The trouble with subnets is that they have to be configured. I would > have to install a

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Anthony Coulter
Summary of this email: I repeat my argument that automatic NDP proxying is the right way to handle the "road warrior" use case for IPv6. The reasons I'm pushing this so hard are that (1) including this functionality in iked would be much more robust than any hacky script I could write that tries

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Anthony Coulter
First, thank you! The "ndp -s" trick does exactly what I need. (I did not need to consider ndp-reflector.) The rest of this email could be summarized as "That works so perfectly I would pay for someone to make it automatic; meanwhile the other things I asked about were in fact bad ideas and I
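The `ndp -s` trick acknowledged in the message above, as an added example that is not part of the thread and not iked's own code: a small sh script for the OpenBSD responder that checks that a client's virtual IPv6 address falls inside the server's /64, then publishes it with a proxy NDP entry so the VPS gateway's neighbor solicitations for that address are answered by the server and the packets can be pushed into the tunnel. The prefix, client address, interface MAC and the idea of calling this from a tunnel-up hook are all assumptions; nothing here is taken from the poster's configuration.

```shell
#!/bin/sh
# Added example, not code from the thread or from iked.  Publishes one
# road-warrior client's IPv6 virtual address via proxy NDP on an OpenBSD
# responder.  All addresses and the MAC below are hypothetical.

# Expand "::" so an address has eight zero-padded, lowercase groups; the
# first four groups are then the /64 prefix and can be compared textually.
ipv6_expand() {
    printf '%s\n' "$1" | awk '
    function pad(g) { while (length(g) < 4) g = "0" g; return g }
    {
        s = tolower($0); out = ""
        if (index(s, "::")) {
            split(s, p, "::")
            nl = (p[1] == "") ? 0 : split(p[1], L, ":")
            nr = (p[2] == "") ? 0 : split(p[2], R, ":")
            for (i = 1; i <= nl; i++) out = out (i > 1 ? ":" : "") pad(L[i])
            for (i = 0; i < 8 - nl - nr; i++) out = out (out == "" ? "" : ":") "0000"
            for (i = 1; i <= nr; i++) out = out ":" pad(R[i])
        } else {
            n = split(s, G, ":")
            for (i = 1; i <= n; i++) out = out (i > 1 ? ":" : "") pad(G[i])
        }
        print out
    }'
}

# same_64 PREFIX_ADDR CLIENT_ADDR: true when both share the same /64.
same_64() {
    a=$(ipv6_expand "$1" | cut -d: -f1-4)
    b=$(ipv6_expand "$2" | cut -d: -f1-4)
    [ "$a" = "$b" ]
}

# ndp_proxy_cmds CLIENT_ADDR MAC: the commands that make the server answer
# neighbor solicitations for CLIENT_ADDR.  ndp(8): -s nodename ether_addr
# [temp] [proxy]; "proxy" is what turns the static entry into an NDP proxy.
ndp_proxy_cmds() {
    printf 'sysctl net.inet6.ip6.forwarding=1\n'
    printf 'ndp -s %s %s proxy\n' "$1" "$2"
}

# withdraw_cmds CLIENT_ADDR: remove the entry once the tunnel is gone, so
# the server stops attracting traffic for an address it can no longer deliver.
withdraw_cmds() {
    printf 'ndp -d %s\n' "$1"
}

# publish_client PREFIX_ADDR CLIENT_ADDR MAC [apply]
# Validates that CLIENT_ADDR is in the server's /64 (anything else would
# never be solicited on this link), then prints the commands, or runs them
# when the fourth argument is "apply".
publish_client() {
    same_64 "$1" "$2" || {
        printf 'client %s is outside the /64 of %s\n' "$2" "$1" >&2
        return 1
    }
    if [ "${4:-print}" = apply ]; then
        ndp_proxy_cmds "$2" "$3" | sh -e
    else
        ndp_proxy_cmds "$2" "$3"
    fi
}

# Hypothetical values: the VPS routes 2001:db8:1:2::/64 to the server's
# egress, iked hands 2001:db8:1:2::100 to the client ("config address").
publish_client 2001:db8:1:2::1 2001:db8:1:2::100 00:11:22:33:44:55
withdraw_cmds 2001:db8:1:2::100
```

Run it with `apply` as the fourth argument on the responder as root once a tunnel is up, and run the `ndp -d` line when the client disconnects; a proxy entry answers for exactly the one /128 given, so the server only claims addresses iked actually handed out, and the prefix check refuses an address the upstream router would never solicit on this link.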

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Zack Newman
While I suppose the /64 your VPS provider gives you is "enormous" compared to IPv4, I don't find such a comparison relevant since IPv6 and IPv4 are entirely different protocols. In fact I actually think it is small. Why? RFC 6177 (https://datatracker.ietf.org/doc/html/rfc6177) recommends that /48

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-06 Thread Stuart Henderson
On 2023-07-05, Anthony Coulter wrote: > OK, I've sorted out my network issues server but it turns out that I > was misinterpreting the tcpdump output on my VPS. When an external > computer tries to ping my client's virtual IP address, the VPS's > gateway router is *not* forwarding the pings to my

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-05 Thread Anthony Coulter
OK, I've sorted out my network issues server but it turns out that I was misinterpreting the tcpdump output on my VPS. When an external computer tries to ping my client's virtual IP address, the VPS's gateway router is *not* forwarding the pings to my server where they can be shoved into the IPsec

Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-05 Thread Tobias Heider
On July 5, 2023 4:35:30 AM GMT+03:00, Anthony Coulter wrote: >Short version: > >I'm trying to set up a "road warrior"-style VPN like the one described >at https://www.openbsd.org/faq/faq17.html but I'm trying to use IPv6 so >I can have globally-routable addresses (so I'm not using NAT). So

IPsec "road warrior" VPN not getting set up properly.

2023-07-04 Thread Anthony Coulter
Short version: I'm trying to set up a "road warrior"-style VPN like the one described at https://www.openbsd.org/faq/faq17.html but I'm trying to use IPv6 so I can have globally-routable addresses (so I'm not using NAT). So far I've gotten the initiator and the responder to set up a security