candiddevmike a day ago

I can't run SLAAC and DHCPv6 at the same time without giving devices multiple addresses, and Android doesn't support DHCPv6, so I'd have to carve out a separate, SLAAC-based, android-only network. And then figure out firewall rules, multicast reflection, etc.

justincormack a day ago | parent | next [-]

Why is giving multiple addresses a problem?

candiddevmike a day ago | parent [-]

No control over which source address is used. I'm assigning a lot of clients DHCP reservations so I can use static addresses for monitoring and firewall rules. With multiple addresses on the same network, clients may use their SLAAC address which won't match the firewall rule.

db48x a day ago | parent | next [-]

That still doesn’t really make sense. Why not run SLAAC on one subnet and have a single firewall rule for the whole thing? You’re not running any major servers on an Android phone, so it won’t be anything complex.

tsimionescu a day ago | parent [-]

SLAAC can only run on a subnet that's larger than /64, which they might not have access to.

db48x a day ago | parent [-]

Strictly speaking it can and does run on subnets that are exactly /64. Does anyone actually hand out smaller delegations today?

tsimionescu a day ago | parent [-]

My point is that they might only be getting 1 /64 from their ISP; or getting a /62 or something small, and needing more subnets anyway. In these situations, you may not have an extra /64 to dedicate to SLAAC for certain devices.

db48x a day ago | parent [-]

Right. I was merely correcting your statement that SLAAC needs more than 64 bits to work with. But my question remains; do any ISPs hand out smaller delegations than a /64?

justincormack 21 hours ago | parent | prev | next [-]

There are APIs in Linux to control source address selection, but it might be fiddly: https://www.davidc.net/networking/ipv6-source-address-select...

franklyworks a day ago | parent | prev [-]

Ah, this makes sense.

gspr a day ago | parent | prev [-]

I thought this was a problem too. Then I realized that addresses are not in short supply, so I stopped caring that some devices get multiple addresses. The ones I care about are handed out over DHCPv6, and the firewall works accordingly. The rest gets basic connectivity and nothing else.

Works great for me.

candiddevmike a day ago | parent [-]

Don't you have problems with clients using the wrong source address and not matching firewall rules?

kstrauser a day ago | parent | next [-]

Different person here, but no. I never write firewall rules based on individual source addresses. They’re too easy to fake. And with IPv6’s privacy extensions, you never know what source address a given machine will have anyway.

gspr 21 hours ago | parent [-]

Interesting. How do you deal with destination addresses on your local network? DHCPv6 like the other poster and myself?

kstrauser 15 hours ago | parent [-]

I haven’t had a need for DHCPv6. I’d use DNS (or better, mDNS) to assign a hostname to the destination’s fixed IPv6 address or ULA, both of which are static. I don’t ever manually assign an IPv6 address to a host, though. I just let SLAAC do the thing it was designed for.

gspr a day ago | parent | prev [-]

No. Admittedly, my firewall rules are all about granting something extra beyond the basics. I only do this for clients I care about anyway, so I can always tell them to use the right address.