Making IPv6 NAT prefer privacy address


Daniel Gillen
Hi

I currently have the following rule to nat traffic out to the internet:

match out on $if_ext inet6 from $if_int:network to any nat-to ($if_ext)

But this chooses one of the configured addresses (using round-robin).

Is there a way I can configure pf to prefer the privacy address (the one
without my MAC in it)?

Thx in advance

Daniel

--
Unix _IS_ user friendly - it's just
selective about who its friends are!


Re: Making IPv6 NAT prefer privacy address

Giancarlo Razzolini-3
On 22-09-2015 15:06, Daniel Gillen wrote:

> Hi
>
> I currently have the following rule to nat traffic out to the internet:
>
> match out on $if_ext inet6 from $if_int:network to any nat-to ($if_ext)
>
> But this chooses one of the configured addresses (using round-robin).
>
> Is there a way I can configure pf to prefer the privacy address (the one
> without my MAC in it)?
>
> Thx in advance
>
> Daniel
>
NAT on IPv6? Why? Also, if I'm not mistaken, if your card has a privacy
address, it will be the one used, but for connections originating from
the firewall itself. I'm not aware of any rule you could make that would
get you only the privacy address. I didn't read the code, but ($if_ext)
would give you the first address, IIRC. Which, in your case, is not the
privacy address. Also, you could check if your CPE (router) answers
DHCPv6 requests. If so, and if it follows RFC 7084, you could ask for an
IA_NA from it, and you'd get an address which is not the privacy
address, but also is not based on your MAC address.

Cheers,
Giancarlo Razzolini


Re: Making IPv6 NAT prefer privacy address

Stuart Henderson
In reply to this post by Daniel Gillen
On 2015-09-22, Daniel Gillen <[hidden email]> wrote:

> Hi
>
> I currently have the following rule to nat traffic out to the internet:
>
> match out on $if_ext inet6 from $if_int:network to any nat-to ($if_ext)
>
> But this chooses one of the configured addresses (using round-robin).
>
> Is there a way I can configure pf to prefer the privacy address (the one
> without my MAC in it)?

Not at present.


Re: Making IPv6 NAT prefer privacy address

Stuart Henderson
In reply to this post by Giancarlo Razzolini-3
On 2015-09-22, Giancarlo Razzolini <[hidden email]> wrote:
> Nat on IPv6? Why?

Saves messing about with DHCPv6-PD ;)


Re: Making IPv6 NAT prefer privacy address

Giancarlo Razzolini-3
On 23-09-2015 04:40, Stuart Henderson wrote:
> Saves messing about with DHCPv6-PD

I see. So you translate from what exactly? Wouldn't it be better to use
af-to instead of nat? But I can relate to that, given that my CPE will
give me a PD, but won't route packets back because it thinks the prefix
is reachable using NDP. Hence the need for a proxy, which OpenBSD
currently doesn't have.

Cheers,
Giancarlo Razzolini


Re: Making IPv6 NAT prefer privacy address

Marios Makassikis-2
On 23 September 2015 at 15:34, Giancarlo Razzolini <[hidden email]> wrote:
> On 23-09-2015 04:40, Stuart Henderson wrote:
>> Saves messing about with DHCPv6-PD
>
> I see. So you translate from what exactly? Wouldn't it be better to use
> af-to instead of nat?

Hello,

Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
from fd00::/8 and announce that on your network. It is the equivalent of
RFC1918 addresses, except it is for IPv6. Therefore, it is not routable and
you need to perform NAT on it. The global address is the one the router
obtained via static configuration/SLAAC/DHCPv6, which will then be used by
all your clients.

> But I can relate to that, given that my CPE will
> give me a PD, but won't route packets back because it thinks the prefix
> is reachable using NDP. Hence the need for a proxy, which OpenBSD
> currently doesn't have.
>
> Cheers,
> Giancarlo Razzolini
>

Your CPE will see only the OpenBSD router's address so it should work.

Marios


Re: Making IPv6 NAT prefer privacy address

Stuart Henderson
On 2015/09/23 16:16, Marios Makassikis wrote:

> On 23 September 2015 at 15:34, Giancarlo Razzolini <[hidden email]> wrote:
> > On 23-09-2015 04:40, Stuart Henderson wrote:
> >> Saves messing about with DHCPv6-PD
> >
> > I see. So you translate from what exactly? Wouldn't it be better to use
> > af-to instead of nat?
>
> Hello,
>
> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
> from fd00::/8 and announce that on your network.
> It is the equivalent to RFC1918 addresses, except it is for IPv6.
> Therefore, it is
> not routable and you need to perform NAT on it. The global address is the one
> the router obtained via static configuration/SLAAC/DHCPv6, which will then be
> used by all your clients.
>
> > But I can relate to that, given that my CPE will
> > give me a PD, but won't route packets back because it thinks the prefix
> > is reachable using NDP. Hence the need for a proxy, which OpenBSD
> > currently doesn't have.
> >
> > Cheers,
> > Giancarlo Razzolini
> >
>
> Your CPE will see only the OpenBSD router's address so it should work.

Exactly. It also makes it easier to handle multiple ISPs for load-balancing
or failover, which IPv6 handles poorly (short of using BGP).

Also it's good for winding up IPv6 purists :-)


Re: Making IPv6 NAT prefer privacy address

Giancarlo Razzolini-3
In reply to this post by Marios Makassikis-2
On 23-09-2015 11:16, Marios Makassikis wrote:
> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
> from fd00::/8 and announce that on your network.
> It is the equivalent to RFC1918 addresses, except it is for IPv6.

Figured it. These are ULA, right?

> Therefore, it is
> not routable and you need to perform NAT on it. The global address is the one
> the router obtained via static configuration/SLAAC/DHCPv6, which will then be
> used by all your clients.

It kind of defeats the purpose of IPv6, doesn't it?

> Your CPE will see only the OpenBSD router's address so it should work.

I ended up setting up a bridge for that. It's harder to filter on them
though. I plan to port some NDP proxy to OpenBSD, but all of the
candidates looked very cumbersome for my taste. I'll eventually have to
do it, unless someone else beats me to it.

Cheers,
Giancarlo Razzolini


Re: Making IPv6 NAT prefer privacy address

Giancarlo Razzolini-3
In reply to this post by Stuart Henderson
On 23-09-2015 11:49, Stuart Henderson wrote:
> Exactly. It also makes it easier to handle multiple ISPs for load-balancing
> or failover, which IPv6 handles poorly (short of using BGP).

Wouldn't multipath and properly constructed ifstated scripts be better
in this case? Like reloading dhcpv6 servers, rtadvd, and anchors, etc.

>
> Also it's good for winding up IPv6 purists :-)

Wound up me. :-)

Cheers,
Giancarlo Razzolini


Re: Making IPv6 NAT prefer privacy address

Sly Midnight
Giancarlo,

Why are you unable to route your DHCPv6-PD?  I ask because I have been
able to use OpenBSD as a typical IPv4 NAT type of router as well as a
pure IPv6 router (it does use pf for firewalling the router and the PD
subnet, but no NAT on IPv6), all for my home network LAN.

I use a fair bit of custom scripts and a little-known DHCPv6 client
software not available in OpenBSD ports (at least the last time I checked)
to make it all work.  But I've been using this setup for at least 2
years now, successfully, and it can sometimes run reliably for 6
months without a hiccup.

So maybe I can help.

Sly


On 09/23/2015 10:58 AM, Giancarlo Razzolini wrote:

> On 23-09-2015 11:49, Stuart Henderson wrote:
>> Exactly. It also makes it easier to handle multiple ISPs for load-balancing
>> or failover, which IPv6 handles poorly (short of using BGP).
> Wouldn't multipath and properly constructed ifstated scripts be better
> in this case? Like reloading dhcpv6 servers, rtadvd, and anchors, etc.
>
>> Also it's good for winding up IPv6 purists :-)
> Wound up me. :-)
>
> Cheers,
> Giancarlo Razzolini


Re: Making IPv6 NAT prefer privacy address

Daniel Gillen
In reply to this post by Marios Makassikis-2
On 23/09/2015 16:16, Marios Makassikis wrote:

> On 23 September 2015 at 15:34, Giancarlo Razzolini <[hidden email]> wrote:
>> On 23-09-2015 04:40, Stuart Henderson wrote:
>>> Saves messing about with DHCPv6-PD
>>
>> I see. So you translate from what exactly? Wouldn't it be better to use
>> af-to instead of nat?
>
> Hello,
>
> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
> from fd00::/8 and announce that on your network.
> It is the equivalent to RFC1918 addresses, except it is for IPv6.
> Therefore, it is
> not routable and you need to perform NAT on it. The global address is the one
> the router obtained via static configuration/SLAAC/DHCPv6, which will then be
> used by all your clients.
>
>> But I can relate to that, given that my CPE will
>> give me a PD, but won't route packets back because it thinks the prefix
>> is reachable using NDP. Hence the need for a proxy, which OpenBSD
>> currently doesn't have.
>>
>> Cheers,
>> Giancarlo Razzolini
>>
>
> Your CPE will see only the OpenBSD router's address so it should work.
>
> Marios
>

And that's exactly what I am doing. Well, I don't use DHCP but rather
assign the fd00::/8 addresses statically, but for the rest, it's the same.

Why NAT? I'm using pppoe to establish a connection to my ISP. And for
every new connection, I get new IPv4 and IPv6 addresses. This is at home
and I don't want my machines being accessible from the internet (except
for some specific ports to some specific machines). As the addresses
change all the time, firewalling would be quite difficult. So NAT is
very useful here :)

But with that configuration, the problem is that all outgoing traffic
(after the NAT) will use the main IPv6 address of the external interface
(auto configured) or will pick one dynamically (auto configured /
privacy address) (depending on the match statement in pf.conf).

I think I will try to write a script to periodically check if the
privacy address has changed and then update my pf.conf for now.

But it would be a nice feature to be able to use something like
egress:privacy for example or make pf automagically prefer the privacy
addresses when NATting :)

Daniel
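The periodic check Daniel describes, written out as an added example (this is not code from the thread or from OpenBSD): it reads the external interface's addresses, picks the non-deprecated one flagged autoconfprivacy, verifies that its interface identifier is not a modified EUI-64 (the 0xfffe filler that marks a MAC-derived address), and loads a nat-to rule using it into a pf anchor instead of editing pf.conf. Everything concrete here is assumed rather than taken from the thread: the anchor name nat6, the external interface em0, the internal ULA prefix fd0a:4242:1::/48, and the ifconfig output format with the flag words "autoconfprivacy" and "deprecated" (the sample output below is constructed, not captured).

```shell
#!/bin/sh
# Added example (not from the thread): pick the current autoconfprivacy
# address on the external interface and load a nat-to rule using it into a
# pf anchor, so the main pf.conf never needs editing. Run it from cron or
# from an ifstated state; reloading the anchor replaces the previous rule.
#
# Assumptions (not stated in the thread): pf.conf carries the line
#     anchor "nat6" out on egress inet6
# the external interface is em0, the internal ULA prefix is fd0a:4242:1::/48,
# and ifconfig(8) marks temporary addresses with "autoconfprivacy" and
# expired ones with "deprecated", as in the constructed sample below.

EXT_IF=${EXT_IF:-em0}
INT_NET=${INT_NET:-fd0a:4242:1::/48}
ANCHOR=${ANCHOR:-nat6}

# Constructed ifconfig output used for the dry run. The first privacy
# address has an expired preferred lifetime and must be skipped.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:27:4e:66:a1
        inet6 fe80::a00:27ff:fe4e:66a1%em0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:42:1:a00:27ff:fe4e:66a1 prefixlen 64 autoconf pltime 86381 vltime 2591981
        inet6 2001:db8:42:1:3c7b:a1e9:1f2d:c6e3 prefixlen 64 autoconf autoconfprivacy deprecated pltime 0 vltime 2501981
        inet6 2001:db8:42:1:d4a2:7c0e:19f3:5b88 prefixlen 64 autoconf autoconfprivacy pltime 86381 vltime 2591981'

# Read ifconfig output on stdin; print the first global, non-deprecated
# address flagged autoconfprivacy (prints nothing if there is none).
find_privacy_addr() {
    awk '$1 == "inet6" && /autoconfprivacy/ && !/deprecated/ && $2 !~ /^fe80:/ {
        print $2; exit
    }'
}

# Exit 0 when the interface identifier looks like a modified EUI-64, i.e.
# hextet 6 ends in "ff" and hextet 7 starts with "fe" (the filler between
# the two halves of the MAC). Works on the compressed form ifconfig prints
# because a SLAAC address keeps its IID in the last four fields.
is_eui64_iid() {
    printf '%s\n' "$1" | awk -F: '{
        h6 = $(NF-2); h7 = $(NF-1)
        while (length(h6) < 4) h6 = "0" h6   # restore stripped leading zeros
        while (length(h7) < 4) h7 = "0" h7
        if (substr(h6, 3, 2) == "ff" && substr(h7, 1, 2) == "fe") exit 0
        exit 1
    }'
}

# Emit the translation rule that goes into the anchor.
build_nat6_rule() {
    printf 'match out on %s inet6 from %s to any nat-to %s\n' "$1" "$2" "$3"
}

# Select the address, refuse anything that still looks MAC-derived, then
# either load the rule into the anchor (NAT6_APPLY=yes; needs root and pf)
# or just print it (dry run against the constructed sample).
run() {
    if [ "${NAT6_APPLY:-no}" = "yes" ]; then
        addr=$(ifconfig "$EXT_IF" inet6 | find_privacy_addr)
    else
        addr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | find_privacy_addr)
    fi
    if [ -z "$addr" ]; then
        echo "no usable autoconfprivacy address on $EXT_IF" >&2
        return 1
    fi
    if is_eui64_iid "$addr"; then
        echo "refusing $addr: interface identifier looks like EUI-64" >&2
        return 1
    fi
    if [ "${NAT6_APPLY:-no}" = "yes" ]; then
        build_nat6_rule "$EXT_IF" "$INT_NET" "$addr" | pfctl -a "$ANCHOR" -f -
    else
        build_nat6_rule "$EXT_IF" "$INT_NET" "$addr"
    fi
}

run
```

Without NAT6_APPLY=yes the script only prints the rule it would load; with it, the rule replaces whatever the anchor held before. Two caveats a practitioner would want: states created while the previous privacy address was current keep translating to that address, which stays usable until its valid lifetime runs out, so the rotation is harmless for existing connections; and the script keys on the ifconfig flag names, which are an assumption here and should be checked against the running release before relying on them.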


Re: Making IPv6 NAT prefer privacy address

Delan Azabani
For the record, some ISPs offer both dynamic and static IPv6 subnets to
their clients, like Internode, which uses router advertisements for
dynamic subnets, and DHCPv6 IA_PD for static subnets.


Re: Making IPv6 NAT prefer privacy address

Stuart Henderson
In reply to this post by Giancarlo Razzolini-3
On 2015-09-23, Giancarlo Razzolini <[hidden email]> wrote:
> On 23-09-2015 11:16, Marios Makassikis wrote:
>> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
>> from fd00::/8 and announce that on your network.
>> It is the equivalent to RFC1918 addresses, except it is for IPv6.
>
> Figured it. These are ULA, right?

yep.

>> Therefore, it is
>> not routable and you need to perform NAT on it. The global address is the one
>> the router obtained via static configuration/SLAAC/DHCPv6, which will then be
>> used by all your clients.
>
> It kind of defeats the purpose of IPv6, doesn't it?

What is the purpose of IPv6? The main purpose that I see is "ability to
continue getting internet addresses after v4 runout". (If it had been left
at that and didn't change a bunch of other things at the same time, perhaps
more people would be using it already).

And, like it or not, the majority of network admins have learned their
trade in a post-NAT world, and are relying on things which are difficult or
impossible to do without that...

>> Your CPE will see only the OpenBSD router's address so it should work.
>
> I ended up setting up a bridge for that. It's harder to filter on them
> though. I plan to port some NDP proxy to OpenBSD, but all of the
> candidates looked very cumbersome to my taste. I'll have eventually to
> do it, unless someone else beat me to it.

So you're relying on your ISP's CPE for network addressing and it doesn't
have a way to add a static route? It seems like you would have the same
problem with v4, doesn't it?

Can you terminate the session on the OpenBSD box instead?


Re: Making IPv6 NAT prefer privacy address

Stuart Henderson
In reply to this post by Giancarlo Razzolini-3
On 2015-09-23, Giancarlo Razzolini <[hidden email]> wrote:
> On 23-09-2015 11:49, Stuart Henderson wrote:
>> Exactly. It also makes it easier to handle multiple ISPs for load-balancing
>> or failover, which IPv6 handles poorly (short of using BGP).
>
> Wouldn't multipath and properly constructed ifstated scripts be better
> in this case? Like reloading dhcpv6 servers, rtadvd, and anchors, etc.

The problem is that you rely on the end host to make decisions about
which address to use etc. The router can only influence those decisions
(by choosing which networks to advertise) rather than force them.
This might be good enough for failover (though failover is likely to
be slower than doing it on the router) but isn't going to work at all
for the type of load-balancing that many people currently do across
multiple ISP connections (often built-in to small/home office routers,
and like the example in faq/pf/pools.html).


Re: Making IPv6 NAT prefer privacy address

Giancarlo Razzolini-3
In reply to this post by Stuart Henderson
On 24-09-2015 08:36, Stuart Henderson wrote:
> What is the purpose of IPv6? The main purpose that I see is "ability to
> continue getting internet addresses after v4 runout". (If it had been left
> at that and didn't change a bunch of other things at the same time, perhaps
> more people would be using it already).

This sure is the purpose now. Short term. But one of the main reasons
the address space is so large is for every connected device to be
accessible from every other.

>
> And, like it or not, the majority of network admins have learned their
> trade in a post-NAT world, and are relying on things which are difficult or
> impossible to do without that...

Yes. I got that. But I prefer to learn to do things properly, even if it
means it's more difficult.

> So you're relying on your ISPs CPE for network addressing and it doesn't
> have a way to add a static route? It seems like you would have the same
> problem with v4, doesn't it?

I can add a static route, yes. And it answers IA_PD requests, and
also IA_NA. So I've managed to get it working for my internal machines.
The only issue is that the CPE won't try to route the prefix it delegated
to me. What it does instead is to keep asking, using NDP, who has the
address. Hence the need for an NDP proxy.

>
> Can you terminate the session on the OpenBSD box instead?

If you mean a pppoe or other way to get the IPv6 directly on the OpenBSD
box, then no. My CPE is only routed, unfortunately. But this discussion
gave me the idea of making a bridge for my dmz and using ULA with NAT on
my internal networks, that don't need much external connectivity. This
also solves my problem of having only one /64 prefix.

Cheers,
Giancarlo Razzolini


Re: Making IPv6 NAT prefer privacy address

Devin Reade
> On Sep 24, 2015, at 07:49, Giancarlo Razzolini <[hidden email]> wrote:
>
> On 24-09-2015 08:36, Stuart Henderson wrote:
>> What is the purpose of IPv6? The main purpose that I see is "ability to
>> continue getting internet addresses after v4 runout". (If it had been left
>> at that and didn't change a bunch of other things at the same time, perhaps
>> more people would be using it already).
>
> This sure is the purpose now. Short term. But one of the main reasons
> the address space is so large, is for every connected device be
> accessible from every other.

Another consideration that has entered the picture since that idea came out, though, is how much easier it will be in the non-NAT world for advertisers or whomever to track individuals' behaviour. Not everyone likes that.


Re: Making IPv6 NAT prefer privacy address

Giancarlo Razzolini-3
On 24-09-2015 16:51, Devin Reade wrote:
> Another consideration that has entered the picture since that idea came out, though, is how much easier it will be in the non-NAT world for advertisers or whomever to track individuals' behaviour. Not everyone likes that.

Hence privacy address extensions and non-temporary address
associations. In hindsight, it was a poor choice to make IPv6 addresses
based on MAC addresses, given the advancements in pseudo-random number
generation. The fact is that OpenBSD and the other OSes should prefer
privacy addresses for everything (even pf itself). This already happens on
some Linux configurations, where you have a semi-stable privacy address
at any given time on an interface, and only that kind of address, not the
MAC address based form.

Anyway, this NATted ULA will surely have its uses, especially now at
the beginning of the IPv4 to IPv6 migration. What Stuart mentioned, that
most network administrators were born in a world already needing
NAT, has a big impact on this. Still, it's no substitute for a proper
implementation and might even slow IPv6 deployment for a while. But with
the advent of more devices in the IPv6 world, the so-called internet of
things, NAT will have a performance hit on that, so it will eventually
fade away, hopefully.

Cheers,
Giancarlo Razzolini


Re: Making IPv6 NAT prefer privacy address

Stefan Sperling-5
On Thu, Sep 24, 2015 at 05:25:31PM -0300, Giancarlo Razzolini wrote:
> The fact is, that OpenBSD and the other OS's should prefer
> privacy address for everything (even pf itself). This already happens on
> some linux configurations, where you have a semi stable privacy address
> any given time on a interface, and only that kind of address, not the
> MAC address based form.

OpenBSD has been defaulting to autoconfprivacy addresses as
source address for outgoing connections since 2012.
http://marc.info/?l=openbsd-cvs&m=134557868416796&w=2


Re: Making IPv6 NAT prefer privacy address

Fernando Gont-2
In reply to this post by Marios Makassikis-2
On 09/23/2015 11:16 PM, Marios Makassikis wrote:

> On 23 September 2015 at 15:34, Giancarlo Razzolini <[hidden email]> wrote:
>> On 23-09-2015 04:40, Stuart Henderson wrote:
>>> Saves messing about with DHCPv6-PD
>>
>> I see. So you translate from what exactly? Wouldn't it be better to use
>> af-to instead of nat?
>
> Hello,
>
> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
> from fd00::/8 and announce that on your network.
> It is the equivalent to RFC1918 addresses, except it is for IPv6.
> Therefore, it is
> not routable and you need to perform NAT on it. The global address is the one
> the router obtained via static configuration/SLAAC/DHCPv6, which will then be
> used by all your clients.
>
>> But I can relate to that, given that my CPE will
>> give me a PD, but won't route packets back because it thinks the prefix
>> is reachable using NDP. Hence the need for a proxy, which OpenBSD
>> currently doesn't have.
>>
>> Cheers,
>> Giancarlo Razzolini
>>
>
> Your CPE will see only the OpenBSD router's address so it should work.

... as long as IPv6 addresses are not embedded in the app protocol.

FWIW, I wouldn't go this way. ULAs (fd00::/8) serve a different purpose:
e.g., still being able to communicate within your network if global
connectivity/addressing fails.

Thanks,
--
Fernando Gont
e-mail: [hidden email] || [hidden email]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1


Re: Making IPv6 NAT prefer privacy address

Fernando Gont-2
In reply to this post by Devin Reade
On 09/25/2015 04:51 AM, Devin Reade wrote:

>> On Sep 24, 2015, at 07:49, Giancarlo Razzolini
>> <[hidden email]> wrote:
>>
>> On 24-09-2015 08:36, Stuart Henderson wrote:
>>> What is the purpose of IPv6? The main purpose that I see is
>>> "ability to continue getting internet addresses after v4 runout".
>>> (If it had been left at that and didn't change a bunch of other
>>> things at the same time, perhaps more people would be using it
>>> already).
>>
>> This sure is the purpose now. Short term. But one of the main
>> reasons the address space is so large, is for every connected
>> device be accessible from every other.
>
> Another consideration that has entered the picture since that idea
> came out, though, is how much easier it will be in the non-NAT world
> for advertisers or whomever to track individuals' behaviour. Not
> everyone likes that.

Please see this:

* <https://www.ietf.org/internet-drafts/draft-ietf-6man-ipv6-address-generation-privacy-08.txt>

* RFC7217

* <https://tools.ietf.org/html/draft-ietf-6man-default-iids-08>


Thanks,
--
Fernando Gont
e-mail: [hidden email] || [hidden email]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
