[opensuse-factory] 12.1 IPv6 addressing issue
Hi Folks,

I installed RC2 last week on a desktop just for the fun of it. There were a few glitches during the install process but overall it went well.

But I'm having an issue with IPv6 addressing. The install is on a large network that runs both IPv4 and IPv6. Something like 96% of the six-thousand or so hosts are fully IPv6 enabled. openSuSE has always worked well enough in this environment. But 12.1 RC2 kicks off an infrastructure warning that the host is running a "private" address. The network has a policy that prohibits private addresses and so this new install will be blocked soon. Ifconfig shows that none of the inet6 addresses have the lower half of the MAC address as is usual.

Did the policy regarding IPv6 private addressing change in 12.1? If so, how can we return to the old policy? I'll include obfuscated ifconfig outputs below.

Thanks,
Lew Wolfgang

Not working 12.1 RC2:

eth0  Link encap:Ethernet  HWaddr 00:xx:E8:08:00:43
      inet addr:xxx.yy.77.50  Bcast:xxx.yy.79.255  Mask:255.255.252.0
      inet6 addr: xxxx:yyy:zz:76:224:e8ff:fe08:43/64 Scope:Global
      inet6 addr: fe80::xxx:e8ff:fe08:43/64 Scope:Link
      inet6 addr: xxxx:yyy:zz:76:54d2:36fb:2fd5:56b6/64 Scope:Global

A working 11.4 system shows:

eth0  Link encap:Ethernet  HWaddr 70:xx:BC:46:7B:A9
      inet addr:xxx.yy.10.73  Bcast:xxx.yy.15.255  Mask:255.255.248.0
      inet6 addr: xxxx:yyy:zz:8:7271:bcff:fe46:7ba9/64 Scope:Global
      inet6 addr: fe80::xxxx:bcff:fe46:7ba9/64 Scope:Link

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Tue, Nov 15, 2011 at 6:12 PM, Lew Wolfgang
Hi Folks,
I installed RC2 last week on a desktop just for the fun of it. There were a few glitches during the install process but overall it went well.
But I'm having an issue with IPv6 addressing. The install is on a large network that runs both IPv4 and IPv6. Something like 96% of the six-thousand or so hosts are fully IPv6 enabled. openSuSE has always worked well enough in this environment.
Check /etc/sysctl.conf for net.ipv6.conf.default.use_tempaddr = 2 (or any value?) and report back. -- Jon
On 11/15/2011 04:14 PM, Jon Nelson wrote:
On Tue, Nov 15, 2011 at 6:12 PM, Lew Wolfgang
wrote: Hi Folks,
I installed RC2 last week on a desktop just for the fun of it. There were a few glitches during the install process but overall it went well.
But I'm having an issue with IPv6 addressing. The install is on a large network that runs both IPv4 and IPv6. Something like 96% of the six-thousand or so hosts are fully IPv6 enabled. openSuSE has always worked well enough in this environment. Check /etc/sysctl.conf for net.ipv6.conf.default.use_tempaddr = 2
(or any value?) and report back.
I added the line, and it did change the ifconfig output, but I don't think it's working yet.

First, why are there two addresses with the first 4 fields being identical? The working system had only one.

Notice that the second entry has a fe08:43 as the last part of the address. The 08 and 43 are in the last part of the MAC address, but where's the 00?

I think the infrastructure scanner here looks for a match and if it doesn't find it assumes a private address?

Regards,
Lew

eth0  Link encap:Ethernet  HWaddr 00:xx:E8:08:00:43
      inet addr:xxx.yy.77.50  Bcast:xxx.yy.79.255  Mask:255.255.252.0
      inet6 addr: xxxx:yyy:zz:76:55c:3a7:c833:270f/64 Scope:Global
      inet6 addr: xxxx:yyy:zzz:76:224:e8ff:fe08:43/64 Scope:Global
      inet6 addr: fe80::xxx:e8ff:fe08:43/64 Scope:Link
On Wednesday 16 November 2011, Lew Wolfgang wrote:
First, why are there two addresses with the first 4 fields being identical? The working system had only one.
Why you get a non link local address at all? DHCP, avahi ...? The usual case would be that you have nothing than one local fe80::/64 address per NIC.
Notice that the second entry has a fe08:43 as the last part of the address. The 08 and 43 are in the last part of the MAC address, but where's the 00?
Link local address is not "equal" mac address. http://www.ipv6news.info/2007/07/25/how-to-form-a-link-local-address-from-ma... cu, Rudi
On 11/15/2011 05:03 PM, Rüdiger Meier wrote:
On Wednesday 16 November 2011, Lew Wolfgang wrote:
First, why are there two addresses with the first 4 fields being identical? The working system had only one. Why you get a non link local address at all? DHCP, avahi ...? The usual case would be that you have nothing than one local fe80::/64 address per NIC.
Hi Rudi I'm certainly not a IPv6 expert, but doesn't a host negotiate with the nearest router for non-link local addresses? There is dhcp, but IIRC it's only IPv4. Microsoft products and Apple don't work well with dhcpd-ipv6, IIRC.
Notice that the second entry has a fe08:43 as the last part of the address. The 08 and 43 are in the last part of the MAC address, but where's the 00? Link local address is not "equal" mac address. http://www.ipv6news.info/2007/07/25/how-to-form-a-link-local-address-from-ma...
Right. Here's the ifconfig output from the not-working RC2 system:

eth0  Link encap:Ethernet  HWaddr 00:xx:E8:08:00:43
      inet addr:xxx.yy.77.50  Bcast:xxx.yy.79.255  Mask:255.255.252.0
      inet6 addr: xxxx:yyy:zz:76:224:e8ff:fe08:43/64 Scope:Global
      inet6 addr: fe80::xxx:e8ff:fe08:43/64 Scope:Link
      inet6 addr: xxxx:yyy:zz:76:54d2:36fb:2fd5:56b6/64 Scope:Global

As you can see, the link-local address is malformed given the ipv6news information.

Should be: fe80::xxx:e8ff:fe08:00:43/64
Is:        fe80::xxx:e8ff:fe08:43/64

(I added the "xxx")

Notice that the first "global" address has the same problem. Could this be a failure to transcribe the lower 24-bits of MAC addy?

Regards,
Lew
On Wednesday 16 November 2011, Lew Wolfgang wrote:
On 11/15/2011 05:03 PM, Rüdiger Meier wrote:
On Wednesday 16 November 2011, Lew Wolfgang wrote:
First, why are there two addresses with the first 4 fields being identical? The working system had only one.
Why you get a non link local address at all? DHCP, avahi ...? The usual case would be that you have nothing than one local fe80::/64 address per NIC.
Hi Rudi
I'm certainly not a IPv6 expert,
Me neither :) BTW there is a really nice IPv6 certification program for free http://ipv6.he.net/certification/ It includes many multiple choice questionnaires and practical tests at different levels. It's real fun and instructive to progress that step by step.
but doesn't a host negotiate with the nearest router for non-link local addresses? There is dhcp, but IIRC it's only IPv4. Microsoft products and Apple don't work well with dhcpd-ipv6, IIRC.
I don't see why you get 2 global addresses within the same /64 net. Just mentioned that you should find out somehow where from you get them.
As you can see, the link-local address is malformed given the ipv6news information.
Should be: fe80::xxx:e8ff:fe08:00:43/64 Is: fe80::xxx:e8ff:fe08:43/64
Actually the "missing" 00 belongs to the last block so it should be fe80::xxx:e8ff:fe08:0043/64 which is the same as it is. cu, Rudi
On 11/16/2011 02:15 AM, Ruediger Meier wrote:
but doesn't a host negotiate with
the nearest router for non-link local addresses? There is dhcp, but IIRC it's only IPv4. Microsoft products and Apple don't work well with dhcpd-ipv6, IIRC. I don't see why you get 2 global addresses within the same /64 net. Just mentioned that you should find out somehow where from you get them.
Sorry, I've been busy and haven't been able to reply. Yes, that seems to be a question. Why two global addresses in 12.1, one in 11.4.
As you can see, the link-local address is malformed given the ipv6news information.
Should be: fe80::xxx:e8ff:fe08:00:43/64 Is: fe80::xxx:e8ff:fe08:43/64 Actually the "missing" 00 belongs to the last block so it should be fe80::xxx:e8ff:fe08:0043/64 which is the same as it is.
Ah, thanks for that factoid! Regards, Lew
Lew Wolfgang wrote:
I'm certainly not a IPv6 expert, but doesn't a host negotiate with the nearest router for non-link local addresses? There is dhcp, but IIRC it's only IPv4. Microsoft products and Apple don't work well with dhcpd-ipv6, IIRC.
The host negotiates with the router(s) for the subnet portion of the address. The rest is derived from the MAC. Other methods are DHCP, random number and manual configuration.
On Tuesday 15 Nov 2011 16:40:08 Lew Wolfgang wrote:
On 11/15/2011 04:14 PM, Jon Nelson wrote:
On Tue, Nov 15, 2011 at 6:12 PM, Lew Wolfgang
wrote: Hi Folks,
I installed RC2 last week on a desktop just for the fun of it. There were a few glitches during the install process but overall it went well.
But I'm having an issue with IPv6 addressing. The install is on a large network that runs both IPv4 and IPv6. Something like 96% of the six-thousand or so hosts are fully IPv6 enabled. openSuSE has always worked well enough in this environment.
Check /etc/sysctl.conf for net.ipv6.conf.default.use_tempaddr = 2
(or any value?) and report back.
I added the line, and it did change the ifconfig output, but I don't think it's working yet.
Previous to 12.1 the default stateless auto configuration setup was to use the mac address to generate the last part of the IPv6 address for global scope addresses. It was possible to instead (for privacy reasons) use a randomly generated IPv6 address via /etc/sysctl.conf and setting either

net.ipv6.conf.default.use_tempaddr = 2 (or 1)

In 12.1 the default IPv6 setup is to use a random temporary address as a preference, so you don't need to set the above line in /etc/sysctl.conf. You should note that when using a random address instead of a mac generated one, it is normal to have _both_ the random address and the mac generated one as global scope addresses. The random address is simply used in preference to the mac generated one.
First, why are there two addresses with the first 4 fields being identical? The working system had only one.
See above.
Notice that the second entry has a fe08:43 as the last part of the address. The 08 and 43 are in the last part of the MAC address, but where's the 00?
It is common practice to squash leading zeros or blocks of all zeros when displaying IPv6 addresses, in fact your link scope address

fe80::xxxx (note the position of the double colons)

is actually

fe80:0000:0000:0000:xxxx

The zeroes are just squashed. Similarly a block with leading zeros e.g. 0043 can just be represented as 43.

In short, your IPv6 addressing in 12.1 looks just fine.
I think the infrastructure scanner here looks for a match and if it doesn't find it assumes a private address?
You say the previous working setup you had only one IPv6 address, that very much sounds like it *wasn't* using random generated addresses and using only mac generated addresses. I suspect this is also how the infrastructure scanner works, it probably expects the addresses to match the mac.

try net.ipv6.conf.default.use_tempaddr = 0

in /etc/sysctl.conf to turn off random address generation.

Cheers the noo,
Graham
On 11/16/2011 03:31 AM, Graham Anderson wrote:
In 12.1 the default IPv6 setup is to use a random temporary address as a preference, so you don't need to set the above line in /etc/sysctl.conf. You should note that when using a random address instead of a mac generated one, it is normal to have _both_ the random address and the mac generated one as global scope addresses. The random address is simply used in preference to the mac generated one.
Ah, that explains the two addresses. So how do I change the preferences to favor the mac generated addy?
Regards, Lew
On Wednesday 16 Nov 2011 15:10:08 Lew Wolfgang wrote:
Ah, that explains the two addresses. So how do I change the preferences to favor the mac generated addy?
try net.ipv6.conf.default.use_tempaddr = 0
This should stop the creation of a random generated address.
try net.ipv6.conf.default.use_tempaddr = 1
This *should* create a random generated address, but prefer the mac generated one.
try net.ipv6.conf.default.use_tempaddr = 2
Creates random address and uses it in preference.
On 11/16/2011 03:20 PM, Graham Anderson wrote:
Ah, that explains the two addresses. So how do I change the preferences to favor the mac generated addy?
On Wednesday 16 Nov 2011 15:10:08 Lew Wolfgang wrote: try net.ipv6.conf.default.use_tempaddr = 0
This should stop the creation of a random generated address.
try net.ipv6.conf.default.use_tempaddr = 1
This *should* create a random generated address, but prefer the mac generated one.
try net.ipv6.conf.default.use_tempaddr = 2
Creates random address and uses it in preference.
I tried all these to no avail. I'm guessing that the issue is with the second global private address that's being generated in 12.1. The host is reachable via ipv6 from other hosts on the network, which proves that the public address is working, right? The scanner must be choking on the private one that also shows up. I'm going to run this by the infrastructure gurus here, I'll post what happens here. Regards, Lew
Lew Wolfgang wrote:
The scanner must be choking on the private one that also shows up.
If the 2nd address has the same network ID as the first, differing only in the last 64 bits, it is not a "private IP". Private IPs are addresses that are not supposed to be routed, such as those starting with fe80 in IPv6 or any included in RFC1918 in IPv4.
I'm going to run this by the infrastructure gurus here, I'll post what happens here.
Please also mention that they can expect similar with Windows 7, so they won't try to blame it on Linux.
Lew Wolfgang wrote:
On 11/15/2011 04:14 PM, Jon Nelson wrote:
On Tue, Nov 15, 2011 at 6:12 PM, Lew Wolfgang
wrote: Hi Folks,
I installed RC2 last week on a desktop just for the fun of it. There were a few glitches during the install process but overall it went well.
But I'm having an issue with IPv6 addressing. The install is on a large network that runs both IPv4 and IPv6. Something like 96% of the six-thousand or so hosts are fully IPv6 enabled. openSuSE has always worked well enough in this environment. Check /etc/sysctl.conf for net.ipv6.conf.default.use_tempaddr = 2
(or any value?) and report back.
I added the line, and it did change the ifconfig output, but I don't think it's working yet.
First, why are there two addresses with the first 4 fields being identical? The working system had only one.
As I mentioned in another note, multiple IPv6 addresses are to be expected. If your network can't deal with it, that's where the problem lies. You'll have the same issues with Windows 7. The first 4 fields reflect your subnetwork address. With IPv6 it is possible to be on more than one subnet at the same time.
Notice that the second entry has a fe08:43 as the last part of the address. The 08 and 43 are in the last part of the MAC address, but where's the 00?
The last 64 bits of any address derived from the MAC address contain 24 bits from the MAC (the manufacturer ID), fffe, and then the remaining 24 bits of the MAC. The first 64 bits of an IPv6 address denote your subnet address or, in the case of link local addresses, start with feff. There are other special address ranges.
I think the infrastructure scanner here looks for a match and if it doesn't find it assumes a private address?
That's what I suspect. Your network admin will have to fix that or expect a lot of problems in the future.
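Added example, not written by any poster in this thread: a Python sketch of how a MAC-derived (modified EUI-64) interface identifier is built and how a compliance check could tell it apart from a temporary (use_tempaddr) address. The MAC is from the documentation range 00:00:5E:00:53:xx, the prefix is the 2001:db8::/32 documentation prefix, and the assumption that the site scanner compares the lower 64 bits against the registered MAC is only the guess made in the thread.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # lower 64 bits of an IPv6 address


def eui64_interface_id(mac: str) -> int:
    """Return the modified EUI-64 interface identifier for a 48-bit MAC.

    Layout: first 3 MAC octets, ff:fe, last 3 MAC octets, with the
    universal/local bit (0x02 of the first octet) inverted. That bit flip
    is why a MAC starting 00: yields an address group starting 02.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a router-advertised /64 prefix with the MAC-derived identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("MAC-derived autoconfiguration needs a /64 prefix")
    return net[eui64_interface_id(mac)]


def classify(addr: str, mac: str) -> str:
    """Label one interface address the way a MAC-matching scanner might."""
    ip = ipaddress.IPv6Interface(addr).ip
    scope = "link-local" if ip.is_link_local else "global"
    derived = (int(ip) & IID_MASK) == eui64_interface_id(mac)
    return f"{scope}/{'mac-derived' if derived else 'not-mac-derived'}"


def audit(addresses, mac):
    """Map every address on an interface to its classification."""
    return {addr: classify(addr, mac) for addr in addresses}


# Constructed sample input modelled on the ifconfig output in the thread.
SAMPLE_MAC = "00:00:5E:00:53:43"
SAMPLE_ADDRESSES = [
    "2001:db8:0:76:200:5eff:fe00:5343/64",   # MAC-derived global address
    "fe80::200:5eff:fe00:5343/64",           # MAC-derived link-local address
    "2001:db8:0:76:54d2:36fb:2fd5:56b6/64",  # temporary address, same /64
]

if __name__ == "__main__":
    derived = slaac_address("2001:db8:0:76::/64", SAMPLE_MAC)
    # Compressed and fully written-out forms are the same address.
    print(derived, "=", derived.exploded)
    for addr, label in audit(SAMPLE_ADDRESSES, SAMPLE_MAC).items():
        print(f"{addr:42} {label}")
```

A scanner that flags every address labelled not-mac-derived would report the third sample address even though it sits in the same /64 as the first.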
On Wednesday 16 November 2011, James Knott wrote:
With IPv6 it is possible to be on more than one subnet at the same time.
Beside this it's also true for ipv4. On the other hand both of Lew's public ipv6 IPs are from the _same_ subnet.
The first 64 bits of an IPv6 address denote your subnet address
Only if you have /64 mask.
or, in the case of link local addresses, start with feff. There are other special address ranges.
You mean fe80 right? Even more precisely it's fe80::/10 (fe80 - febf).
I think the infrastructure scanner here looks for a match and if it doesn't find it assumes a private address?
That's what I suspect. Your network admin will have to fix that or expect a lot of problems in the future.
I don't believe that the network staff of that 6000 nodes is completely wrong here. Before asking the admin about _fixing_ his network I would ask him about how your client should be configured. cu, Rudi
Ruediger Meier wrote:
On Wednesday 16 November 2011, James Knott wrote:
With IPv6 it is possible to be on more than one subnet at the same time.
Beside this it's also true for ipv4. On the other hand both of Lew's public ipv6 IPs are from the _same_ subnet.
While you can certainly add additional addresses in IPv4, it's not quite as easy as IPv6.
The first 64 bits of an IPv6 address denote your subnet address
Only if you have /64 mask.
Subnets need at least 64 bits, because of the way the MAC address is used. If you had a smaller subnet (greater mask) you'd have to use some other method to create the address.
or, in the case of link local addresses, start with feff. There are other special address ranges.
You mean fe80 right? Even more precisely it's fe80::/10 (fe80 - febf).
Yep, typo. I haven't had my morning beer yet. ;-)
I think the infrastructure scanner here looks for a match and if it doesn't find it assumes a private address?
That's what I suspect. Your network admin will have to fix that or expect a lot of problems in the future.
I don't believe that the network staff of that 6000 nodes is completely wrong here. Before asking the admin about _fixing_ his network I would ask him about how your client should be configured.
As shown here, openSUSE 12.1 does this, as does Windows 7. So, yes there's going to be a lot of problems, if the network continues to do that. The alternative is to reconfigure all 6000 nodes. Which is the bigger problem? The history of the computer industry shows plenty of examples where something chokes on something that's normal, because it wasn't allowed for.
On Wednesday 16 November 2011, James Knott wrote:
While you can certainly add additional addresses in IPv4, it's not quite as easy as IPv6.
Hm, it's not really a problem:

ip address add 1.1.1.1/24 dev eth0
ip address add 1.1.2.1/24 dev eth0

Exact the same way you would do for IPv6.
As shown here, openSUSE 12.1 does this, as does Windows 7. So, yes there's going to be a lot of problems, if the network continues to do that. The alternative is to reconfigure all 6000 nodes. Which is the bigger problem?
I can't follow you. The network admin makes the routing rules not the client admin. As others have mentioned already the network staff probably wants to track what _your_ machine is doing within the network thus they don't allow you to use randomized addresses for a good reason. cu, Rudi
Ruediger Meier wrote:
On Wednesday 16 November 2011, James Knott wrote:
While you can certainly add additional addresses in IPv4, it's not quite as easy as IPv6.
Hm, it's not really a problem:
ip address add 1.1.1.1/24 dev eth0
ip address add 1.1.2.1/24 dev eth0
Exact the same way you would do for IPv6.
Your example requires manual configuration. With IPv6, it happens automagically.
As shown here, openSUSE 12.1 does this, as does Windows 7. So, yes
there's going to be a lot of problems, if the network continues to do that. The alternative is to reconfigure all 6000 nodes. Which is the bigger problem?
I can't follow you. The network admin makes the routing rules not the client admin.
As others have mentioned already the network staff probably wants to track what _your_ machine is doing within the network thus they don't allow you to use randomized addresses for a good reason.
"Out of the box" computers will be getting both addresses. This means something has to be done to prevent the network from choking on all those addresses, either change the network or change all the computers. As for knowing what's happening, the hosts advertise their presence to the entire local network, so it wouldn't be terribly difficult to match IP addresses to MAC addresses. Some people are worried about their MAC derived IP address identifying a particular computer. On the other hand, if you want to be able to reach that computer, you need a consistent IP address. Having both types addresses (sorry <g>) both situations. Use the random address for outgoing connections and the static IP for incoming.
James Knott wrote:
the hosts advertise their presence to the entire local network
Here's some info on how this works: https://secure.wikimedia.org/wikipedia/en/wiki/Neighbor_Discovery_Protocol
On 11/16/2011 08:34 AM, Ruediger Meier wrote:
As others have mentioned already the network staff probably wants to track what _your_ machine is doing within the network thus they don't allow you to use randomized addresses for a good reason.
Yes, this is the case. The network infrastructure requires that any device touching the network be pre-registered, with enforcement implemented with the MAC address. If your MAC isn't registered you get placed into an isolated "rogue" VLAN. Once registered and connected, the devices are remotely scanned on a regular basis to insure security compliance and for billing purposes. There is apparently a way to configure Windows 7 to not use private addresses, since those devices are in use on the network. I hope someone can figure out how to do the same with openSuSE 12.1! BTW, I can't use Arch Linux here either, for reasons I'd rather not go into. But Ubuntu apparently works... Regards. Lew
Lew Wolfgang wrote:
Yes, this is the case. The network infrastructure requires that any device touching the network be pre-registered, with enforcement implemented with the MAC address. If your MAC isn't registered you get placed into an isolated "rogue" VLAN.
Regardless of how the IPv6 address is configured, the MAC address doesn't change and is included in every packet sent from a host. Compare this with IPv4, where there's no mapping between IP & MAC addresses, unless specifically configured. So, if they're filtering on MAC address, then this shouldn't be an issue. I get the impression this may be caused by someone trying a bit too hard to control everything and not understanding the implications.
On donderdag 17 november 2011 00:55:33 James Knott wrote:
Lew Wolfgang wrote:
Yes, this is the case. The network infrastructure requires that any device touching the network be pre-registered, with enforcement implemented with the MAC address. If your MAC isn't registered you get placed into an isolated "rogue" VLAN.
Regardless of how the IPv6 address is configured, the MAC address doesn't change and is included in every packet sent from a host.
No, the IPv6 address is not included in every packet sent, it depends on the settings, as has been discussed before. Unfortunately you can't set it with YaST, so you need to set it in the mentioned file. -- fr.gr. Freek de Kruijf
Freek de Kruijf wrote:
Regardless of how the IPv6 address is configured, the MAC address
doesn't change and is included in every packet sent from a host.
No, the IPv6 address is not included in every packet sent, it depends on the settings, as has been discussed before. Unfortunately you can't set it with YaST, so you need to set it in the mentioned file.
I did not say IPv6 address. I said MAC address, which every Ethernet packet requires, whether it's carrying IPv4, IPv6 or other. Without MAC addresses, your network will fail.
James Knott
Lew Wolfgang wrote:
Yes, this is the case. The network infrastructure requires that any device touching the network be pre-registered, with enforcement implemented with the MAC address. If your MAC isn't registered you get placed into an isolated "rogue" VLAN.
Regardless of how the IPv6 address is configured, the MAC address doesn't change and is included in every packet sent from a host. Compare this with IPv4, where there's no mapping between IP & MAC addresses, unless specifically configured. So, if they're filtering on MAC address, then this shouldn't be an issue. I get the impression this may be caused by someone trying a bit too hard to control everything and not understanding the implications.
So, what am *I* (the user of a network) expected to do about it? Teach the network admins how they could have done it? I don't think you see the point, your Windows 7 example is the perfect counterexample. Windows 7 EXACTLY knows how to deal with this, automagically. It sets up both addresses, prefers the one obtained using privacy extensions, then, after a while when it notices there's no incoming global traffic, it falls back to the link local address. So the question here is, how to mimic that behaviour in 12.1, and *not* how to be an extra-smart egghead? The former will grant you access, the latter probably won't. Sebastian
Sebastian Freundt wrote:
James Knott
writes: Lew Wolfgang wrote:
Yes, this is the case. The network infrastructure requires that any device touching the network be pre-registered, with enforcement implemented with the MAC address. If your MAC isn't registered you get placed into an isolated "rogue" VLAN.
Regardless of how the IPv6 address is configured, the MAC address doesn't change and is included in every packet sent from a host. Compare this with IPv4, where there's no mapping between IP & MAC addresses, unless specifically configured. So, if they're filtering on MAC address, then this shouldn't be an issue. I get the impression this may be caused by someone trying a bit too hard to control everything and not understanding the implications.
So, what am *I* (the user of a network) expected to do about it? Teach the network admins how they could have done it? I don't think you see the point, your Windows 7 example is the perfect counterexample. Windows 7 EXACTLY knows how to deal with this, automagically. It sets up both addresses, prefers the one obtained using privacy extensions, then, after a while when it notices there's no incoming global traffic, it falls back to the link local address.
So the question here is, how to mimic that behaviour in 12.1, and *not* how to be an extra-smart egghead? The former will grant you access, the latter probably won't.
Sebastian
I have a computer here with both openSUSE 12.1 and Windows 7 on it. Both provide a MAC based address and a random number based address, in addition to the link local address. So, in this respect, they behave the same. While it may be possible to change the configuration for either, to provide only a MAC based address, by default, both Linux and Windows provide both. So, yes, you talk to the network admins about this because their overly restrictive policy will cause problems because multiple IPv6 addresses are to be expected. By all means, filter on a MAC, but don't try to limit which address, provided it's valid for the subnet(s)*, is used. Those admins have to realize that every IPv6 device will have a minimum of 2 addresses and will often have 3 or more. If they don't understand that, they are incompetent. *It is entirely possible for a computer to be on multiple subnets with IPv6.
James Knott
Sebastian Freundt wrote:
James Knott
writes: Lew Wolfgang wrote:
Yes, this is the case. The network infrastructure requires that any device touching the network be pre-registered, with enforcement implemented with the MAC address. If your MAC isn't registered you get placed into an isolated "rogue" VLAN.
Regardless of how the IPv6 address is configured, the MAC address doesn't change and is included in every packet sent from a host. Compare this with IPv4, where there's no mapping between IP & MAC addresses, unless specifically configured. So, if they're filtering on MAC address, then this shouldn't be an issue. I get the impression this may be caused by someone trying a bit too hard to control everything and not understanding the implications.
So, what am *I* (the user of a network) expected to do about it? Teach the network admins how they could have done it? I don't think you see the point, your Windows 7 example is the perfect counterexample. Windows 7 EXACTLY knows how to deal with this, automagically. It sets up both addresses, prefers the one obtained using privacy extensions, then, after a while when it notices there's no incoming global traffic, it falls back to the link local address.
So the question here is, how to mimic that behaviour in 12.1, and *not* how to be an extra-smart egghead? The former will grant you access, the latter probably won't.
Sebastian
I have a computer here with both openSUSE 12.1 and Windows 7 on it. Both provide a MAC based address and a random number based address, in addition to the link local address. So, in this respect, they behave the same. While it may be possible to change the configuration for either, to provide only a MAC based address, by default, both Linux and Windows provide both. So, yes, you talk to the network admins
Windows 7 automatically deactivates those `networks' where no packets seem to come in (or go out). I quite have the opposite problem with my Win7 setup, I want to *keep* those addresses but I have yet to find a way to convince windows of doing that.
about this because their overly restrictive policy will cause problems because multiple IPv6 addresses are to be expected. By all means, filter on a MAC, but don't try to limit which address, provided it's valid for the subnet(s)*, is used. Those admins have to realize that
See PS.
every IPv6 device will have a minimum of 2 addresses and will often have 3 or more. If they don't understand that, they are incompetent.
*It is entirely possible for a computer to be on multiple subnets with IPv6.
I'm not arguing against that, don't get me wrong. Of course they are incompetent or ignorant or paranoid or simply inexperienced but we have to ask ourselves the question why it took so long for v6 to be widely adopted, because the learning curve is steep, for developers, for hardware vendors and for network admins. What I can't accept (and you seem to imply that) is that said parties confront the *actual* user with this learning curve. The protocol doesn't require (as in RFC 2119 [1]) a router to accept and route multiple unicast addresses from one link, it *allows* it (prove me wrong on this one), and for the same reasons I, as a network admin, am not obliged to comply with best practices for any reason there may be. But I, as a network admin, can expect my users to comply with the rules I've set up for the network, so it's their problem, either they want access or they don't. Now wouldn't it be greatly helpful if you/your system could *easily* adapt to these rules? PS: Oh, and if you could please have a word with my ISP and convince them that they're incompetent and their network setup must be changed, here's their support team: http://www.easynet.com/gb/en/support/ They limit me on ONE address in my /64 of which all my traffic has to come from. [1]: http://tools.ietf.org/html/rfc2119
Sebastian Freundt wrote:
I have a computer here with both openSUSE 12.1 and Windows 7 on it.
Both provide a MAC based address and a random number based address, in addition to the link local address. So, in this respect, they behave the same. While it may be possible to change the configuration for either, to provide only a MAC based address, by default, both Linux and Windows provide both. So, yes, you talk to the network admins
Windows 7 automatically deactivates those `networks' where no packets seem to come in (or go out). I quite have the opposite problem with my Win7 setup, I want to *keep* those addresses but I have yet to find a way to convince windows of doing that.
The Windows 7 computer I have here has 3 IPv6 addresses, one based on the MAC, one random number and also the link local address. The MAC and random addresses are both valid addresses on my subnet, with the first 64 bits identical. There is no other "network" to be deactivated. With Windows, there may also be a Teredo tunnel, which allows IPv6 tunnelling via IPv4. You probably want to turn that off, unless you have a need for it.
What I can't accept (and you seem to imply that) is that said parties confront the *actual* user with this learning curve. The protocol doesn't require (as in RFC 2119 [1]) a router to accept and route multiple unicast addresses from one link, it *allows* it (prove me wrong on this one), and for the same reasons I, as a network admin, am not obliged to comply with best practices for any reason there may be.
???? That RFC is about defining words in RFCs and has nothing to do with IPv6. What I am saying is those admins appear to have created the problem, by being overly restrictive. I am not saying they confront the user with the problem, only that they fix the problem they created. Also, a router normally passes all valid addresses from a subnet, unless specifically configured not to. As an example, my firewall/router here is a Linux box. For me to limit what addresses can pass through it, I'd have to use the iptables rules to block some addresses.
But I, as a network admin, can expect my users to comply with the rules I've set up for the network, so it's their problem, either they want access or they don't. Now wouldn't it be greatly helpful if you/your system could *easily* adapt to these rules?
If your rules don't allow normal, out of the box, behaviour, then your rules are wrong, unless you're prepared to configure every computer to comply with them. This is most definitely not a user issue as most users wouldn't have a clue about it. As a network admin, I'd expect you to know the implications of what you do. Blocking addresses that are not based on the MAC is not a suitable policy, in that, by default, later versions of Linux & Windows provide both MAC based and random IP addresses. Blocking unrecognized MACs, no matter what the IP address, is a suitable policy. I can tell you that if I were to plug my computer into that network and booted into either Linux or Windows, I would have that problem, because either way, I would have both MAC and random addresses.
PS: Oh, and if you could please have a word with my ISP and convince them that they're incompetent and their network setup must be changed, here's their support team: http://www.easynet.com/gb/en/support/ They limit me on ONE address in my /64 of which all my traffic has to come from.
Are you saying you can only use one address in your subnet? Also, if you've been following the discussion, you'd realize that only the random number based address is used for outgoing traffic. The MAC based address would normally only be used if you want to reach a computer from outside. i.e. the DNS would point to it, rather than the random address. Also, how would your ISP know whether that traffic is from one computer or not, given that as soon as a packet passes through a router, the computer's MAC address is discarded and replaced by the router's MAC address for the port facing the ISP.
James Knott
Sebastian Freundt wrote: [snip]
What I can't accept (and you seem to imply that) is that said parties confront the *actual* user with this learning curve. The protocol doesn't require (as in RFC 2119 [1]) a router to accept and route multiple unicast addresses from one link, it *allows* it (prove me wrong on this one), and for the same reasons I, as a network admin, am not obliged to comply with best practices for any reason there may be.
????
That RFC is about defining words in RFCs and has nothing to do with IPv6.
What I am saying is those admins appear to have created the problem, by being overly restrictive. I am not saying they confront the user with the problem, only that they fix the problem they created. Also, a router normally passes all valid addresses from a subnet, unless specifically configured not to. As an example, my firewall/router here is a Linux box. For me to limit what addresses can pass through it, I'd have to use the iptables rules to block some addresses.
Exactly, the protocol doesn't REQUIRE as in make it mandatory for a router to route all addresses from the subnet, hence it's completely compliant not to, and that's my point, I could argue your network setup is completely wrong just the way you argue theirs is `wrong'.
But I, as a network admin, can expect my users to comply with the rules I've set up for the network, so it's their problem, either they want access or they don't. Now wouldn't it be greatly helpful if you/your system could *easily* adapt to these rules?
If your rules don't allow normal, out of the box, behaviour, then your rules are wrong, unless you're prepared to configure every computer to comply with them. This is most definitely not a user issue as most users wouldn't have a clue about it.
Or, you could say, the out of the box behaviour is wrong, because their network rules are fine, after all they comply with the standard, don't they? This discussion leads nowhere does it?
As a network admin, I'd expect you to know the implications of what you do. Blocking addresses that are not based on the MAC is not a suitable policy, in that, by default, later versions of Linux & Windows provide both MAC based and random IP addresses. Blocking unrecognized MACs, no matter what the IP address, is a suitable policy.
Nope, it doesn't matter what you think is suitable or not, my point is that it must be just as easy to adapt to the one situation as to the other.
I can tell you that if I were to plug my computer into that network and booted into either Linux or Windows, I would have that problem, because either way, I would have both MAC and random addresses.
Yes, I know, me too actually. Still, as a network admin, I wouldn't change my network policies just because some devices can't use my network out of the box. And you should be more specific, Ubuntu 11.10 CAN access the network in question out of the box, it's just SuSE 12.1 that can't.
PS: Oh, and if you could please have a word with my ISP and convince them that they're incompetent and their network setup must be changed, here's their support team: http://www.easynet.com/gb/en/support/ They limit me on ONE address in my /64 of which all my traffic has to come from.
Are you saying you can only use one address in your subnet? Also, if
Yes. I'm saying that.
you've been following the discussion, you'd realize that only the random number based address is used for outgoing traffic. The MAC based address would normally only be used if you want to reach a computer from outside. i.e. the DNS would point to it, rather than the random address. Also, how would your ISP know whether that traffic is from one computer or not, given that as soon as a packet passes through a router, the computer's MAC address is discarded and replaced by the router's MAC address for the port facing the ISP.
I was making a more general point, you insist that everyone's wrong but you whereas in fact there are many scenarios in the real world that need adapting, and those adaptions must be easy, or maybe even automatic. My ISP doesn't care about MAC addresses, all they want is all traffic to come from exactly one address they've given me (ending in ::2). I can't use privacy extensions nor can I use a MAC-based autoconfig'd address. And don't get me wrong, I'm fully aware that this is stupid, not modern and can be improved massively, but do you *really* think they will change their set up just because it's inconvenient for me? If so, you're still invited to convince them otherwise. PS: I have been talking to them, and they do offer a fully routed /64, and even a /48, alas they expect me to pay a lot more dosh for that.
Sebastian Freundt wrote:
Nope, it doesn't matter what you think is suitable or not, my point is that it must be just as easy to adapt to the one situation as to the other.
I can tell you that if I were to plug my computer into that network and booted into either Linux or Windows, I would have that problem, because either way, I would have both MAC and random addresses.
Yes, I know, me too actually. Still, as a network admin, I wouldn't change my network policies just because some devices can't use my network out of the box. And you should be more specific, Ubuntu 11.10 CAN access the network in question out of the box, it's just SuSE 12.1 that can't.
OK, get a new computer with Windows 7 on it. What will happen? This is the situation that most networks will face soon if not already. What will you do about it? You'll have to do exactly the same thing to accommodate 12.1. BTW, if you run ipconfig in Windows 7, you will see a line with IPv6 address, which lists the MAC based address and another "Temporary IPv6 address", which has the random generated address.
I was making a more general point, you insist that everyone's wrong but you whereas in fact there are many scenarios in the real world that need adapting, and those adaptions must be easy, or maybe even automatic.
My ISP doesn't care about MAC addresses, all they want is all traffic to come from exactly one address they've given me (ending in ::2). I can't use privacy extensions nor can I use a MAC-based autoconfig'd address. And don't get me wrong, I'm fully aware that this is stupid, not modern and can be improved massively, but do you *really* think they will change their set up just because it's inconvenient for me? If so, you're still invited to convince them otherwise.
PS: I have been talking to them, and they do offer a fully routed /64, and even a /48, alas they expect me to pay a lot more dosh for that.
You may want to refer them to the IETF guidelines on this. http://www.eu.ipv6tf.org/PublicDocuments/guidelines_for_isp_on_ipv6_assignme... However, this is an example of someone being stuck on IPv4 methods. With IPv4, the shortage of addresses limited what an ISP could offer. With IPv6, there's absolutely no valid reason for not offering at least a /64 subnet. I get my IPv6 subnet from a tunnel broker and it's a /56 (256 /64 subnets). Others offer /48. With the tunnel broker I use, I can configure for either a single address or a subnet, but it's entirely my choice and not theirs.
On Thursday 17 November 2011, James Knott wrote:
However, this is an example of someone being stuck on IPv4 methods. With IPv4, the shortage of addresses limited what an ISP could offer. With IPv6, there's absolutely no valid reason for not offering at least a /64 subnet.
Of course there are valid reasons for this...
I get my IPv6 subnet from a tunnel broker and it's a /56 (256 /64 subnets).
If you want to setup your net for more than 256 users then you as their ISP would not give everybody a ::/64 net. Of course you are a bad ISP with only such a ::/56 net almost as bad as Lew's ISP with only ::/64 for 6000 users. The reason to "not offering at least a ::/64 subnet" for everybody is still _valid_. cu, Rudi
Rüdiger Meier wrote:
On Thursday 17 November 2011, James Knott wrote:
However, this is an example of someone being stuck on IPv4 methods. With IPv4, the shortage of addresses limited what an ISP could offer. With IPv6, there's absolutely no valid reason for not offering at least a /64 subnet.
Of course there are valid reasons for this...
Such as??? As I mentioned, I can configure my tunnel for a subnet or single address, but that's my choice.
I get my IPv6 subnet from a tunnel broker and it's a /56 (256 /64 subnets).
If you want to setup your net for more than 256 users then you as their ISP would not give everybody a ::/64 net.
256 users???? A /56 subnet can support up to a trillion times the entire IPv4 address space. A /64 subnet allows 18.4 quintillion addresses. The IPv6 address space is huge. I've heard of comparisons such as the number of grains of sand on earth or the number of atoms in a ton of carbon. Another was if a 2" square represented the IPv4 address space, then IPv6 would be represented by the area of the solar system. Tell me again why an ISP should limit a customer to only one address.
Of course you are a bad ISP with only such a ::/56 net almost as bad as Lew's ISP with only ::/64 for 6000 users. The reason to "not offering at least a ::/64 subnet" for everybody is still _valid_.
I'm not sure you understand what you're implying here. A /56 network means that 56 of 128 address bits are used for the network address and the remaining 72 bits are used for local subnetting and host addresses. With a /56, you can have 256 subnets, each supporting 18.4 quintillion addresses. As for an ISP offering /64 subnets, that's the minimum size that allows using the MAC address to form the host address, using the current methods, where the 48 bit MAC is padded out to 64 bits. There is no shortage of /64 subnets. In fact, there are 2^64 or 18.4 quintillion of them. Even if an ISP is handing out /48 subnets (2^80 addresses each), the number of subnets is 65K times the entire IPv4 address space (2^16 x 2^32).
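Added example, not code from any poster in this thread: how the 48-bit MAC is padded out to the 64-bit host part, and why a host that also configures a random address trips a "MAC-based addresses only" rule like the one that flagged the 12.1 install. The MAC (RFC 7042 documentation range), the 2001:db8 prefix, the sample address lists and the function names are constructed for illustration.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface identifier


def eui64_interface_id(mac: str) -> int:
    """Interface ID that stateless autoconfiguration derives from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Pad 48 -> 64 bits: insert ff:fe in the middle and flip the
    # universal/local bit (0x02) of the first octet.
    padded = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(padded, "big")


def classify(addr: str, mac: str) -> tuple:
    """Return (scope, kind) for one configured address of the host owning `mac`."""
    ip = ipaddress.IPv6Interface(addr).ip  # accepts "addr" or "addr/prefixlen"
    scope = "link-local" if ip.is_link_local else "global"
    iid = int(ip) & IID_MASK
    if iid == eui64_interface_id(mac):
        kind = "eui64-own"      # MAC-based address of this interface
    elif (iid >> 24) & 0xFFFF == 0xFFFE:
        kind = "eui64-other"    # has the ff:fe filler, but for another MAC
    else:
        kind = "non-eui64"      # random/temporary or manually assigned
    return scope, kind


def flagged_by_mac_only_policy(mac: str, addrs: list) -> list:
    """Global addresses a 'host part must embed the MAC' rule would report."""
    return [a for a in addrs if classify(a, mac) == ("global", "non-eui64")]


# Constructed sample data (documentation MAC and prefix, not from a real host).
MAC = "00:00:5e:00:53:01"
HOST_WITH_TEMP_ADDR = [          # shape of the 12.1 / Windows 7 default
    "2001:db8:0:76:200:5eff:fe00:5301/64",
    "fe80::200:5eff:fe00:5301/64",
    "2001:db8:0:76:54d2:36fb:2fd5:56b6/64",
]
HOST_MAC_BASED_ONLY = HOST_WITH_TEMP_ADDR[:2]   # shape of the 11.4 output

if __name__ == "__main__":
    for a in HOST_WITH_TEMP_ADDR:
        print(a, classify(a, MAC))
    print("flagged:", flagged_by_mac_only_policy(MAC, HOST_WITH_TEMP_ADDR))
```

The MAC-based and random addresses share the same first 64 bits, so a filter keyed on the registered MAC or on the /64 prefix accepts both, while a filter keyed on the host part reports the second one.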
On 11/17/2011 09:47 AM, James Knott wrote:
256 users???? A /56 subnet can support up to a trillion times the entire IPv4 address space. A /64 subnet allows 18.4 quintillion addresses. The IPv6 address space is huge. I've heard of comparisons such as the number of grains of sand on earth or the number of atoms in a ton of carbon. Another was if a 2" square represented the IPv4 address space, then IPv6 would be represented by the area of the solar system. Tell me again why an ISP should limit a customer to only one address.
This may be offtopic, but how about this: Currently, email spam suppression relies heavily upon DNS RBL checks of the last relay's IPv4 address. I believe that IPv6 breaks this method in that a spammer can send out billions of individual spams, each one coming from a different address. Blocking an entire /64 subnet may introduce false-positive issues. I've heard some talk of keeping main-line MTA servers on IPv4 forever because of this. Go figure... Regards, Lew
Lew Wolfgang wrote:
On 11/17/2011 09:47 AM, James Knott wrote:
256 users???? A /56 subnet can support up to a trillion times the entire IPv4 address space. A /64 subnet allows 18.4 quintillion addresses. The IPv6 address space is huge. I've heard of comparisons such as the number of grains of sand on earth or the number of atoms in a ton of carbon. Another was if a 2" square represented the IPv4 address space, then IPv6 would be represented by the area of the solar system. Tell me again why an ISP should limit a customer to only one address.
This may be offtopic, but how about this:
Currently, email spam suppression relies heavily upon DNS RBL checks of the last relay's IPv4 address. I believe that IPv6 breaks this method in that a spammer can send out billions of individual spams, each one coming from a different address. Blocking an entire /64 subnet may introduce false-positive issues.
That problem already exists in IPv4 in that some ISPs are blacklisted as a result of spam coming from some of their customers. As for subnets, the same issues exist in both IPv4 & IPv6. The difference is in the size of the subnet. As I mentioned earlier, my own personal subnet is a trillion times the entire IPv4 address space.
I've heard some talk of keeping main-line MTA servers on IPv4 forever because of this. Go figure...
Regards, Lew
James Knott
Rüdiger Meier wrote:
On Thursday 17 November 2011, James Knott wrote:
However, this is an example of someone being stuck on IPv4 methods. With IPv4, the shortage of addresses limited what an ISP could offer. With IPv6, there's absolutely no valid reason for not offering at least a /64 subnet.
Of course there are valid reasons for this...
Such as??? As I mentioned, I can configure my tunnel for a subnet or single address, but that's my choice.
They grant you the right to do so, but they have no obligation, that's two very different things. Valid reasons? Sure: In Germany every network operator has to maintain a database of *all* connections from within this networks to the outside for 6 months, let me take your numbers from below: For a new outbound connection, I have the freedom to use the current epoch time (as in the original definition) makes up 32 bits, then the process id, 48 bits, then I have 16 bits to spare. Assume I just enumerate my connection, the first connection is 1, the second 2, and so on. Focus on the getaddrinfo(3) call and assume there's no nscd, or the names to be resolved are changing constantly (reverse lookups in spamfilter software for instance). I am actually monitoring my dns traffic, and I think I have some 20000 lookups per day. That's 20000 different addresses I used for getaddrinfo(3) alone. Take other stuff into consideration you use up 30000 addresses per day, on one host. Add your torrent mad brother or sister on their computer, 60000. That's a staggering 1.8 million addresses per month, 11 million addresses in 6 months. And that's just one customer. Take the largest German ISP, t-online, with around 15 million subscribers, that makes roughly 167 trillion entries in their database. Quite a bit. I imagine that would be reason enough to limit the number of addresses routed in a /64 to 1 or 2 or maybe 10.
I get my IPv6 subnet from a tunnel broker and it's a /56 (256 /64 subnets).
If you want to setup your net for more than 256 users then you as their ISP would not give everybody a ::/64 net.
256 users???? A /56 subnet can support up to a trillion times the entire IPv4 address space. A /64 subnet allows 18.4 quintillion addresses. The IPv6 address space is huge. I've heard of comparisons such as the number of grains of sand on earth or the number of atoms in a ton of carbon. Another was if a 2" square represented the IPv4 address space, then IPv6 would be represented by the area of the solar system. Tell me again why an ISP should limit a customer to only one address.
See above. Another would be if they happen to be on a fragile end of the BGP tree and have to change their routes frequently, STP propagation might be fast, but to propagate a changed route if there's millions of entries in the arp table could take a while.
Of course you are a bad ISP with only such a ::/56 net almost as bad as Lew's ISP with only ::/64 for 6000 users. The reason to "not offering at least a ::/64 subnet" for everybody is still _valid_.
I'm not sure you understand what you're implying here. A /56 network means that 56 of 128 address bits are used for the network address and the remaining 72 bits are used for local subnetting and host addresses. With a /56, you can have 256 subnets, each supporting 18.4 quintillion addresses. As for an ISP offering /64 subnets, that's the minimum size that allows using the MAC address to form the host address, using the current methods, where the 48 bit MAC is padded out to 64 bits. There is no shortage of /64 subnets. In fact, there are 2^64 or 18.4 quintillion of them. Even if an ISP is handing out /48 subnets (2^80 addresses each), the number of subnets is 65K times the entire IPv4 address space (2^16 x 2^32).
So? What are you implying here? That all routers on the internet magically had a RAM update and now can hold billions of addresses? It's good to have plenty of space left for the future, but it's not wise to go and waste that space immediately, or calling setups that won't cope with what you imagine broken or wrong?
Sebastian Freundt wrote:
Valid reasons? Sure: In Germany every network operator has to maintain a database of *all* connections from within this networks to the outside for 6 months, let me take your numbers from below: For a new outbound connection, I have the freedom to use the current epoch time (as in the original definition) makes up 32 bits, then the process id, 48 bits, then I have 16 bits to spare. Assume I just enumerate my connection, the first connection is 1, the second 2, and so on.
Many people and businesses currently use NAT to share a single IP address by more than one computer. The ISP only sees what is connected to them, and not what's behind the NAT. How does this differ from monitoring everything that passes through an IPv6 router?
Another would be if they happen to be on a fragile end of the BGP tree and have to change their routes frequently, STP propagation might be fast, but to propagate a changed route if there's millions of entries in the arp table could take a while.
Routing tables are based on network, not individual host addresses. This means that the number of computers or addresses you use is irrelevant, so long as they all belong to your network or subnet.
So? What are you implying here? That all routers on the internet magically had a RAM update and now can hold billions of addresses? It's good to have plenty of space left for the future, but it's not wise to go and waste that space immediately, or calling setups that won't cope with what you imagine broken or wrong?
One of the advantages of IPv6 is that it reduces the size of routing tables. The tables contain only network addresses and are done in a hierarchical manner, so that the most significant bits are sorted first then lesser ones, as you get closer to the destination. You will not find individual computers in a routing table.
James Knott
Sebastian Freundt wrote:
Valid reasons? Sure: In Germany every network operator has to maintain a database of *all* connections from within this networks to the outside for 6 months, let me take your numbers from below: For a new outbound connection, I have the freedom to use the current epoch time (as in the original definition) makes up 32 bits, then the process id, 48 bits, then I have 16 bits to spare. Assume I just enumerate my connection, the first connection is 1, the second 2, and so on.
Many people and businesses currently use NAT to share a single IP address by more than one computer. The ISP only sees what is connected to them, and not what's behind the NAT. How does this differ from monitoring everything that passes through an IPv6 router?
There's several answers, from very low-level tech talk to legal issues. I pick a mixture, imagine someone `uses' (read forges) one of your addresses inside your /64 (choose a different prefix if you want, the idea is that /x is assigned to you in a bigger network /y (y < x)), say they use 2001:db8:0:0::4 and their `assigned' network is actually 2001:db8:0:1::/64, now since you insist that they must route ALL traffic inside your network, they will certainly route that address, and since you have no designated router in the 2001:db8:0:0 network (you haven't named one, there's no BGP entry either), they will start an ndp request if no one had used the 0::4 before. Imagine the box that you declared as your router (but the ISP doesn't know about that) is busy/slow/off, it doesn't send a negative reply fast enough, the other guy's router had already ack'd the ndp. Now, their MAC address is in the neighbourhood table, they can now constantly keep it updated by ping6ing the router (a unicast address of the router was in the ndp packet). Long story short, there's a host in `your' /64 you don't know about and there's nothing you can do about it. Now they start serving child porn (or think of something illegal in your country) with that address. Naturally, the ISP will be asked to block traffic to that host, you lose your connectivity, well you go to gaol in my country for that. How do you prove you're innocent? With the liberal setup you're suggesting and just monitoring what goes over the router it's impossible. With a NAT setup as in the v4 world it's entirely different, there is a *designated* host, and from the ISP's point of view, that's all they're concerned about. Any forged traffic goes to *your* box and you can happily throw it away if you don't think it's yours. You seem to be quite confused about the concepts of IPv6, IPv6 is not the same as a 64bit version of v4 where you have another 64bit for your own personal use which happen to be globally routed.
BTW, don't tell me to tell the network team to fix their network, we DID that to no avail, if you want to see it yourself, email me, I give you the name and details and instructions on how to set it up.
Another would be if they happen to be on a fragile end of the BGP tree and have to change their routes frequently, STP propagation might be fast, but to propagate a changed route if there's millions of entries in the arp table could take a while.
Routing tables are based on network, not individual host addresses. This means that the number of computers or addresses you use is irrelevant, so long as they all belong to your network or subnet.
That's incorrect. Many routing table implementations allow a short cut notation if you want to route a whole network, cisco IOS allows that, linux too. Apparently, if the ISP was in their right mind, they would just route the whole /64 if their hardware supports it. If not, well, you could use STP to generate routes, or you do it the hard way, as the NOC team in our university and enter them one by one, also entering the MAC address associated with the IP into the MAC filter. How would you do that?
So? What are you implying here? That all routers on the internet magically had a RAM update and now can hold billions of addresses? It's good to have plenty of space left for the future, but it's not wise to go and waste that space immediately, or calling setups that won't cope with what you imagine broken or wrong?
One of the advantages of IPv6 is that it reduces the size of routing tables. The tables contain only network addresses and are done in a hierarchical manner, so that the most significant bits are sorted first then lesser ones, as you get closer to the destination. You will not find individual computers in a routing table.
Nope, incorrect. Don't claim stuff you're not sure about, at least use phrases like `I think' or so, others may get a completely wrong impression if they read your postings.
freundt@segen:pts/19:~> sudo ip -6 route add 2001:db8::1 dev aarnet
freundt@segen:pts/19:~> ip -6 route show | grep db8
2001:db8::1 dev aarnet metric 1024 mtu 1472 advmss 1412 hoplimit 0
You can argue that it's a /128 network, ok. But I've actually seen hosts where there's thousands of entries like that. I think HE even provides (read/show-only) access to their BGP routers via telnet, you can see it yourself.
Sebastian Freundt wrote:
I pick a mixture, imagine someone `uses' (read forges) one of your addresses inside your /64 (choose a different prefix if you want, the idea is that /x is assigned to you in a bigger network /y (y < x)), say they use 2001:db8:0:0::4 and their `assigned' network is actually 2001:db8:0:1::/64, now since you insist that they must route ALL traffic inside your network, they will certainly route that address, and since you have no designated router in the 2001:db8:0:0 network (you haven't named one, there's no BGP entry either), they will start an ndp request if no one had used the 0::4 before. Imagine the box that you declared as your router (but the ISP doesn't know about that) is busy/slow/off, it doesn't send a negative reply fast enough, the other guy's router had already ack'd the ndp. Now, their MAC address is in the neighbourhood table, they can now constantly keep it updated by ping6ing the router (a unicast address of the router was in the ndp packet). Long story short, there's a host in `your' /64 you don't know about and there's nothing you can do about it.
I am struggling to make sense of this. First, the ISP does not route anything within my network, only traffic to or from it, from the rest of the world. There is no routing within a local network, as all traffic is managed by MAC address. It is entirely possible to run a local network without a router, if you don't want to be able to reach elsewhere. Also, if they spoof an address on my subnet from elsewhere, then there's no way their MAC address will be recorded anywhere other than their network, as MAC addresses are stripped off when a packet passes through a router and replaced by one for the router port. That is, if you send an IP packet from a computer on your network to one on mine, I will not see your MAC address, but your IP packet will be carried by an Ethernet frame bearing my router's local MAC address. This means your MAC address will never, ever appear on my network or any other than your own. It's simply not possible.
Routing tables are based on network, not individual host addresses.
This means that the number of computers or addresses you use is irrelevant, so long as they all belong to your network or subnet.
That's incorrect. Many routing table implementations allow a short cut notation if you want to route a whole network, cisco IOS allows that, linux too. Apparently, if the ISP was in their right mind, they would just route the whole /64 if their hardware supports it. If not, well, you could use STP to generate routes, or you do it the hard way, as the NOC team in our university and enter them one by one, also entering the MAC address associated with the IP into the MAC filter. How would you do that?
It is possible to list a route to a single host, but not that host's specific address. When you set up a route, each end of the route is in a different subnet. For example, if we were configuring a route between our networks, I'd have an address in my subnet range e.g. 192.168.1.1 on my end and you'd have one for your end e.g. 172.16.3.1. Any traffic for your network would be sent via my 192.168.1.1 address, even though your addresses never appear on my end. I do not know if the address on your end is a router or a computer and I don't have to know.
One of the advantages of IPv6 is that it reduces the size of routing tables. The tables contain only network addresses and are done in a hierarchical manner, so that the most significant bits are sorted first then lesser ones, as you get closer to the destination. You will not find individual computers in a routing table.
Nope, incorrect. Don't claim stuff you're not sure about, at least use phrases like `I think' or so, others may get a completely wrong impression if they read your postings.
Actually, what I stated is correct. From http://www.tech-faq.com/understanding-ipv6.html
"An efficient hierarchical addressing and routing infrastructure: The IPv6 global addresses are designed to create an efficient routing infrastructure. The backbone routers of an IPv6 Internet have small routing tables. This is in line with the routing infrastructure of global ISPs."
Or from http://ezinearticles.com/?IPv4-Vs-IPv6-%28Advantages-and-Disadvantages%29&id=5160096
"Addressing and Routing Infrastructure Efficiency in IPv6 IPv6 designed to create an efficient, hierarchical, and summarize able routing infrastructure that is based on the common occurrence of multiple levels of Internet Service Providers. It reduce the size of routing table of backbone routers. Which is can cause of efficient internet experience."
There are many other sources on the Internet and in books that say the same thing.
James Knott
Sebastian Freundt wrote:
I pick a mixture, imagine someone `uses' (read forges) one of your addresses inside your /64 (choose a different prefix if you want, the idea is that /x is assigned to you in a bigger network /y (y < x)), say they use 2001:db8:0:0::4 and their `assigned' network is actually 2001:db8:0:1::/64, now since you insist that they must route ALL traffic inside your network, they will certainly route that address, and since you have no designated router in the 2001:db8:0:0 network (you haven't named one, there's no BGP entry either), they will start an ndp request if no one had used the 0::4 before. Imagine the box that you declared as your router (but the ISP doesn't know about that) is busy/slow/off, it doesn't send a negative reply fast enough, the other guy's router had already ack'd the ndp. Now, their MAC address is in the neighbourhood table, they can now constantly keep it updated by ping6ing the router (a unicast address of the router was in the ndp packet). Long story short, there's a host in `your' /64 you don't know about and there's nothing you can do about it.
I am struggling to make sense of this. First, the ISP does not route anything within my network, only traffic to or from it, from the rest of the world. There is no routing within a local network, as all
Exactly. Keep that in mind. No routing within a local network.
traffic is managed by MAC address. It is entirely possible to run a local network without a router, if you don't want to be able to reach elsewhere. Also, if they spoof an address on my subnet from elsewhere, then there's no way their MAC address will be recorded anywhere other than their network, as MAC addresses are stripped off when a packet passes through a router and replaced by one for the
Nope, there is no routing within a local network you said that just 6 lines ago.
router port. That is, if you send an IP packet from a computer on your network to one on mine, I will not see your MAC address, but your IP packet will be carried by an Ethernet frame bearing my router's local MAC address. This means your MAC address will never, ever appear on my network or any other than your own. It's simply not possible.
You didn't understand the scenario at all.
+------------------+-------------------+-------------+
| Your network /64 | Neighbour A /64   | ...
+------------------+-------------------+-------------+
+----------------------------------------------------+
| router /48                                         |
+----------------------------------------------------+
Yours is 2001:db8:0:0::/64
Neighbour A's is 2001:db8:0:1::/64
You have a router 2001:db8:0::/48
Traffic is coming in to a previously not known (or stale) address 2001:db8:0:0::4
The router issues an NDP for ::4, there is no router in your network in this example (you said that, see above). Neighbour A is clever and replies to the NDP before you can send an icmp6-unreachable.
From now on the router thinks ::4 is in your /64 but you have no control over that machine nor do you have a possibility to convince the router otherwise nor do you know where that machine is coming from.
Now it's your task to convince the court (or jury) that you did NOT possess ::4 at the time in question. Or that you didn't possess a node with MAC address x:y:z.
Routing tables are based on network, not individual host addresses. This means that the number of computers or addresses you use is irrelevant, so long as they all belong to your network or subnet.
That's incorrect. Many routing table implementations allow a short cut notation if you want to route a whole network, cisco IOS allows that, linux too. Apparently, if the ISP was in their right mind, they would just route the whole /64 if their hardware supports it. If not, well, you could use STP to generate routes, or you do it the hard way, as the NOC team in our university and enter them one by one, also entering the MAC address associated with the IP into the MAC filter. How would you do that?
It is possible to list a route to a single host, but not that host's specific address. When you set up a route, each end of the route is in a different subnet. For example, if we were configuring a route between our networks, I'd have an address in my subnet range e.g. 192.168.1.1 on my end and you'd have one for your end e.g. 172.16.3.1. Any traffic for your network would be sent via my 192.168.1.1 address, even though your addresses never appear on my end. I do not know if the address on your end is a router or a computer and I don't have to know.
So why do you throw in v4 now? I tell you that my main router is 2001:db8::1 if you want to communicate with 2001:db8:2::/48, you need a route to that computer THEN you will have a route to the :2::/48 network, so the task is down to finding a route to 2001:db8::1, and so on. If I don't happen to have 2001:db8::1 as my main router, and you don't and we want two of our computers to communicate, well, then we'll have to find a route ourselves. And that's all I'm saying. You have to put two routing rules on EVERY hop inbetween our networks. It is fun, I think everybody should have done that once in their life :)
One of the advantages of IPv6 is that it reduces the size of routing tables. The tables contain only network addresses and are done in a hierarchical manner, so that the most significant bits are sorted first then lesser ones, as you get closer to the destination. You will not find individual computers in a routing table.
Nope, incorrect. Don't claim stuff you're not sure about, at least use phrases like `I think' or so, others may get a completely wrong impression if they read your postings.
Actually, what I stated is correct. From http://www.tech-faq.com/understanding-ipv6.html
"An efficient hierarchical addressing and routing infrastructure: The IPv6 global addresses are designed to create an efficient routing infrastructure. The backbone routers of an IPv6 Internet have small routing tables. This is in line with the routing infrastructure of global ISPs."
So we were talking about the backbone routers all of a sudden? Who talked me out of talking about BGP? ;) The key idea is the hierarchy, and that facilitates smaller routing tables, but it's still wrong and wild interpretation to claim there are no individual computers in a routing table. I proved you wrong, I have more at least one in mine. And besides, what I have in my routing table has got nothing to do with the protocol itself, the protocol doesn't tell me how to organise my network.
Or from http://ezinearticles.com/?IPv4-Vs-IPv6-%28Advantages-and-Disadvantages%29&id=5160096
"Addressing and Routing Infrastructure Efficiency in IPv6
IPv6 designed to create an efficient, hierarchical, and summarize able routing infrastructure that is based on the common occurrence of multiple levels of Internet Service Providers. It reduce the size of routing table of backbone routers. Which is can cause of efficient internet experience."
There are many other sources on the Internet and in books that say the same thing.
None of your sources states that there won't be any individual nodes in the routing table. That was just fantasy and isn't true.
Sebastian Freundt wrote:
I am struggling to make sense of this. First, the ISP does not route anything within my network, only traffic to or from it, from the rest of the world. There is no routing within a local network, as all
Exactly. Keep that in mind. No routing within a local network.
traffic is managed by MAC address. It is entirely possible to run a local network without a router, if you don't want to be able to reach elsewhere. Also, if they spoof an address on my subnet from elsewhere, then there's no way their MAC address will be recorded anywhere other than their network, as MAC addresses are stripped off when a packet passes through a router and replaced by one for the
Nope, there is no routing within a local network you said that just 6 lines ago.
You seem to be making a habit of twisting what I say.
router port. That is, if you send an IP packet from a computer on your network to one on mine, I will not see your MAC address, but your IP packet will be carried by an Ethernet frame bearing my router's local MAC address. This means your MAC address will never, ever appear on my network or any other than your own. It's simply not possible.
You didn't understand the scenario at all.
I find much of what you say difficult to understand.
+------------------+-------------------+-------------+
| Your network /64 | Neighbour A /64   | ...
+------------------+-------------------+-------------+
+----------------------------------------------------+
| router /48                                         |
+----------------------------------------------------+
Yours is 2001:db8:0:0::/64
Neighbour A's is 2001:db8:0:1::/64
You have a router 2001:db8:0::/48
Traffic is coming in to a previously not known (or stale) address 2001:db8:0:0::4
The router issues an NDP for ::4, there is no router in your network in this example (you said that, see above). Neighbour A is clever and replies to the NDP before you can send an icmp6-unreachable.
From now on the router thinks ::4 is in your /64 but you have no control over that machine nor do you have a possibility to convince the router otherwise nor do you know where that machine is coming from.
The router should know what port contains what subnet. It should only ask for the MAC (NDP) on the appropriate network. You're asking it to accept that MAC from a network where it didn't ask and the IP address does not match the network it appears on. Do you have proof of that happening. Cache poisoning requires a host on the local network to do that. Also, if the router sends out a request for what appears to be a valid address, but for which there is no host, there will be no response. Also, in order for there to be any traffic between me and a neighbour with a different subnet there has to be a router, so "The router issues an NDP for ::4, there is no router in your network in this example (you said that, see above)." doesn't apply. What I was referring to is the situation where one host is talking to another host on the same network. A host on the other subnet does not use that method.
So why do you throw in v4 now?
To simplify the example (less typing). Functionally, there's no difference between IPv6 and IPv4 in this regard.
The key idea is the hierarchy, and that facilitates smaller routing tables, but it's still wrong and wild interpretation to claim there are no individual computers in a routing table. I proved you wrong, I have more at least one in mine. And besides, what I have in my routing table has got nothing to do with the protocol itself, the protocol doesn't tell me
Much B.S. deleted. Please do yourself a favour and do some research on this topic.
how to organise my network.
James Knott
Sebastian Freundt wrote:
I am struggling to make sense of this. First, the ISP does not route anything within my network, only traffic to or from it, from the rest of the world. There is no routing within a local network, as all
Exactly. Keep that in mind. No routing within a local network.
traffic is managed by MAC address. It is entirely possible to run a local network without a router, if you don't want to be able to reach elsewhere. Also, if they spoof an address on my subnet from elsewhere, then there's no way their MAC address will be recorded anywhere other than their network, as MAC addresses are stripped off when a packet passes through a router and replaced by one for the
Nope, there is no routing within a local network you said that just 6 lines ago.
You seem to be making a habit of twisting what I say.
I'm just stopping you, pointing out EXACTLY what YOU said. You said it's not necessary to have a router WITHIN a local network, correct, and you said it's necessary in order to connect that network with another network you need a router, correct. Then reread what I said, look at every step and point out where I'm wrong.
router port. That is, if you send an IP packet from a computer on your network to one on mine, I will not see your MAC address, but your IP packet will be carried by an Ethernet frame bearing my router's local MAC address. This means your MAC address will never, ever appear on my network or any other than your own. It's simply not possible.
You didn't understand the scenario at all.
I find much of what you say difficult to understand.
+------------------+-------------------+-------------+
| Your network /64 | Neighbour A /64   | ...
+------------------+-------------------+-------------+
+----------------------------------------------------+
| router /48                                         |
+----------------------------------------------------+
Yours is 2001:db8:0:0::/64
Neighbour A's is 2001:db8:0:1::/64
You have a router 2001:db8:0::/48
Traffic is coming in to a previously not known (or stale) address 2001:db8:0:0::4
The router issues an NDP for ::4, there is no router in your network in this example (you said that, see above). Neighbour A is clever and replies to the NDP before you can send an icmp6-unreachable.
From now on the router thinks ::4 is in your /64 but you have no control over that machine nor do you have a possibility to convince the router otherwise nor do you know where that machine is coming from.
The router should know what port contains what subnet. It should only
Wrong, that's what NDP is for. In this role the router is just like any other box. Anyone can ask anyone else connected link-locally for addresses. No protocol states that the router must know which subnet is on which port. Prove me wrong.
ask for the MAC (NDP) on the appropriate network. You're asking it to
Yes, the appropriate network according to RFC 4861 (NDP) is to use link local multicast. That's a very appropriate network, don't you think?
accept that MAC from a network where it didn't ask and the IP address does not match the network it appears on. Do you have proof of that
You don't know how NDP works. And yes, I have proof, I can show you the implementation in the linux kernel for instance. Also, I can give you full tcpdumps and the name of the provider. They do have a solution for the arp injection attack by now, the `solution' is that you can talk to the router ONLY via its fe80:: address and obviously you must use your fe80 address for that and that one has to be centrally registered via web-interface, tedious!
happening. Cache poisoning requires a host on the local network to do
That was my scenario to begin with. Reread my posting.
that. Also, if the router sends out a request for what appears to be a valid address, but for which there is no host, there will be no response. Also, in order for there to be any traffic between me and a
I can always send out a response that I possess ::4 in your network, after all it's link-local multicast, so why can't I? What mechanism exactly is stopping that?
neighbour with a different subnet there has to be a router, so "The router issues an NDP for ::4, there is no router in your network in this example (you said that, see above)." doesn't apply. What I was referring to is the situation where one host is talking to another host on the same network. A host on the other subnet does not use that method.
Oh, what do they use then? JKFP, James Knott Fantasy Protocol? The router was just the critical machine in that scenario because it now happily routes outside traffic meant for your subnet to my box. Other than that, it's just a normal host asking for its neighbours.
So why do you throw in v4 now?
To simplify the example (less typing). Functionally, there's no difference between IPv6 and IPv4 in this regard.
The key idea is the hierarchy, and that facilitates smaller routing tables, but it's still wrong and wild interpretation to claim there are no individual computers in a routing table. I proved you wrong, I have more at least one in mine. And besides, what I have in my routing table has got nothing to do with the protocol itself, the protocol doesn't tell me
Much B.S. deleted.
I'm happy you deleted your bullshit, and kept mine :)
Please do yourself a favour and do some research on this topic.
Please do yourself a favour and do some research on this topic. Where exactly in the protocols does it say that no routing table must contain individual hosts? -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
James Knott
Another would be if they happen to be on a fragile end of the BGP tree and have to change their routes frequently, STP propagation might be fast, but to propagate a changed route if there's millions of entries in the arp table could take a while.
Routing tables are based on network, not individual host addresses. This means that the number of computers or addresses you use is irrelevant, so long as they all belong to your network or subnet.
I don't know why I picked up your routing table argument, I was originally talking about the neighbourhood table, aka arp6.
freundt@qaos:pts/2:~> ip -6 neigh | wc -l
3863
freundt@qaos:pts/2:~> ip -6 neigh | grep STALE wc -l
grep: wc: No such file or directory
freundt@qaos:pts/2:~> ip -6 neigh | grep STALE | wc -l
1649
As you can see, more than half the entries have to go STALE first before a new route is picked up. I know there's ip neigh flush but do I want to do that on 4000+ computers just because I changed a route? Ok, I won't change a route willy-nilly but if someone else came along with their 4000+ computers using *my* address space there will be trouble, it's inevitable.
And that's exactly one of my points actually: v6 migration needs coordination! And consideration, people jumped at the first transition suggestion there was, and now we have teredo/miredo routing, gone in software, but still cast in hardware.
I for one prefer working with conservative and modest people who think before they implement their ideas, restricting a /64 to 1 host or restricting a link to one address (on the router side) is not the worst idea, if you *really* think about it.
Sebastian Freundt wrote:
I don't know why I picked up your routing table argument, I was originally talking about the neighbourhood table, aka arp6.
freundt@qaos:pts/2:~> ip -6 neigh | wc -l
3863
freundt@qaos:pts/2:~> ip -6 neigh | grep STALE wc -l
grep: wc: No such file or directory
freundt@qaos:pts/2:~> ip -6 neigh | grep STALE | wc -l
1649
Unless statically configured, those tables are temporary and expire after a short period of time and they are filled automatically via arp in IPv4 or neighbour discovery in IPv6. Unless you are changing IP address extremely frequently, it shouldn't be an issue. Also, how do you know it searches the stale addresses first? It seems to me that if the computer knows the addresses are stale, the active one would be checked first.
Ok, I won't change a route willy-nilly but if someone else came along with their 4000+ computers using *my* address space there will be trouble, it's inevitable.
With IPv4, each of those 4000+ computers will have one address. With IPv6, they'd have 2 or 3 with the random address changing occasionally. How is that a significantly greater problem? Also, you don't route to computers on your local network. All addressing there is by MAC address. Routing is used when you go to other networks via the router. But again, the other routers only have to know the route to your network. Then when the packet gets to your network does your router match up the IP address with the MAC address and pass the packet to the final destination.
I for one prefer working with conservative and modest people who think before they implement their ideas, restricting a /64 to 1 host or restricting a link to one address (on the router side) is not the worst idea, if you *really* think about it.
At the basic level, there's not a lot of difference between IPv4 & IPv6. Most of what applies to IPv4 also does to IPv6. Using a single address & NAT is more complex than simply routing a block of addresses.
James Knott
Sebastian Freundt wrote:
I don't know why I picked up your routing table argument, I was originally talking about the neighbourhood table, aka arp6.
freundt@qaos:pts/2:~> ip -6 neigh | wc -l
3863
freundt@qaos:pts/2:~> ip -6 neigh | grep STALE wc -l
grep: wc: No such file or directory
freundt@qaos:pts/2:~> ip -6 neigh | grep STALE | wc -l
1649
Unless statically configured, those tables are temporary and expire after a short period of time and they are filled automatically via arp in IPv4 or neighbour discovery in IPv6. Unless you are changing IP address extremely frequently, it shouldn't be an issue. Also, how do
Define extremely frequently. On a network with 3600 nodes changing their randomised IPs every hour for some reason, the router has to send on average one icmp6 packet per second just to keep up with address changes.
you know it searches the stale addresses first? It seems to me that if the computer knows the addresses are stale, the active one would be checked first.
Because last time I checked Linux, BSD and IOS complied to RFC 4861, sections 7.2.2 and 7.3.2 clearly state when, why and how neighbour solicitations are sent.
Ok, I won't change a route willy-nilly but if someone else came along with their 4000+ computers using *my* address space there will be trouble, it's inevitable.
With IPv4, each of those 4000+ computers will have one address. With IPv6, they'd have 2 or 3 with the random address changing occasionally. How is that a significantly greater problem? Also, you
Because you're not living in the real world :) When we had a v4 network the computers were hierarchised, every working group had their 100 to 200 computers on a private net, with about 10 of them having globally routable unicast addresses. Then came IPv6, everyone was excited (well I think of it as overzealous) and it was considered a good idea to make them all globally routable. Someone read it was bad practice to split up the assigned /64 even further and so the decision was made to line them all up in one gigantic network. Daft, I know, because little did we know about *efficient* routing policies, NDP, multicast, and whatnot. Now 4 years later, we have the same hardware (on the network side) to back our decision but the clients have changed a lot, motherboards come with two NICs by default and, oh joy, there's an IPMI jack as well, lucky we are that we have so many addresses, let's wire it all up, this is gonna give us the most fail-safe network ever. Having to cope with more than 10000 addresses (and that translates to 10000 A4 sheets of paper(!) our students and professors had to sign) already--I really feel for that poor router--someone decided it would be more `private' to assign another address per NIC per day/hour/dont-care, BRILLIANT! Twice the amount, no papers signed for the extra addresses, we lost track anyway, ... Oh wait, there's more, and no one really considered that, expired addresses don't just disappear from NIC, they're just flagged `invalid' which means new sockets won't/can't use them, long standing data connections be thanked you can occasionally find up to 20, but at least one *additional* *expired* address on the NICs. Where are we, right, a neighbourhood table of more than 100000 addresses, constantly icmp'd for. Did you expect this? See that's why I don't take advice from you :P
don't route to computers on your local network. All addressing there is by MAC address. Routing is used when you go to other networks via the router. But again, the other routers only have to know the route
Yes, so? I was talking about the neigh table. There is just one router on our network.
to your network. Then when the packet gets to your network does your router match up the IP address with the MAC address and pass the packet to the final destination.
Nicely explained, but that's my point, the ONE router does have to keep up with all the different neighbours.
I for one prefer working with conservative and modest people who think before they implement their ideas, restricting a /64 to 1 host or restricting a link to one address (on the router side) is not the worst idea, if you *really* think about it.
At the basic level, there's not a lot of difference between IPv4 & IPv6. Most of what applies to IPv4 also does to IPv6. Using a single address & NAT is more complex than simply routing a block of addresses.
Ah, you would have been on the side of the overexcited/underinformed (yes those are synonyms to me) people on our NOC team 4 years ago then. You don't know how much you remind me of them :)
Sebastian Freundt wrote:
you know it searches the stale addresses first? It seems to me that if the computer knows the addresses are stale, the active one would be checked first.
Because last time I checked Linux, BSD and IOS complied to RFC 4861, sections 7.2.2 and 7.3.2 clearly state when, why and how neighbour solicitations are sent.
After glancing through that RFC, I get the impression that "stale" is not relevant here. It appears to be related to different MAC addresses for an IP address or whether an IPv6 address is still valid. One thing to bear in mind is that IPv6 supports deprecated addresses so that an old IP address is still valid for a period of time after a new one is available.
Ok, I won't change a route willy-nilly but if someone else came along with their 4000+ computers using *my* address space there will be trouble, it's inevitable.
With IPv4, each of those 4000+ computers will have one address. With IPv6, they'd have 2 or 3 with the random address changing occasionally. How is that a significantly greater problem? Also, you
Because you're not living in the real world :) When we had a v4 network the computers were hierarchised, every working group had their 100 to 200 computers on a private net, with about 10 of them having globally routable unicast addresses.
Originally, there was no such thing as NAT and all hosts were globally routable. NAT was created to share IP addresses. There are limited scope IPv6 addresses that can be used to keep computers off the global network.
Then came IPv6, everyone was excited (well I think of it as overzealous) and it was considered a good idea to make them all globally routable. Someone read it was bad practice to split up the assigned /64 even further and so the decision was made to line them all up in one gigantic network. Daft, I know, because little did we know about *efficient* routing
The /64 subnets are required to support EUI-64 MAC addresses. EUI-48 bit MACs are extended to 64 bits by inserting FEFF in the middle. Using MAC addresses to form IPv6 addresses was around before random address generation. The other alternatives would be DHCP or manual configuration.
Oh wait, there's more, and no one really considered that, expired addresses don't just disappear from NIC, they're just flagged `invalid' which means new sockets won't/can't use them, long standing data connections be thanked you can occasionally find up to 20, but at least one *additional* *expired* address on the NICs. Where are we, right, a neighbourhood table of more than 100000 addresses, constantly icmp'd for.
If a NIC stops using an address, it will shortly disappear from the caches in the other computers & switches in the network, just like in IPv4.
don't route to computers on your local network. All addressing there is by MAC address. Routing is used when you go to other networks via the router. But again, the other routers only have to know the route
Yes, so? I was talking about the neigh table. There is just one router on our network.
Ummm... The post I was referring to said: "As you can see, more than half the entries have to go STALE first before a new route is picked up. I know there's ip neigh flush but do I want to do that on 4000+ computers just because I changed a route? Ok, I won't change a route willy-nilly but if someone else came along with their 4000+ computers using *my* address space there will be trouble, it's inevitable." It sure sounds like you were talking about routing to me, not the neighbour table. The neighbour table or arp cache is used to match IP addresses to MAC address and is only used for hosts on the local network. Routing tables are used to determine how to reach a different network.
to your network. Then when the packet gets to your network does your router match up the IP address with the MAC address and pass the packet to the final destination.
Nicely explained, but that's my point, the ONE router does have to keep up with all the different neighbours.
It keeps track of the MAC addresses only on the local network(s) that it's connected to. It doesn't keep track of MACs at the remote networks. You will never see a MAC from a remote network on your network, unless you have some sort of bridge between them. In that case you wouldn't need a router.
At the basic level, there's not a lot of difference between IPv4 & IPv6. Most of what applies to IPv4 also does to IPv6. Using a single address & NAT is more complex than simply routing a block of addresses.
Ah, you would have been on the side of the overexcited/underinformed (yes those are synonyms to me) people on our NOC team 4 years ago then. You don't know how much you remind me of them.
Please explain how NAT is simpler than just routing, when you have to add the translation to the routing. Don't forget you have to include special rules for some protocols and hosts.
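Added example, not part of the thread or of any openSUSE tool: an audit of ifconfig-style output that separates addresses built from the interface's MAC (modified EUI-64 per RFC 4291: ff:fe inserted between the two MAC halves and the universal/local bit flipped) from addresses with any other interface identifier, such as the random one in the 12.1 output. The MAC, the 2001:db8::/32 documentation prefix, the function names and the rule "global addresses must derive from the MAC" are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the ifconfig format quoted in the thread; the MAC and
# the 2001:db8::/32 documentation prefix are made up for this example.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
          inet6 addr: 2001:db8:0:76:5054:ff:fe12:3456/64 Scope:Global
          inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
          inet6 addr: 2001:db8:0:76:54d2:36fb:2fd5:56b6/64 Scope:Global
"""


def mac_to_modified_eui64(mac):
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in re.split(r"[:-]", mac))
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    # RFC 4291 Appendix A: flip the universal/local bit of the first octet
    # and insert ff:fe between the two 24-bit halves of the MAC.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def classify(address, mac):
    """Compare the low 64 bits of an IPv6 address with the interface's MAC."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid == mac_to_modified_eui64(mac):
        return "eui64-from-this-mac"
    if iid[3:5] == b"\xff\xfe":
        # Shaped like EUI-64, but built from a MAC other than this interface's.
        return "eui64-shaped-other-mac"
    # Temporary (privacy), DHCPv6 or manually assigned identifier.
    return "not-eui64"


def audit_ifconfig(text):
    """Return [(address, scope, verdict)] for each inet6 line after an HWaddr line."""
    mac = None
    findings = []
    for line in text.splitlines():
        hw = re.search(r"HWaddr\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})", line)
        if hw:
            mac = hw.group(1)
            continue
        v6 = re.search(r"inet6 addr:\s*([0-9A-Fa-f:]+)/(\d+)\s+Scope:(\w+)", line)
        if v6 and mac:
            findings.append((v6.group(1), v6.group(3), classify(v6.group(1), mac)))
    return findings


def policy_violations(text):
    """Global addresses whose interface identifier is not derived from the MAC."""
    return [addr for addr, scope, verdict in audit_ifconfig(text)
            if scope == "Global" and verdict != "eui64-from-this-mac"]


if __name__ == "__main__":
    for addr, scope, verdict in audit_ifconfig(SAMPLE_IFCONFIG):
        print(f"{addr:40} {scope:7} {verdict}")
    print("flag:", policy_violations(SAMPLE_IFCONFIG))
```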
James Knott
Sebastian Freundt wrote:
you know it searches the stale addresses first? It seems to me that
if the computer knows the addresses are stale, the active one would be checked first.
Because last time I checked Linux, BSD and IOS complied to RFC 4861, sections 7.2.2 and 7.3.2 clearly state when, why and how neighbour solicitations are sent.
After glancing through that RFC, I get the impression that "stale" is not relevant here. It appears to be related to different MAC addresses for an IP address or whether an IPv6 address is still valid.
That's wrong. Read the whole document.
One thing to bear in mind is that IPv6 supports deprecated addresses so that an old IP address is still valid for a period of time after a new one is available.
Yes.
Ok, I won't change a route willy-nilly but if someone else came along with their 4000+ computers using *my* address space there will be trouble, it's inevitable.
With IPv4, each of those 4000+ computers will have one address. With IPv6, they'd have 2 or 3 with the random address changing occasionally. How is that a significantly greater problem? Also, you
Because you're not living in the real world :) When we had a v4 network the computers were hierarchised, every working group had their 100 to 200 computers on a private net, with about 10 of them having globally routable unicast addresses.
Originally, there was no such thing as NAT and all hosts were globally routable. NAT was created to share IP addresses. There are limited scope IPv6 addresses that can be used to keep computers off the global network.
I was for that approach actually, so yes, I second that.
Then came IPv6, everyone was excited (well I think of it as overzealous) and it was considered a good idea to make them all globally routable. Someone read it was bad practice to split up the assigned /64 even further and so the decision was made to line them all up in one gigantic network. Daft, I know, because little did we know about *efficient* routing
The /64 subnets are required to support EUI-64 MAC addresses. EUI-48 bit MACs are extended to 64 bits by inserting FEFF in the middle. Using MAC addresses to form IPv6 addresses was around before random address generation. The other alternatives would be DHCP or manual configuration.
Yep, it's all manual configuration, well, until recently where magically more addresses appear out of nowhere.
Oh wait, there's more, and no one really considered that, expired addresses don't just disappear from NIC, they're just flagged `invalid' which means new sockets won't/can't use them, long standing data connections be thanked you can occasionally find up to 20, but at least one *additional* *expired* address on the NICs. Where are we, right, a neighbourhood table of more than 100000 addresses, constantly icmp'd for.
If a NIC stops using an address, it will shortly disappear from the caches in the other computers & switches in the network, just like in IPv4.
That makes no sense, a NIC never `stops using an address', define what you mean by that. An expired address cannot be bound by bind(3), of course you can still reach it, and of course it's in other computers' neighbour tables and stored in the switches.
  ip a a 2001:db8::dead:beef/64 dev eth0 preferred_lft 20
Open a socket, use it, and look what happens after the expiry.
don't route to computers on your local network. All addressing there is by MAC address. Routing is used when you go to other networks via the router. But again, the other routers only have to know the route
Yes, so? I was talking about the neigh table. There is just one router on our network.
Ummm... The post I was referring to said:
"
As you can see, more than half the entries have to go STALE first before a new route is picked up. I know there's ip neigh flush but do I want to do that on 4000+ computers just because I changed a route?
Ok, I won't change a route willy-nilly but if someone else came along with their 4000+ computers using *my* address space there will be trouble, it's inevitable."
It sure sounds like you were talking about routing to me, not the neighbour table. The neighbour table or arp cache is used to match IP addresses to MAC address and is only used for hosts on the local network. Routing tables are used to determine how to reach a different network.
to your network. Then when the packet gets to your network does your router match up the IP address with the MAC address and pass the packet to the final destination.
Nicely explained, but that's my point, the ONE router does have to keep up with all the different neighbours.
It keeps track of the MAC addresses only on the local network(s) that it's connected to. It doesn't keep track of MACs at the remote
It's just one big local network. What are you trying to say? And of course it's only STALE addresses that need re-NDP'ing, FAILED addresses are known to be unreachable, DELAY'd addresses are forcedly considered reachable for a moment, PROBEs are soon to be probed as reachability is unknown and INCOMPLETEs are currently in the process of solicitation. Read RFC 4661 again.
networks. You will never see a MAC from a remote network on your network, unless you have some sort of bridge between them. In that case you wouldn't need a router.
Never said that. It's just one local network. One router. You are the one to imagine wild things. Reread my posting, I said several times it's just one router, and one big v6 network. In v4 times we had a cascade of routers but those times are long gone.
At the basic level, there's not a lot of difference between IPv4 & IPv6. Most of what applies to IPv4 also does to IPv6. Using a single address & NAT is more complex than simply routing a block of addresses.
Ah, you would have been on the side of the overexcited/underinformed (yes those are synonyms to me) people on our NOC team 4 years ago then. You don't know how much you remind me of them.
Please explain how NAT is simpler than just routing, when you have to add the translation to the routing. Don't forget you have to include special rules for some protocols and hosts.
You don't seem to see the problem, the problem is we are assigned a /64 and we can't split it into smaller blocks, as you stated correctly because EUI64 assignment wouldn't be possible. So you take 5 to 8 year old hardware and expect it to run in 2011 coping with more addresses on a SINGLE hop than the entire uni had in v4 times. The result, fun :) I'd say the last time I've seen more infrastructure packets (icmp6) was when someone tried an arp attack against one of our routers. Sure, you say what's the problem, we need new hardware. I absolutely agree. What I wanted to show you with this anecdote is how combining `not so different', highly praised technologies and unexperienced administrators (well I was unexperienced back then too, I should admit) can result in a disaster. I'm *SURE* other NOC guys will tell you exactly the same and probably have a similar story for you. And what I'm also trying to say is that the NOC team is always grateful for advice from unexperienced overzealous users </sarcasm> :) Am I right NOCers? Anyone following this? :)
On Thursday 17 November 2011, James Knott wrote:
Rüdiger Meier wrote:
On Thursday 17 November 2011, James Knott wrote:
However, this is an example of someone being stuck on IPv4 methods. With IPv4, the shortage of addresses limited what an ISP could offer. With IPv6, there's absolutely no valid reason for not offering at least a /64 subnet.
Of course there are valid reasons for this...
Such as??? As I mentioned, I can configure my tunnel for a subnet or single address, but that's my choice.
I get my IPv6 subnet from a tunnel broker and it's a /56 (256 /64 subnets).
If you want to setup your net for more than 256 users then you as their ISP would not give everybody a ::/64 net.
256 users???? A /56 subnet can support up to a trillion times the entire IPv4 address space. A /64 subnet allows 18.4 quintillion addresses.
WTF The point was that you have only 256 ::/64 subnets. If you have 6000 users you can't give every user a whole ::/64. This fact would be even more than just a valid reason to give each of them less than ::/64.
And if you still don't get the point... If you provide internet access to 6000 users then YOU are their ISP namely one with a "valid reason for not offering at least a /64 subnet" to each user.
And moreover if you can't give everybody a whole subnet then you probably want to restrict every user to a single IP because you as the ISP have to log the user/IP/time map. (At least in Germany you have to do this). Logging this map would be much harder if these 6000 users are using random addresses from the shared subnet.
And all this seems to be the situation at Lew's network.
But I guess you still know better about the situation there and how it should be and how it should not be and how about Windows 7 at all and abusing the other admins of being incompetent.
cu, Rudi
Rüdiger Meier wrote:
WTF The point was that you have only 256 ::/64 subnets. If you have 6000 users you can't give every user a whole ::/64. This fact would be even more than just a valid reason to give each of them less than ::/64.
The IPv4 Internet manages to get by with only 2^32 or about 4 billion addresses and some of those are reserved and not available for ISPs to hand out. If every ISP handed out /64 subnets, then there would be enough for 2^61 subnets (only 1/8 of the IPv6 address space is currently allocated for public unicast addresses). That's 2^29 or 537 million times the entire IPv4 address range. That should be sufficient for quite some time. Even if /48 subnets are issued, there's still 2^45 or 2.5 x 10^13 of them. That's 8192 times the number of IPv4 addresses. So, don't worry about running out of address space, if /64 subnets are handed out.
And moreover if you can't give everybody a whole subnet then you probably want to restrict every user to a single IP because you as the ISP have to log the user/IP/time map. (At least in Germany you have to do this). Logging this map would be much harder if these 6000 users are using random addresses from the shared subnet.
Compare that to what happens now with IPv4 and NAT. The ISP cannot monitor each individual computer behind the NAT router, only the aggregate traffic from the router. Same thing with IPv6, just monitor all the traffic coming from the customer's router. I have a cable modem here. It has its own IP address and a MAC address that's visible to my ISP. Either could be used for traffic monitoring in the same manner as currently done when someone uses NAT on IPv4. Further, giving a customer, who has more than one computer, a single address will require them to use NAT, which is not supported in IPv6.
But I guess you still know better about the situation there and how it should be and how it should not be and how about Windows 7 at all and
Based on another note from Lew, it appears I was correct on that matter.
abusing the other admins of being incompetent.
James Knott
Rüdiger Meier wrote:
WTF The point was that you have only 256 ::/64 subnets. If you have 6000 users you can't give every user a whole ::/64. This fact would be even more than just a valid reason to give each of them less than ::/64.
The IPv4 Internet manages to get by with only 2^32 or about 4 billion addresses and some of those are reserved and not available for ISPs to hand out. If every ISP handed out /64 subnets, then there would be enough for 2^61 subnets (only 1/8 of the IPv6 address space is currently allocated for public unicast addresses). That's 2^29 or 537 million times the entire IPv4 address range. That should be sufficient for quite some time. Even if /48 subnets are issued, there's still 2^45 or 2.5 x 10^13 of them. That's 8192 times the number of IPv4 addresses. So, don't worry about running out of address space, if /64 subnets are handed out.
Are you IANA? So tell me, how would you split your /56 amongst 6000 users so that each and every one of them gets a /64?
And moreover if you can't give everybody a whole subnet then you probably want to restrict every user to a single IP because you as the ISP have to log the user/IP/time map. (At least in Germany you have to do this). Logging this map would be much harder if these 6000 users are using random addresses from the shared subnet.
Compare that to what happens now with IPv4 and NAT. The ISP cannot monitor each individual computer behind the NAT router, only the aggregate traffic from the router. Same thing with IPv6, just monitor all the traffic coming from the customer's router. I have a cable
You obviously haven't had the joy of working in a network where the use of _every_ IP address (even temporary ones and 192.168. private ones) requires prior written permission. Technically there is no problem (just effort) to keep track of users, no one is doubting that. Red-tape is the problem, and you're not exactly helping with claims like `just monitor all traffic'
You seem to forget that this has to be configured, a BGP route to your AS (or a part of it) has to be established, paperwork has to be done if that part of the AS is to be routed differently, etc. Again, what works for you in your 10-100 hosts network within seconds takes hours/days/weeks in a larger network, and more importantly coordination. Honestly, how many network operator monitoring setups have you transitioned to fully support IPv6 of late? I know people who have, and they assured me it's more than `just monitor a mac address'.
modem here. It has its own IP address and a MAC address that's visible to my ISP. Either could be used for traffic monitoring in the same manner as currently done when someone uses NAT on IPv4. Further, giving a customer, who has more than one computer, a single address will require them to use NAT, which is not supported in IPv6.
You still seem to get the wrong end of the stick, you're lending your customer a part of *your* network address space, NAT is different of course, because NAT is usually performed in address space that doesn't belong to the ISP/network operator and so, naturally, they don't have or claim control over what you do in *your* network. Again, whois(1) your /56 and tell me who owns it, and then tell me again who should have the right to control that part of the v6 internet. They may grant you the right, temporarily or permanently, but no ISP is obliged to grant you a fully routed /64. ASNs are the *only* way to legally enforce your rights and transit to ASNs (along with the BGP entries and whatnot) isn't cheap.
Also, you haven't surveyed your local ISPs about native v6 connectivity lately, have you? A customer with more than one computer is happily encouraged to buy the fully routed /64 package. Or a /48. Or buy transit to your own AS. Not the cheapest options these days :( but competition will mitigate that I hope.
Sebastian Freundt wrote:
Are you IANA? So tell me, how would you split your /56 amongst 6000 users so that each and every one of them gets a /64?
I have never said that every user (just me, my dog & cat :-) on my local network gets a /64 subnet. I said I get a /56 subnet that can be split into 256 /64 subnets, each of which could have up to 2^64 hosts. I wish you would stop trying to put words in my mouth.
Compare that to what happens now with IPv4 and NAT. The ISP cannot
monitor each individual computer behind the NAT router, only the aggregate traffic from the router. Same thing with IPv6, just monitor all the traffic coming from the customer's router. I have a cable
You obviously haven't had the joy of working in a network where the use of _every_ IP address (even temporary ones and 192.168. private ones) requires prior written permission. Technically there is no problem (just effort) to keep track of users, no one is doubting that. Red-tape is the problem, and you're not exactly helping with claims like `just monitor all traffic'
You were referring to an ISP having to monitor subscriber traffic. That has nothing to do with getting permission to use an RFC1918 address on the local network. Does your ISP see that 192.168.x.y address? Not if you're behind your NAT router. Is the ISP providing that subnet?
You seem to forget that this has to be configured, a BGP route to your AS (or a part of it) has to be established, paperwork has to be done if that part of the AS is to be routed differently, etc.
Why do you keep dragging BGP in, when it has nothing to do with the discussion? Use of a subnet does not require BGP. BGP is only used for autonomous networks, with multiple routes. That does not describe the typical subscriber, business or home, user.
Also, you haven't surveyed your local ISPs about native v6 connectivity lately, have you? A customer with more than one computer is happily encouraged to buy the fully routed /64 package. Or a /48. Or buy transit to your own AS. Not the cheapest options these days :( but competition will mitigate that I hope.
With IPv4, addresses are scarce. With IPv6, they are extremely plentiful, so there's no need to ration or charge for them. I get my /56 subnet from a tunnel broker for absolutely no cost. Others hand out /48 subnets, again at no cost.
James Knott
Sebastian Freundt wrote:
Are you IANA? So tell me, how would you split your /56 amongst 6000 users so that each and every one of them gets a /64?
I have never said that every user (just me, my dog & cat :-) on my local network gets a /64 subnet. I said I get a /56 subnet that can be split into 256 /64 subnets, each of which could have up to 2^64 hosts. I wish you would stop trying to put words in my mouth.
Compare that to what happens now with IPv4 and NAT. The ISP cannot monitor each individual computer behind the NAT router, only the aggregate traffic from the router. Same thing with IPv6, just monitor all the traffic coming from the customer's router. I have a cable
You obviously haven't had the joy of working in a network where the use of _every_ IP address (even temporary ones and 192.168. private ones) requires prior written permission. Technically there is no problem (just effort) to keep track of users, no one is doubting that. Red-tape is the problem, and you're not exactly helping with claims like `just monitor all traffic'
You were referring to an ISP having to monitor subscriber traffic. That has nothing to do with getting permission to use an RFC1918 address on the local network. Does your ISP see that 192.168.x.y address? Not if you're behind your NAT router. Is the ISP providing that subnet?
Nope, and nope. They do see traffic I happen to route to the router's address (::1 in my /64 here) from addresses other than my assigned one (::2 in my /64 here). And even though technically it's possible to route that traffic, they don't, because I don't give them enough money. So what's the problem again?
You seem to forget that this has to be configured, a BGP route to your AS (or a part of it) has to be established, paperwork has to be done if that part of the AS is to be routed differently, etc.
Why do you keep dragging BGP in, when it has nothing to do with the discussion? Use of a subnet does not require BGP. BGP is only used for autonomous networks, with multiple routes. That does not describe the typical subscriber, business or home, user.
Well because if you insist on configuring *your* network it requires you to set up BGP and talk to other carriers, how would they know about *your* network otherwise? From your statement below I get the impression you confuse tunnel'd 6-in-4 traffic (where there IS a BGP entry to `your' (read your tunnelbroker's) network actually you just didn't bother thinking about it) with a native setup where you get your /64, an *assigned* static address within that /64 (mostly ::2), a router address (there's experiments to propagate that through ppp, but for now it's mostly in your /64 the ::1) and that's all you have. Did you overlook the fact that you have NO control over the remote side's router? Or are you talking about something completely different, see below.
Also, you haven't surveyed your local ISPs about native v6 connectivity lately, have you? A customer with more than one computer is happily encouraged to buy the fully routed /64 package. Or a /48. Or buy transit to your own AS. Not the cheapest options these days :( but competition will mitigate that I hope.
With IPv4, addresses are scarce. With IPv6, they are extremely plentiful, so there's no need to ration or charge for them. I get my /56 subnet from a tunnel broker for absolutely no cost. Others hand out /48 subnets, again at no cost.
What do you mean by tunnel then? I thought tunnelbrokers are part of the transition plan and give you a v4 address that you can send 6-in-4 traffic to. Well native connectivity costs money here, what can I do about it?
Sebastian Freundt wrote:
You were referring to an ISP having to monitor subscriber traffic.
That has nothing to do with getting permission to use an RFC1918 address on the local network. Does your ISP see that 192.168.x.y address? Not if you're behind your NAT router. Is the ISP providing that subnet?
Nope, and nope. They do see traffic I happen to route to the router's address (::1 in my /64 here) from addresses other than my assigned one (::2 in my /64 here). And even though technically it's possible to route that traffic, they don't, because I don't give them enough money. So what's the problem again?
I'm not sure what you have there. You say you have a single address. How many computers do you have? If more than one, how are they connected to your ISP? Also, ::1 is an address with a string of 127 "0" bits and one "1". It seems very strange to have that sort of address, unless you're referring to a router on your local network, in which case it should be <your network address>::1. For example, on my network, my router's address on my network is the subnet address provided to me followed by ::1. All the computers have the same network address followed by the MAC derived or random portion. An address that's simply ::1 or ::2 is outside of the allocated unicast address range.
Why do you keep dragging BGP in, when it has nothing to do with the discussion? Use of a subnet does not require BGP. BGP is only used for autonomous networks, with multiple routes. That does not describe the typical subscriber, business or home, user.
Well because if you insist on configuring *your* network it requires you to set up BGP and talk to other carriers, how would they know about *your* network otherwise? From your statement below I get the impression you confuse tunnel'd 6-in-4 traffic (where there IS a BGP entry to `your' (read your tunnelbroker's) network actually you just didn't bother thinking about it) with a native setup where you get your /64, an *assigned* static address within that /64 (mostly ::2), a router address (there's experiments to propagate that through ppp, but for now it's mostly in your /64 the ::1) and that's all you have.
Did you overlook the fact that you have NO control over the remote side's router? Or are you talking about something completely different, see below.
Once again. BGP is not applicable because I do not have an autonomous network. I get a single subnet from the tunnel broker and it is they who would use BGP and not me. For my subnet, they'd be using something like RIP or OSPF, as there is no need for the function that BGP provides. Please look up interior and exterior routing protocols to understand the difference.
With IPv4, addresses are scarce. With IPv6, they are extremely plentiful, so there's no need to ration or charge for them. I get my /56 subnet from a tunnel broker for absolutely no cost. Others hand out /48 subnets, again at no cost.
What do you mean by tunnel then? I thought tunnelbrokers are part of the transition plan and give you a v4 address that you can send 6-in-4 traffic to
I use a 6in4 tunnel to transport IPv6 over IPv4. It does this by placing a 20 byte IP protocol 41 header in front of the IPv6 packet. Tunnel brokers are the organizations who offer this service. They convert the packets to/from 6in4 tunnels to the IPv6 internet.
Well native connectivity costs money here, what can I do about it?
The connection is what costs. It doesn't cost any more to carry more than one address as it is all data over the link.
James Knott
Sebastian Freundt wrote:
You were referring to an ISP having to monitor subscriber traffic.
That has nothing to do with getting permission to use an RFC1918 address on the local network. Does your ISP see that 192.168.x.y address? Not if you're behind your NAT router. Is the ISP providing that subnet?
Nope, and nope. They do see traffic I happen to route to the router's address (::1 in my /64 here) from addresses other than my assigned one (::2 in my /64 here). And even though technically it's possible to route that traffic, they don't, because I don't give them enough money. So what's the problem again?
I'm not sure what you have there. You say you have a single address. How many computers do you have? If more than one, how are they connected to your ISP? Also, ::1 is an address with a string of 127
It's a colo setup, there's just one computer.
"0" bits and one "1". It seems very strange to have that sort of address, unless you're referring to a router on your local network, in which case it should be <your network address>::1. For example, on my network, my router's address on my network is the subnet address provided to me followed by ::1. All the computers have the same network address followed by the MAC derived or random portion. An address that's simply ::1 or ::2 is outside of the allocated unicast address range.
Yes that's what I mean, 2001:db8::1 is theirs, 2001:db8::2 is mine, well, just an example. However, I can't just occupy and use 2001:db8::3, that's what I mean.
James Knott
Did you overlook the fact that you have NO control over the remote side's router? Or are you talking about something completely different, see below.
Once again. BGP is not applicable because I do not have an autonomous network. I get a single subnet from the tunnel broker and it is they who would use BGP and not me. For my subnet, they'd be using something like RIP or OSPF, as there is no need for the function that BGP provides. Please look up interior and exterior routing protocols to understand the difference.
Yes, that was my point initially, it's *not* your network and hence you're not free to do whatever you want. As for the routing protocol, I was thinking of AS transits and specifically HE's services. Pretty much the only acceptable business solution two years ago. And personally I think ASNs make a lot more sense in v6 space and everybody should have their own. Anyway, regardless what routing protocol they use, the fact remains, you can't control their router. You're lucky that they route everything you chuck at them. It's however a privilege you're not entitled to, and if they did it differently, arguing that it's their cock-up won't get you anywhere.
With IPv4, addresses are scarce. With IPv6, they are extremely plentiful, so there's no need to ration or charge for them. I get my /56 subnet from a tunnel broker for absolutely no cost. Others hand out /48 subnets, again at no cost.
What do you mean by tunnel then? I thought tunnelbrokers are part of the transition plan and give you a v4 address that you can send 6-in-4 traffic to
I use a 6in4 tunnel to transport IPv6 over IPv4. It does this by placing a 20 byte IP protocol 41 header in front of the IPv6 packet. Tunnel brokers are the organizations who offer this service. They convert the packets to/from 6in4 tunnels to the IPv6 internet.
Well native connectivity costs money here, what can I do about it?
The connection is what costs. It doesn't cost any more to carry more than one address as it is all data over the link.
Again, you're not living in the real world. It's the software development phase that costs. It doesn't cost any more to give you another licence as it is just generating another licence key. Doesn't really work in the open-source world but you get the idea :)
Sebastian Freundt wrote:
Yes, that was my point initially, it's *not* your network and hence you're not free to do whatever you want.
As for the routing protocol, I was thinking of AS transits and specifically HE's services. Pretty much the only acceptable business solution two years ago. And personally I think ASNs make a lot more sense in v6 space and everybody should have their own. Anyway, regardless what routing protocol they use, the fact remains, you can't control their router. You're lucky that they route everything you chuck at them. It's however a privilege you're not entitled to, and if they did it differently, arguing that it's their cock-up won't get you anywhere.
Why do you keep dragging this in??? It's not relevant!!! I control only my own network. I simply get the subnet from someone else who worries about what's beyond. I am not trying to control their routers.
The connection is what costs. It doesn't cost any more to carry more
than one address as it is all data over the link.
Again, you're not living in the real world. It's the software development phase that costs. It doesn't cost any more to give you another licence as it is just generating another licence key. Doesn't really work in the open-source world but you get the idea :)
Please explain what the cost difference is given there's no difference in transport cost and it takes just as much effort to configure a router for a small subnet as large. There's no significant cost to IPv6 addresses, because there are so many of them, unlike IPv4 where there's not enough to support the demand.
James Knott
Sebastian Freundt wrote:
Yes, that was my point initially, it's *not* your network and hence you're not free to do whatever you want.
As for the routing protocol, I was thinking of AS transits and specifically HE's services. Pretty much the only acceptable business solution two years ago. And personally I think ASNs make a lot more sense in v6 space and everybody should have their own. Anyway, regardless what routing protocol they use, the fact remains, you can't control their router. You're lucky that they route everything you chuck at them. It's however a privilege you're not entitled to, and if they did it differently, arguing that it's their cock-up won't get you anywhere.
Why do you keep dragging this in??? It's not relevant!!! I control only my own network. I simply get the subnet from someone else who worries about what's beyond. I am not trying to control their routers.
You were the one to complain that it's highly unusual that they block all traffic in a /64. They can do whatever they feel like.
The connection is what costs. It doesn't cost any more to carry more than one address as it is all data over the link.
Again, you're not living in the real world. It's the software development phase that costs. It doesn't cost any more to give you another licence as it is just generating another licence key. Doesn't really work in the open-source world but you get the idea :)
Please explain what the cost difference is given there's no difference in transport cost and it takes just as much effort to configure a router for a small subnet as large. There's no significant cost to IPv6 addresses, because there are so many of them, unlike IPv4 where there's not enough to support the demand.
No, I leave that to you. Talk to my ISP, convince them to give me the fully routed /64 for free. Please explain to them how it costs exactly the same, if they give me a /64 or /48, it shouldn't matter to them. I'm VERY looking forward to reading those conversations. I've had them not long ago. It's not that I'm saying I can't follow you, I'm on your side and I want a fully routed /64, and yes it shouldn't be more than a generalised route add ... but somehow they want to earn money, because they are something called a business, and they do know about the principle of supply and demand.
On Friday 18 November 2011 01:17:47 James Knott wrote:
Sebastian Freundt wrote:
Dear James and Sebastian, this discussion is becoming completely off-topic. This list is now about openSUSE 12.2. So please discuss what features this version should have considering IPv6 and be brief. And please split the discussion in what is needed in small home/business environments and large network environments. -- fr.gr. Freek de Kruijf
On Thursday 17 November 2011, James Knott wrote:
Rüdiger Meier wrote:
WTF The point was that you have only 256 ::/64 subnets. If you have 6000 users you can't give every user a whole ::/64. This fact would be even more than just a valid reason to give each of them less than ::/64.
The IPv4 Internet manages to get by with only 2^32 or about 4 billion addresses and some of those are reserved and not available for ISPs to hand out. If every ISP handed out /64 subnets, then there would be enough for 2^61 subnets (only 1/8 of the IPv6 address space is currently allocated for public unicast addresses). That's 2^29 or 537 million times the entire IPv4 address range. That should be sufficient for quite some time. Even if /48 subnets are issued, there's still 2^45 or 2.5 x 10^13 of them. That's 8192 times the number of IPv4 addresses. So, don't worry about running out of address space, if /64 subnets are handed out.
Ok, I give up. Still don't know how you would do it but now I believe you could manage to give me /48 as a subnet of your /56.
Thanks for figuring out how to deal with powers of 2! BTW have you known that there are only 12 mersenne primes within the entire IPv6 range? But 8 of them are already within the small IPv4 range! Amazing isn't it?
And moreover if you can't give everybody a whole subnet then you probably want to restrict every user to a single IP because you as the ISP have to log the user/IP/time map. (At least in Germany you have to do this). Logging this map would be much harder if these 6000 users are using random addresses from the shared subnet.
Compare that to what happens now with IPv4 and NAT. The ISP cannot monitor each individual computer behind the NAT router, only the aggregate traffic from the router.
That's why they give different IPs to each customer and don't NAT you at all. You are NATing your machines. And you are responsible for everything your machines did on the net unless you can prove that it was your grandma.
Same thing with IPv6, just monitor all the traffic coming from the customer's router. I have a cable modem here. It has its own IP address and a MAC address that's visible to my ISP. Either could be used for traffic monitoring in the same manner as currently done when someone uses NAT on IPv4. Further, giving a customer, who has more than one computer, a single address will require them to use NAT, which is not supported in IPv6.
Maybe your rubbish Windows 7 or Suse can't do that out of the box. But there is also NAT with IPv6 and there are even reasons why some people need it.
But I guess you still know better about the situation there and how it should be and how it should not be and how about Windows 7 at all and abusing the other admins of being incompetent.
Based on another note from Lew, it appears I was correct on that matter.
Lol, that's what I've expected to hear.
cu, Rudi
Rüdiger Meier wrote:
Ok, I give up. Still don't know how you would do it but now I believe you could manage to give me /48 as a subnet of your /56.
When have I ever claimed that? I have said that ISPs can hand out lots of /48, /56 or /64 subnets, without danger of running out of address space in the foreseeable future.
And moreover if you can't give everybody a whole subnet then you probably want to restrict every user to a single IP because you as the ISP have to log the user/IP/time map. (At least in Germany you have to do this). Logging this map would be much harder if these 6000 users are using random addresses from the shared subnet.
Compare that to what happens now with IPv4 and NAT. The ISP cannot monitor each individual computer behind the NAT router, only the aggregate traffic from the router.
That's why they give different IPs to each customer and don't NAT you at all. You are NATing your machines. And you are responsible for everything your machines did on the net unless you can prove that it was your grandma.
You were claiming that ISPs could not monitor the traffic with so many addresses, as they do now with IPv4. There is no difference between doing this with NAT or not. They only have to monitor your traffic. With IPv4 and NAT, there is no connection between IP address and hardware behind the NAT. With IPv6 and random addresses, the same applies. With MAC addresses, then each computer could be tracked, which, incidentally, is the reason the random address method was developed.
Maybe your rubbish Windows 7 or Suse can't do that out of the box. But there is also NAT with IPv6 and there are even reasons why some people need it.
The reason for NAT is to share IPv4 addresses, as there are not enough to go around. While it may be technically possible to NAT IPv6, it is not supported by the IETF, the people who write the Internet specs. Given the huge IPv6 address space, there is no reason to and NAT also breaks some protocols.
Lol, that's what I've expected to hear.
You mean the part where he said the problem was with his network? That's precisely my position.
James Knott
Rüdiger Meier wrote:
Ok, I give up. Still don't know how you would do it but now I believe you could manage to give me /48 as a subnet of your /56.
When have I ever claimed that? I have said that ISPs can hand out lots of /48, /56 or /64 subnets, without danger of running out of address space in the foreseeable future.
I second that.
And moreover if you can't give everybody a whole subnet then you probably want to restrict every user to a single IP because you as the ISP have to log the user/IP/time map. (At least in Germany you have to do this). Logging this map would be much harder if these 6000 users are using random addresses from the shared subnet.
Compare that to what happens now with IPv4 and NAT. The ISP cannot monitor each individual computer behind the NAT router, only the aggregate traffic from the router. That's why they give different IPs to each customer and don't NAT you at all. You are NATing your machines. And you are responsible for everything your machines did on the net unless you can prove that it was your grandma.
You were claiming that ISPs could not monitor the traffic with so many addresses, as they do now with IPv4. There is no difference between doing this with NAT or not. They only have to monitor your traffic.
I was claiming that. You haven't seen actual infringement notices, it heavily depends on how technophile the issuing court is, there are cases where they have to hand out all customers connected at a certain time in a /24 AS owned by the ISP because according to German (and Swedish?) law the ISP is (partially) liable too. If they can however name one party they can proceed against them in a civil case demanding compensation. I can very well imagine incompetent prosecutors who demand all connections in a /32 at a given time or time span (because the ISP is treated like a suspect too) I SOOOO would love to hand over 20000 sheets of paper :)
With IPv4 and NAT, there is no connection between IP address and hardware behind the NAT. With IPv6 and random addresses, the same applies. With MAC addresses, then each computer could be tracked, which, incidentally, is the reason the random address method was developed.
Yep, making it the end hard to trace, but that's EXACTLY what an ISP needs to do (in certain countries).
Sebastian Freundt wrote:
I was claiming that. You haven't seen actual infringement notices, it heavily depends on how technophile the issuing court is, there are cases where they have to hand out all customers connected at a certain time in a /24 AS owned by the ISP because according to German (and Swedish?) law the ISP is (partially) liable too. If they can however name one party they can proceed against them in a civil case demanding compensation.
I can very well imagine incompetent prosecutors who demand all connections in a /32 at a given time or time span (because the ISP is treated like a suspect too) I SOOOO would love to hand over 20000 sheets of paper :)
With IPv4 and NAT, there is no connection between IP address and hardware behind the NAT. With IPv6 and random addresses, the same applies. With MAC addresses, then each computer could be tracked, which, incidentally, is the reason the random address method was developed.
Yep, making it the end hard to trace, but that's EXACTLY what an ISP needs to do (in certain countries).
That law is incompetent. It leaves many people in the position of having to prove their innocence. There's no difference between this and rounding up everyone on a busy street, because *ONE* of them committed a crime. There are plenty of examples of laws passed by people who do not understand the implications. Regardless, there's no difference between computers hiding behind NAT and computers using random addresses in this respect.
James Knott
Sebastian Freundt wrote:
Nope, it doesn't matter what you think is suitable or not, my point is that it must be just as easy to adapt to the one situation as to the other.
I can tell you that if I were to plug my computer into that network and booted into either Linux or Windows, I would have that problem, because either way, I would have both MAC and random addresses.
Yes, I know, me too actually. Still, as a network admin, I wouldn't change my network policies just because some devices can't use my network out of the box. And you should be more specific, Ubuntu 11.10 CAN access the network in question out of the box, it's just SuSE 12.1 that can't.
OK, get a new computer with Windows 7 on it. What will happen? This is the situation that most networks will face soon if not already. What will you do about it? You'll have to do exactly the same thing to accommodate 12.1.
Yes, but in Windows it's just a click, or two, under SuSE it's worth a whole long discussion that has been going on for quite a while and to be honest I lost track if the OP has found a solution or not. [snip]
PS: I have been talking to them, and they do offer a fully routed /64, and even a /48, alas they expect me to pay a lot more dosh for that.
You may want to refer them to the IETF guidelines on this. http://www.eu.ipv6tf.org/PublicDocuments/guidelines_for_isp_on_ipv6_assignme...
I'm pretty sure they're aware of this document, after all you're free (not monetarily unfortunately) upgrade and get a /64 or a /48 which is completely routed.
However, this is an example of someone being stuck on IPv4 methods. With IPv4, the shortage of addresses limited what an ISP could offer. With IPv6, there's absolutely no valid reason for not offering at least a /64 subnet. I get my IPv6 subnet from a tunnel broker and it's a /56 (256 /64 subnets). Others offer /48. With the tunnel broker I use, I can configure for either a single address or a subnet, but it's entirely my choice and not theirs.
Nope, that's exactly where you are wrong. Unless you possess an ASN and sign up with a carrier giving you BGP access, you canNOT freely do whatever you want. You have no right and they have no obligation, it's their network after all. What lawful or otherwise (protocol?) enforcing options do you have when your tunnel broker or ISP decides not to route X::dead:beef? Exactly, none. And my theory is that tunnel brokers hand out /56s or /48s for you to get used to them, and then they up their prices when you want them natively. Btw, I expect as much resistance for the orthogonal problem, a network operator with too permissive routing rules. The other day we found out that we can `claim' certain v6 addresses within the surrounding /64s and we reported this as a bug, but (annoyingly) the network operator pointed us to their policies and it's clearly stated how the routing works, which I guess leaves us with the option of putting up with it or wandering off.
Sebastian Freundt wrote:
Nope, that's exactly where you are wrong. Unless you possess an ASN and sign up with a carrier giving you BGP access, you canNOT freely do whatever you want. You have no right and they have no obligation, it's their network after all.
Funny thing. I have no BGP router, yet I have a subnet. BGP is used by carriers and ISPs to determine optimum routing. It is not useful for end networks that have only one connection to the Internet. Also, in another note I mentioned Teredo tunnels. These should be blocked, disabled or otherwise managed on a corporate network as they enable someone to completely bypass the firewall etc.
James Knott
Sebastian Freundt wrote:
Nope, that's exactly where you are wrong. Unless you possess an ASN and sign up with a carrier giving you BGP access, you canNOT freely do whatever you want. You have no right and they have no obligation, it's their network after all.
Funny thing. I have no BGP router, yet I have a subnet. BGP is used by carriers and ISPs to determine optimum routing. It is not useful for end networks that have only one connection to the Internet.
I wouldn't have thought so, otherwise you wouldn't come up with claims like you're free to do whatever you want. You are. But only up to the first router you don't have the password for. Whois your network and you will see whom it belongs to. And then reread the T&C for your tunnel or ISP connection and then we can talk about who decides what's useful and what isn't.
Also, in another note I mentioned Teredo tunnels. These should be blocked, disabled or otherwise managed on a corporate network as they enable someone to completely bypass the firewall etc.
Yes, you can do that on all the networks you happen to administer, I certainly won't stop you. But I configure *my* networks as it suits *me*. And it may be bad practice and considered unsafe, but there are many older routers out there that only provide 6to4 functionality with teredo addresses. You can buy our university some new routers if you want to interfere.
Sebastian Freundt wrote:
Yes, you can do that on all the networks you happen to administer, I certainly won't stop you. But I configure *my* networks as it suits *me*. And it may be bad practice and considered unsafe, but there are many older routers out there that only provide 6to4 functionality with teredo addresses. You can buy our university some new routers if you want to interfere.
I was referring to Teredo on individual computers. Every recent vintage Windows computer has it turned on by default.
Sebastian Freundt wrote:
OK, get a new computer with Windows 7 on it. What will happen? This is the situation that most networks will face soon if not already. What will you do about it? You'll have to do exactly the same thing to accommodate 12.1.
Yes, but in Windows it's just a click, or two, under SuSE it's worth a whole long discussion that has been going on for quite a while and to be honest I lost track if the OP has found a solution or not.
Really? Which click or two would that be? Here's what's required: http://www.windowsreference.com/networking/disable-ipv6-random-identifier-in... That doesn't seem to be a heck of a lot easier than changing that one config setting in Linux.
On 11/17/2011 10:17 AM, Sebastian Freundt wrote:
Yes, but in Windows it's just a click, or two, under SuSE it's worth a whole long discussion that has been going on for quite a while and to be honest I lost track if the OP has found a solution or not.
Thanks for everyone's help, it was a true learning experience.
After checking with the network gurus here we've got things sorted out. These guys know what they're doing and this particular network has received international accolades for leading the way in IPv6 implementation. They have enough clout that they can actually affect IPv6 policy at Google, Apple, and security-stack hardware vendors. They're good guys.
One of the admins penned this morning:
thanks for the info. sounds like SuSE Linux has moved to the new default for IPv6 configuration. Win7 and OSX Lion both default to choosing (and changing) a private IPv6 address. that's what we are watching on the testbed VLAN 44. OSX changes the v6 address every 24 hours and keeps the previous handful active on the interface for some days.
currently the v6 sweeper on V44 tries to keep the newest IPv6 address registered for a device in DNS and LDAP, assuming that it is the "today" or "after reboot" current address even though others may still show up in the neighbor table on the switch. your host is treated to the old v6 sweeper logic so when it saw a SLAAC address it registered that for him and it will stick.
So the problem is basically our network's, in particular the v6 "sweeper", I think. They switched me to the test VLAN and we'll see what happens. I'll report back any SuSE specific issues that might pop up. Now, I'll download 12.1 FCS and go to town!
Thanks, Lew
On Thursday 17 November 2011, Lew Wolfgang wrote:
On 11/17/2011 10:17 AM, Sebastian Freundt wrote:
Yes, but in Windows it's just a click, or two, under SuSE it's worth a whole long discussion that has been going on for quite a while and to be honest I lost track if the OP has found a solution or not.
Thanks for everyone's help, it was a true learning experience.
After checking with the network gurus here we've got things sorted out. These guys know what they're doing and this particular network has received international accolades for leading the way in IPv6 implementation. They have enough clout that they can actually affect IPv6 policy at Google, Apple, and security-stack hardware vendors. They're good guys.
One of the admins penned this morning:
thanks for the info. sounds like SuSE Linux has moved to the new default for IPv6 configuration. Win7 and OSX Lion both default to choosing (and changing) a private IPv6 address. that's what we are watching on the testbed VLAN 44. OSX changes the v6 address every 24 hours and keeps the previous handful active on the interface for some days.
currently the v6 sweeper on V44 tries to keep the newest IPv6 address registered for a device in DNS and LDAP, assuming that it is the "today" or "after reboot" current address even though others may still show up in the neighbor table on the switch. your host is treated to the old v6 sweeper logic so when it saw a SLAAC address it registered that for him and it will stick.
So the problem is basically our network's, in particular the v6 "sweeper", I think.
Nice! Sounds like they are not really incompetent and trying hard to allow their users the privacy comfort. You see that they have to do a "bit" more than simply running "usual routers" with default config. cu, Rudi
On 11/17/2011 11:47 AM, Rüdiger Meier wrote:
So the problem is basically our network's, in particular the v6 "sweeper", I think.
Nice! Sounds like they are not really incompetent and trying hard to allow their users the privacy comfort. You see that they have to do a "bit" more than simply running "usual routers" with default config.
(thanks for the compliment! at least one of them is following this thread) As was relayed to me this morning, one of the issues with private addressing is accountability. Take the example of a security incident logged at a remote web site or honey pot coming from a client within our domain. How can an organization backtrack to their client's source IP if all the reporter has are random addresses? This implies we'd have to keep track of all random addys, that might change on a daily basis, to correlate them with physical ones. Then, what if we didn't receive the incident report until two-weeks after it happened? How many random addresses do we keep? I'm not saying it can't be done, but in this case someone has to do it. If perfected, this v6 sweeper would give us the best of both worlds, privacy on the Internet, with local accountability if needed. Regards, Lew
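The bookkeeping Lew describes above, as an added example that is not part of the original thread and is not the network's actual sweeper: it records which MAC held which IPv6 address over time from neighbor-table snapshots, labels each address as MAC-derived (modified EUI-64) or not, and shows how the retention window decides whether an incident reported two weeks late can still be traced. The class and function names, the snapshot format, the 2001:db8::/32 documentation prefix and the MAC addresses are all assumptions constructed for the illustration.

```python
"""Address-history bookkeeping for SLAAC hosts (constructed example)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

LOW64 = (1 << 64) - 1


def eui64_interface_id(mac):
    """Modified EUI-64 interface ID: flip the U/L bit, insert ff:fe in the middle."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6], "big")


def classify(addr, mac):
    """Label an address seen for this MAC: link-local, MAC-derived, or neither."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"
    if int(ip) & LOW64 == eui64_interface_id(mac):
        return "eui64"
    return "other"  # temporary/random, static or DHCPv6: cannot be derived from the MAC


@dataclass
class Binding:
    mac: str
    addr: ipaddress.IPv6Address
    kind: str
    first_seen: datetime
    last_seen: datetime


class AddressHistory:
    """Keeps (MAC, address) bindings with the interval in which each was observed."""

    def __init__(self, retention, slack):
        self.retention = retention  # how long a binding is kept after it was last seen
        self.slack = slack          # tolerance around the interval (snapshots are periodic)
        self._bindings = {}

    def observe(self, when, mac, addr):
        mac = mac.lower()
        ip = ipaddress.IPv6Address(addr)
        b = self._bindings.get((mac, ip))
        if b is None:
            self._bindings[(mac, ip)] = Binding(mac, ip, classify(addr, mac), when, when)
        else:
            b.first_seen = min(b.first_seen, when)
            b.last_seen = max(b.last_seen, when)

    def purge(self, now):
        """Drop bindings last seen before the retention cutoff; return how many."""
        cutoff = now - self.retention
        stale = [k for k, b in self._bindings.items() if b.last_seen < cutoff]
        for k in stale:
            del self._bindings[k]
        return len(stale)

    def who_had(self, addr, when):
        """MACs that held addr at the given time, within the slack."""
        ip = ipaddress.IPv6Address(addr)
        return sorted({b.mac for b in self._bindings.values()
                       if b.addr == ip
                       and b.first_seen - self.slack <= when <= b.last_seen + self.slack})


# Constructed sample data: daily neighbor-table snapshots for two hosts.
T0 = datetime(2011, 11, 17, 8, 0)
DAY = timedelta(days=1)
MAC_A, MAC_B = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
PREFIX = "2001:db8:0:76:"
EUI_A, EUI_B = PREFIX + "200:5eff:fe00:5301", PREFIX + "200:5eff:fe00:5302"
TEMP_A1, TEMP_A2, TEMP_A3 = (PREFIX + s for s in (
    "5c11:22aa:33bb:1", "5c11:22aa:33bb:2", "5c11:22aa:33bb:3"))
TEMP_B1 = PREFIX + "7099:10ab:cd01:1"
SNAPSHOTS = [
    (T0, MAC_A, EUI_A), (T0, MAC_A, TEMP_A1),
    (T0, MAC_B, EUI_B), (T0, MAC_B, TEMP_B1),
    (T0 + DAY, MAC_A, EUI_A), (T0 + DAY, MAC_A, TEMP_A1), (T0 + DAY, MAC_A, TEMP_A2),
    (T0 + 2 * DAY, MAC_A, EUI_A), (T0 + 2 * DAY, MAC_A, TEMP_A2),
    (T0 + 2 * DAY, MAC_A, TEMP_A3), (T0 + 2 * DAY, MAC_B, EUI_B),
]


def trace(retention_days, addr=TEMP_A1,
          incident=T0 + timedelta(hours=6), report=T0 + 14 * DAY):
    """Replay the snapshots, purge as of the report date, then look up the incident."""
    hist = AddressHistory(timedelta(days=retention_days), slack=timedelta(hours=1))
    for when, mac, a in SNAPSHOTS:
        hist.observe(when, mac, a)
    purged = hist.purge(report)
    return purged, hist.who_had(addr, incident)


if __name__ == "__main__":
    for days in (30, 7):
        print(f"retention {days:2d} days ->", trace(days))
```

With the constructed data, a 30-day retention still maps the reported temporary address to its MAC, while a 7-day retention has already discarded every binding by the time the report arrives.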
Lew Wolfgang wrote:
thanks for the info. sounds like SuSE Linux has moved to the new default for IPv6 configuration. Win7 and OSX Lion both default to choosing (and changing) a private IPv6 address. that's what we are watching on the testbed VLAN 44. OSX changes the v6 address every 24 hours and keeps the previous handful active on the interface for some days.
currently the v6 sweeper on V44 tries to keep the newest IPv6 address registered for a device in DNS and LDAP, assuming that it is the "today" or "after reboot" current address even though others may still show up in the neighbor table on the switch. your host is treated to the old v6 sweeper logic so when it saw a SLAAC address it registered that for him and it will stick.
The random address will change, though I don't know when, other than rebooting does it. However, why do they insist on calling it "private", when it's not. It might be called a "privacy" address, as it makes it more difficult to trace, but it's still a public address that can be reached from the public internet. A private address is one that exists only on the local lan, such as the RFC1918 IPv4 addresses. The link local IPv6 addresses can serve the same function, as can other limited scope IPv6 addresses.
On 11/17/2011 01:15 PM, James Knott wrote:
The random address will change, though I don't know when, other than rebooting does it. However, why do they insist on calling it "private", when it's not. It might be called a "privacy" address, as it makes it more difficult to trace, but it's still a public address that can be reached from the public internet. A private address is one that exists only on the local lan, such as the RFC1918 IPv4 addresses. The link local IPv6 addresses can serve the same function, as can other limited scope IPv6 addresses.
I agree about the "private" thing, but don't make anything of it. The fellow writing the note knows the difference. Apparently OSX Lion will change its "privacy" address once per day, and keep stale ones around for a while. Maybe this is to handle those really long round-trip packet time routes? :-) As an aside, I once worked on a project that had round-trip packet times measured in hours. We used UDP and hoped for the best. Yes, SuSE was there... Regards, Lew
Lew Wolfgang wrote:
On 11/17/2011 01:15 PM, James Knott wrote:
The random address will change, though I don't know when, other than rebooting does it. However, why do they insist on calling it "private", when it's not. It might be called a "privacy" address, as it makes it more difficult to trace, but it's still a public address that can be reached from the public internet. A private address is one that exists only on the local lan, such as the RFC1918 IPv4 addresses. The link local IPv6 addresses can serve the same function, as can other limited scope IPv6 addresses.
I agree about the "private" thing, but don't make anything of it. The fellow writing the note knows the difference.
Apparently OSX Lion will change its "privacy" address once per day, and keep stale ones around for a while. Maybe this is to handle those really long round-trip packet time routes? :-)
That would be comparable to getting a new DHCP address every morning. And yes, it does hang on to old addresses for a while for that reason. With IPv6, it's possible to smoothly renumber an entire network with that. You just add on your new subnet, update the DNS, and eventually let the old addresses die, so you can turn down the old subnet.
As an aside, I once worked on a project that had round-trip packet times measured in hours.
Ouch!!!
On Thursday 17 November 2011, James Knott wrote:
Also, a router normally passes all valid addresses from a subnet, unless specifically configured not to. As an example, my firewall/router here is a Linux box. For me to limit what addresses can pass through it, I'd have to use the iptables rules to block some addresses.
Yes and what's wrong with using iptables? Only incompetent network admins are using iptables or what?
But I, as a network admin, can expect my users to comply with the rules I've set up for the network, so it's their problem, either they want access or they don't. Now wouldn't it be greatly helpful if you/your system could *easily* adapt to these rules?
If your rules don't allow normal, out of the box, behaviour, then your rules are wrong, unless you're prepared to configure every computer to comply with them.
That's simply not true. If you would plug your box into my network here then I would not route anything from you regardless which IP you are using. This is what I'm doing here and I consider it right because I don't want clients like you using my net.
This is most definitely not a user issue as most users wouldn't have a clue about it. As a network admin, I'd expect you to know the implications of what you do. Blocking addresses that are not based on the MAC is not a suitable policy,
How do you know the policies and requirements of Lew's network?
in that, by default, later versions of Linux & Windows provide both MAC based and random IP addresses..
Neither windows nor linux client _provides_ the address but the owner of the net you want to be part of. BTW back to Lew's problem ... Reading his last posting you see that obviously he has no problems to access the net. Network admin just told him to not use random addresses or they _will_ block him soon. (If I got it right.) cu, Rudi
Rüdiger Meier wrote:
On Thursday 17 November 2011, James Knott wrote:
Also, a router normally passes all valid addresses from a subnet, unless specifically configured not to. As an example, my firewall/router here is a Linux box. For me to limit what addresses can pass through it, I'd have to use the iptables rules to block some addresses.
Yes and what's wrong with using iptables? Only incompetent network admins are using iptables or what?
My point was not about iptables, but rather I'd have to take specific actions to limit what addresses are passed/blocked by the router.
But I, as a network admin, can expect my users to comply with the rules I've set up for the network, so it's their problem, either they want access or they don't. Now wouldn't it be greatly helpful if you/your system could *easily* adapt to these rules?
If your rules don't allow normal, out of the box, behaviour, then your rules are wrong, unless you're prepared to configure every computer to comply with them.
That's simply not true. If you would plug your box into my network here then I would not route anything from you regardless which IP you are using. This is what I'm doing here and I consider it right because I don't want clients like you using my net.
Get a computer running Windows 7 and plug it into your network without modification and see what happens. This is what is happening all over the world. If your network config blocks this, then you have a big problem of your own creation. You either change the network rules or you change all the computers on your network. Your choice.
This is most definitely not a user issue as most users wouldn't have a clue about it. As a network admin, I'd expect you to know the implications of what you do. Blocking addresses that are not based on the MAC is not a suitable policy,
How you know the policies and requirements of Lew's network?
in that, by default, later versions of Linux & Windows provide both MAC based and random IP addresses..
Neither windows nor linux client _provides_ the address but the owner of the net you want to be part of.
The network provides the most significant bits (the subnet address only). The host portion of the address is provided by the computer, unless DHCP is used. The host portion may be determined by MAC address, random number or, as in this case, both. In Windows 7, run ipconfig and tell me what you see w.r.t. IPv6 addresses. You will see an IPv6 address based on the MAC, a temporary IPv6 address based on a random number, a link local address starting with FE80 and a Teredo tunnel address, unless it has been disabled. Both the MAC and random addresses will be valid on your subnet.
BTW back to Lew's problem ... Reading his last posting you see that obviously he has no problems to access the net. Network admin just told him to not use random addresses or they _will_ block him soon. (If got it right.)
That's also my impression and it means they will be blocking Windows 7 (and other later Windows versions) too. Use Wireshark to take a look at what happens when you, for example, connect to a web site. It will identify your computer by the temporary address, whether in 12.1 or Windows 7. You will not see the MAC based address, unless some other computer connects to yours.
On Thursday 17 November 2011, James Knott wrote:
Rüdiger Meier wrote:
That's simply not true. If you would plug your box into my network here then I would not route anything from you regardless which IP you are using. This is what I'm doing here and I consider it right because I don't want clients like you using my net.
Get a computer running Windows 7 and plug it into your network without modification and see what happens.
As I said nothing would happen. I expect the similar behavior as I would plug a banana into my network.
cu, Rudi
Rüdiger Meier wrote:
On Thursday 17 November 2011, James Knott wrote:
Rüdiger Meier wrote:
That's simply not true. If you would plug your box into my network here then I would not route anything from you regardless which IP you are using. This is what I'm doing here and I consider it right because I don't want clients like you using my net.
Get a computer running Windows 7 and plug it into your network without modification and see what happens.
As I said nothing would happen. I expect the similar behavior as I would plug a banana into my network.
cu, Rudi
If your network chokes on random IPv6 addresses, then you will have the same problem as the OP. A random address is a random address, whether on Linux or Windows. Both Windows 7 and 12.1 behave the same in this respect. Why do you insist otherwise?
On 11/17/2011 08:24 AM, Rüdiger Meier wrote:
BTW back to Lew's problem ... Reading his last posting you see that obviously he has no problems to access the net. Network admin just told him to not use random addresses or they _will_ block him soon. (If got it right.)
Hi Rudi,
Correct. The box is working well except for their nagging sweeper. I've been in touch with the admins and have some new information that I'll post in a bit.
Thanks, Lew
On Thursday 17 November 2011, Lew Wolfgang wrote:
On 11/17/2011 08:24 AM, Rüdiger Meier wrote:
BTW back to Lew's problem ... Reading his last posting you see that obviously he has no problems to access the net. Network admin just told him to not use random addresses or they _will_ block him soon. (If got it right.)
Hi Rudi,
Correct. The box is working well except for their nagging sweeper.
And to be 100% sure, this nagging comes from your admin's mouth and not via icmp6 or syslog, right?
I've been in touch with the admins and have some new information that I'll post in a bit.
OK. Sry for messing up your thread with the other wasteful discussions ;)
cu, Rudi
On 11/17/2011 09:43 AM, Rüdiger Meier wrote:
On Thursday 17 November 2011, Lew Wolfgang wrote:
On 11/17/2011 08:24 AM, Rüdiger Meier wrote:
BTW back to Lew's problem ... Reading his last posting you see that obviously he has no problems to access the net. Network admin just told him to not use random addresses or they _will_ block him soon. (If got it right.)
Hi Rudi,
Correct. The box is working well except for their nagging sweeper.
And to be 100% sure, this nagging comes from your admin's mouth and not via icmp6 or syslog, right?
Hi Rudi, The nagging comes from an automatically generated email notification that says I have two weeks to fix the private address problem or face blocking. This network is not an ISP open to the public, so blocking on their terms is within their purview.
I've been in touch with the admins and have some new information that I'll post in a bit.
OK. Sry for messing up your thread with the other wasteful discussions ;)
Ack! No apologies necessary! I've learned lots about IPv6 thanks to the discussions and I appreciate it.
Regards, Lew
Lew Wolfgang wrote:
The nagging comes from an automatically generated email notification that says I have two weeks to fix the private address problem or face blocking. This network is not an ISP open to the public, so blocking on their terms is within their purview.
If they're choking on a random address that's valid for your subnet, ask them why they call it a private address, when it most certainly is not a private address. The random addresses, in both Linux & Windows have the same first 64 bits as the MAC based address. If they insist on calling it private, then they are clearly indicating they do not know what they're talking about. You may want to show them this link. Please note this is an RFC, which describes IETF standard practices. https://www.ietf.org/rfc/rfc3041.txt
On Thursday 17 November 2011, Lew Wolfgang wrote:
On 11/16/2011 08:34 AM, Ruediger Meier wrote:
As others have mentioned already the network staff probably wants to track what _your_ machine is doing within the network thus they don't allow you to use randomized addresses for a good reason.
Yes, this is the case. The network infrastructure requires that any device touching the network be pre-registered, with enforcement implemented with the MAC address.
Have you tried to manually enforce a particular source IP? So if this is your config
    eth0 Link encap:Ethernet HWaddr 00:xx:E8:08:00:43
         inet addr:xxx.yy.77.50 Bcast:xxx.yy.79.255 Mask:255.255.252.0
         inet6 addr: xxxx:yyy:zz:76:224:e8ff:fe08:43/64 Scope:Global
         inet6 addr: fe80::xxx:e8ff:fe08:43/64 Scope:Link
         inet6 addr: xxxx:yyy:zz:76:54d2:36fb:2fd5:56b6/64 Scope:Global
Try
    ping6 -n -I xxxx:yyy:zz:76:224:e8ff:fe08:43 2001:470:0:76::2
and
    ping6 -n -I xxxx:yyy:zz:76:54d2:36fb:2fd5:56b6 2001:470:0:76::2
What gives
    ip route get 2001:470:0:76::2
Can you ping6 your router?
cu Rudi
On 11/16/2011 06:43 PM, Rüdiger Meier wrote:
On Thursday 17 November 2011, Lew Wolfgang wrote:
On 11/16/2011 08:34 AM, Ruediger Meier wrote:
As others have mentioned already the network staff probably wants to track what _your_ machine is doing within the network thus they don't allow you to use randomized addresses for a good reason.
Yes, this is the case. The network infrastructure requires that any device touching the network be pre-registered, with enforcement implemented with the MAC address.
Have you tried to manually enforce a particular source IP?
So if this is your config
    eth0 Link encap:Ethernet HWaddr 00:xx:E8:08:00:43
         inet addr:xxx.yy.77.50 Bcast:xxx.yy.79.255 Mask:255.255.252.0
         inet6 addr: xxxx:yyy:zz:76:224:e8ff:fe08:43/64 Scope:Global
         inet6 addr: fe80::xxx:e8ff:fe08:43/64 Scope:Link
         inet6 addr: xxxx:yyy:zz:76:54d2:36fb:2fd5:56b6/64 Scope:Global
Try
    ping6 -n -I xxxx:yyy:zz:76:224:e8ff:fe08:43 2001:470:0:76::2
and
    ping6 -n -I xxxx:yyy:zz:76:54d2:36fb:2fd5:56b6 2001:470:0:76::2
Hi Rudi,
Both of the ping6 commands worked:
    64 bytes from 2001:470:0:76::2: icmp_seq=1 ttl=58 time=857 ms
    64 bytes from 2001:470:0:76::2: icmp_seq=2 ttl=58 time=81.4 ms
What gives
    ip route get 2001:470:0:76::2
    ironhead:~ # ip route get 2001:470:0:76::2
    2001:470:0:76::2 from :: via fe80::212:f2ff:fe95:c300 dev eth0 src xxxx:yyy:zz:76:9db4:e194:e0c4:3126 metric 0
        cache
Can you ping6 your router?
Yes. Also, I can ssh into the box and it connects with its ipv6 global address, it doesn't fall back to ipv4. Everything seems to be working except the network infrastructure process to determine public/private addresses.
Regards, Lew
On 11/16/2011 06:33 AM, Ruediger Meier wrote:
I think the infrastructure scanner here looks for a match and if it doesn't find it assumes a private address?
That's what I suspect. Your network admin will have to fix that or expect a lot of problems in the future.
I don't believe that the network staff of that 6000 nodes is completely wrong here. Before asking the admin about _fixing_ his network I would ask him about how your client should be configured.
I work closely with the infrastructure guys, but I haven't brought up this issue yet. I wanted to see if it was a "configuration" issue that differentiated 11.4 from 12.1. Apparently the differences are inherent and we're stuck with what we get in 12.1. This will shake out one of two ways: either they can easily fix their private address determination logic, or they'll just ban openSuSE 12.1 from use on the network.
Regards, Lew
On 11/16/2011 03:56 PM, James Knott wrote:
Lew Wolfgang wrote:
or they'll just ban openSuSE 12.1 from use on the network.
Then they'll also have to ban Windows 7.
Hi James,
Win 7 can be configured to not use private addressing. We have quite a few Win 7 systems on the network (unfortunately).
Regards, Lew
Lew Wolfgang wrote:
On 11/16/2011 03:56 PM, James Knott wrote:
Lew Wolfgang wrote:
or they'll just ban openSuSE 12.1 from use on the network.
Then they'll also have to ban Windows 7.
Hi James,
Win 7 can be configured to not use private addressing. We have quite a few Win 7 systems on the network (unfortunately).
That second address you mentioned, which has the same first 64 bits as your desired address is *NOT* a private address. It is a valid publicly available address for your subnet. The only "private" address you mentioned was the link local address that starts with FE80.
On woensdag 16 november 2011 01:12:55 Lew Wolfgang wrote:
Hi Folks,
I installed RC2 last week on a desktop just for the fun of it. There were a few glitches during the install process but overall it went well.
But I'm having an issue with IPv6 addressing. The install is on a large network that runs both IPv4 and IPv6. Something like 96% of the six-thousand or so hosts are fully IPv6 enabled. openSuSE has always worked well enough in this environment.
See also the discussion that started here: http://lists.opensuse.org/opensuse-factory/2011-01/msg00185.html and possibly other discussions on this list.
-- fr.gr. Freek de Kruijf
On woensdag 16 november 2011 12:13:54 Freek de Kruijf wrote:
On woensdag 16 november 2011 01:12:55 Lew Wolfgang wrote:
Hi Folks,
I installed RC2 last week on a desktop just for the fun of it. There were a few glitches during the install process but overall it went well.
But I'm having an issue with IPv6 addressing. The install is on a large network that runs both IPv4 and IPv6. Something like 96% of the six-thousand or so hosts are fully IPv6 enabled. openSuSE has always worked well enough in this environment.
See also the discussion that started here: http://lists.opensuse.org/opensuse-factory/2011-01/msg00185.html and possibly other discussions on this list.
And http://en.opensuse.org/SDB:Native_IPv6
-- fr.gr. Freek de Kruijf
Lew Wolfgang wrote:
Ifconfig shows that none of the inet6 address have the lower half of the MAC address as is usual.
All devices have a "link local" address that start with "fe80" and contain the MAC address. The MAC address is padded out to 64 bits by inserting "fffe" in the middle. All devices must have that address as it's used for router and host advertisements. I've noticed both 12.1 and Windows 7 also create a 2nd address that's valid on the local subnet, so it's not a private address. I don't know the purpose of that 2nd address, but as it happens in both Linux and Windows, your network had better get used to dealing with it. BTW, there are 4 ways to generate an IPv6 address:
1) Derived from MAC
2) DHCP
3) Random number
4) Manual configuration
I suspect that 2nd address uses the random method. Also, with IPv6, multiple addresses are not only allowed, they're expected. If your network is rejecting addresses that don't contain the MAC address, then that's where the problem is. A good book for this sort of thing is "IPv6 Essentials" from O'Reilly. http://shop.oreilly.com/product/9780596100582.do
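Added example, not part of the thread: a sketch of how an address sweeper could separate "interface ID is not derived from the MAC" from "address is outside the site prefix", which are the two things the discussion keeps conflating under "private". The MAC, the 2001:db8 documentation prefix and the address list are constructed sample values; the function names are hypothetical. The MAC-derived identifier follows RFC 4291 Appendix A, which inserts ff:fe and also flips the universal/local bit of the first octet.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = interface identifier


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC, as a 64-bit int."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Insert ff:fe in the middle and flip the universal/local bit (0x02).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def classify(addr: str, mac: str, site_prefix: str) -> str:
    """Classify one address of a host whose registered MAC is `mac`."""
    ip = ipaddress.IPv6Interface(addr).ip
    mac_based = (int(ip) & IID_MASK) == eui64_iid(mac)
    if ip.is_link_local:
        return "link-local, MAC-based" if mac_based else "link-local"
    if ip not in ipaddress.IPv6Network(site_prefix):
        return "outside site prefix"
    # A non-MAC interface ID may be an RFC 3041 temporary address, DHCPv6 or
    # manual configuration; the address alone cannot tell these apart.
    return "on-subnet, MAC-based" if mac_based else "on-subnet, non-MAC interface ID"


def audit(addrs, mac, site_prefix):
    """Return {address: verdict} for every address seen for one host."""
    return {a: classify(a, mac, site_prefix) for a in addrs}


# Constructed sample data (assumptions, not values from the thread).
MAC = "00:1b:21:3c:4d:5e"
PREFIX = "2001:db8:0:76::/64"
ADDRS = [
    "2001:db8:0:76:21b:21ff:fe3c:4d5e/64",   # SLAAC, derived from MAC
    "fe80::21b:21ff:fe3c:4d5e/64",           # link-local
    "2001:db8:0:76:54d2:36fb:2fd5:56b6/64",  # same /64, random interface ID
    "2001:db8:0:99::1/64",                   # different subnet
]

if __name__ == "__main__":
    for addr, verdict in audit(ADDRS, MAC, PREFIX).items():
        print(f"{addr:42} {verdict}")
```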
On Wednesday 16 Nov 2011 08:20:23 James Knott wrote:
BTW, there are 4 ways to generate an IPv6 address:
1) Derived from MAC
2) DHCP
3) Random number
4) Manual configuration
This is not quite accurate, it should be something like:
1. Stateless auto configuration
2. Stateful auto configuration
3. Manual configuration
With stateless auto-conf (the most common and seemingly preferred method) this includes both mac and random generated suffixes to the address. The address network is (usually) broadcast to the network with something like radvd (router advertisement daemon) e.g.
    Src: fe80::xxxx.xxxx.xxxx.xxxx
    Dst: IPv6 multicast to ff02::1
The payload will contain at least the network prefix info and the link layer (mac) address of the router. In practice it often also contains DNS server info and other meta data. It's also possible, depending on the IPv6 stack implementation, for addresses to be auto-configured through neighbor solicitation/advertisement. If you're curious to see what this traffic looks like, fire up wireshark and set the filter to "icmpv6"
Stateful auto configuration is using DHCP6, but most IPv6 gurus will tell you this is quite a hack, and really not how IPv6 was engineered to be used.
participants (8)
- Freek de Kruijf
- Graham Anderson
- James Knott
- Jon Nelson
- Lew Wolfgang
- Ruediger Meier
- Rüdiger Meier
- Sebastian Freundt