Mailinglist Archive: opensuse-factory (1578 mails)

Re: [opensuse-factory] Re: 12.1 IPv6 addressing issue
Rüdiger Meier wrote:
On Thursday 17 November 2011, James Knott wrote:

Also, a router normally passes all valid addresses from a subnet, unless
specifically configured not to. As an example, my firewall/router
here is a Linux box. For me to limit what addresses can pass through
it, I'd have to use the iptables rules to block some addresses.
Yes and what's wrong with using iptables? Only incompetent network
admins are using iptables or what?

My point was not about iptables, but rather I'd have to take specific actions to limit what addresses are passed/blocked by the router.
But I, as a network admin, can expect my users to comply with the
rules I've set up for the network, so it's their problem, either
they want access or they don't. Now wouldn't it be greatly helpful
if you/your system could *easily* adapt to these rules?
If your rules don't allow normal, out of the box, behaviour, then
your rules are wrong, unless you're prepared to configure every
computer to comply with them.
That's simply not true. If you would plug your box into my network here
then I would not route anything from you regardless of which IP you are
using. This is what I'm doing here and I consider it right because I
don't want clients like you using my net.



Get a computer running Windows 7 and plug it into your network without modification and see what happens. This is what is happening all over the world. If your network config blocks this, then you have a big problem of your own creation. You either change the network rules or you change all the computers on your network. Your choice.

This is most definitely not a user
issue as most users wouldn't have a clue about it.
As a network admin, I'd expect you to know the implications of what
you do. Blocking addresses that are not based on the MAC is not a
suitable policy,
How do you know the policies and requirements of Lew's network?

in that, by default, later versions of Linux &
Windows provide both MAC based and random IP addresses.
Neither the Windows nor the Linux client _provides_ the address, but the owner of
the net you want to be part of.
The network provides the most significant bits (the subnet address only). The host portion of the address is provided by the computer, unless DHCP is used. The host portion may be determined by MAC address, random number or, as in this case, both. In Windows 7, run ipconfig and tell me what you see w.r.t. IPv6 addresses. You will see an IPv6 address based on the MAC, a temporary IPv6 address based on a random number, a link local address starting with FE80 and a Teredo tunnel address, unless it has been disabled. Both the MAC and random addresses will be valid on your subnet.
BTW back to Lew's problem ...
Reading his last posting you see that obviously he has no problems
accessing the net. Network admin just told him to not use random addresses
or they _will_ block him soon. (If I got it right.)


That's also my impression and it means they will be blocking Windows 7 (and other later Windows versions) too. Use Wireshark to take a look at what happens when you, for example, connect to a web site. It will identify your computer by the temporary address, whether in 12.1 or Windows 7. You will not see the MAC based address, unless some other computer connects to yours.
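
The address types described in the message above (MAC based, temporary, link local and Teredo) can be told apart from the address alone. The sketch below is an added example, not part of the original post; the sample addresses and the MAC are constructed, using the 2001:db8::/32 documentation prefix.

```python
import ipaddress

def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 host portion, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]        # low 64 bits = host portion
    if iid[3:5] != b"\xff\xfe":                         # EUI-64 inserts ff:fe mid-MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def classify(addr):
    """Label an IPv6 address by how its host portion was formed."""
    ip = ipaddress.IPv6Address(addr)
    if ip.teredo is not None:                           # 2001:0::/32 tunnel address
        return "teredo"
    scope = "link-local" if ip.is_link_local else "subnet"
    mac = mac_from_eui64(addr)
    if mac:
        return f"{scope}, MAC-based ({mac})"
    # A temporary address cannot be proven random from the bits alone; all
    # that can be said is that the host portion is not EUI-64. A random host
    # portion can also contain ff:fe by chance, so a match is a strong hint,
    # not proof.
    return f"{scope}, not MAC-derived (temporary/random, manual or DHCP)"

# Constructed sample addresses for a host with MAC 00:11:22:33:44:55.
SAMPLES = [
    "2001:db8:1:2:211:22ff:fe33:4455",      # MAC based
    "2001:db8:1:2:8d3f:61c2:95aa:4e07",     # temporary (random host portion)
    "fe80::211:22ff:fe33:4455",             # link local
    "2001:0:c000:201:8000:63bf:3fff:fdd2",  # Teredo
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:40} {classify(a)}")
```

A filter or log review that expects only MAC-derived host portions would flag the second sample, which is the address outbound connections use by default on the systems discussed in this thread.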

