[OpenWrt-Devel] IPv6: network segmentation, use of vlan and IPsec
Charlie Smurthwaite
charlie at atechmedia.com
Fri Mar 27 06:15:39 EDT 2015
Hi Gnutella,
This is likely not the correct mailing list for general network
questions like this, and I'd suggest you go to somewhere like
##networking on Freenode to talk about this, however I'll try to answer
your questions :)
Firstly, your question seems to lack the clear distinction that should
be made between Ethernet (layer2) and IPv6 (layer3). Please ensure that
you are clear about the difference and the way in which they interact.
For example you talk about MAC addresses in frames, but this is just a
basic feature of the underlying Ethernet and is unavoidable when using
this medium but would be unnecessary if using a different medium, such
as PPP.
While IPv6 has no broadcast addresses, it does have a large number of
multicast addresses, including some that reach all nodes on a network.
Therefore, if the decision to segment a network is based on having too
much broadcast traffic (which takes a lot of nodes on a gigabit network
to be a problem) then this is unlikely to change with IPv6 due to a
similar volume of multicast traffic.
Another common reason to segment a network is for security and
firewalling, and the choice of layer 3 protocol does not change this.
Nodes on the same layer 2 network (VLAN) will communicate with each
other directly, whereas those on different layer 2 networks will
communicate via a router, which is where firewalling would usually take
place.
You talk about filtering on a switch. This is usually considered a last
resort when it is not practical to segment a network into separate
subnets / VLANs. However as far as I know, the process for filtering
traffic through a Linux switch is the same for IPv6 as it would be in
IPv4, and Linux supports filtering bridged traffic with iptables (and I
assume iptables6 though I have never tested this).
MAC address filtering - unfortunately, I think this question is lacking
some understanding of the interaction between layers. Clients can always
use a fake MAC address, but this only affects the local LAN. MAC
addresses are always stripped from packets when they pass through a router.
It's possible that you aren't talking about MAC addresses at all, but
"EUI-64" IP addresses based on MAC addresses. In this case, you will
find that most clients by default will use their MAC to generate their
primary IP when using SLAAC but will also use additional random
"privacy" addresses. It would probably not be a good idea to try to
modify (NAT) people's IPs as they pass through a router, though it's
certainly possible.
I don't know enough about IPsec to answer your last question.
I hope some of this is helpful :)
Charlie
On 27/03/15 07:33, Jean-Michel Pouré - GOOZE wrote:
> Dear friends,
>
> I am studying IPv6 networks and would like to share some ideas with the
> community. At present, I am not sure to understand how to filter traffic
> and split networks. Here are a few questions:
>
> vlan:
> IPv6 has no broadcast. Do we still need vlans to segment traffic? Would
> you recommend using vlans together with IPv6?
>
> Filtering a switch:
> When a device includes a switch, how do we filter IPv6 traffic on the
> switch? Do we need to use brouting and ebtables, or can it be done with
> iptables6?
>
> MAC address filtering:
> IPv6 embeds the MAC address in frames. Clients may generate fake MAC
> addresses. Is there a way to hide MAC addresses on the router itself?
>
> IPsec:
> IPv6 allows the use of IPsec in IPv6 frames. Can it be done already with a
> combination of FreeRadius, StrongSwan and IPv6? Do you know of working
> configurations in OpenWRT?
>
> Kind regards,
> Gnutella
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
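A worked example of the EUI-64 point raised in the reply above (the MAC-derived SLAAC address versus random "privacy" addresses). This is an added illustration, not code from the thread or from OpenWrt. It assumes plain RFC 4291 modified-EUI-64 SLAAC on a /64; the MAC, prefix and address list are constructed sample data. The ff:fe check is a heuristic: a hand-assigned interface ID could contain those bytes by coincidence.

```python
"""EUI-64 / SLAAC demo (added example, not from the OpenWrt thread).

Assumes a /64 prefix and a 48-bit MAC, as in RFC 4291 modified EUI-64.
The sample MAC, prefix and address list are constructed for the demo.
"""
import ipaddress
from typing import Dict, Iterable, Optional


def mac_to_eui64(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 interface identifier from a 48-bit MAC:
    insert 0xFFFE between the OUI and the device part, then flip the
    universal/local bit (0x02 of the first byte)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host without privacy extensions forms from prefix + MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64(mac))


def eui64_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-style address, or None when the interface
    ID lacks the 0xFFFE marker (random/privacy, manual or DHCPv6 address).
    Heuristic only: a hand-picked IID may contain ff:fe by chance."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr: str) -> str:
    """Rough category of an IPv6 address for the segmentation discussion."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        return "multicast"   # e.g. ff02::1 all-nodes, IPv6's stand-in for broadcast
    if eui64_mac(addr) is not None:
        return "eui64"       # interface ID derived from, and revealing, the MAC
    return "opaque"          # privacy/random, manual or DHCPv6-assigned IID


def mac_leaks(addrs: Iterable[str]) -> Dict[str, str]:
    """Map each address that exposes a MAC to the MAC it exposes.  Unlike the
    Ethernet header, this identifier survives routing: it is layer-3 data."""
    leaks: Dict[str, str] = {}
    for a in addrs:
        mac = eui64_mac(a)
        if mac is not None:
            leaks[a] = mac
    return leaks


if __name__ == "__main__":
    sample_mac = "00:11:22:33:44:55"                      # constructed
    print(slaac_address("2001:db8::/64", sample_mac))     # 2001:db8::211:22ff:fe33:4455
    seen = [                                              # constructed sample addresses
        "fe80::211:22ff:fe33:4455",
        "2001:db8::211:22ff:fe33:4455",
        "2001:db8::a1b2:c3d4:e5f6:718",
        "ff02::1",
    ]
    for a in seen:
        print(f"{a:32} {classify(a)}")
    for a, m in mac_leaks(seen).items():
        print(f"{a} reveals MAC {m}")
```

Two practical consequences follow from the code: a client that spoofs its MAC will, under plain SLAAC, also present a matching spoofed EUI-64 address, so MAC filtering buys nothing against it; and an EUI-64 interface ID is carried inside the IPv6 address across every router on the path, so "routers strip MAC addresses" is true of the Ethernet header but not of the identifier embedded at layer 3. Privacy (temporary) addresses avoid this because their interface IDs are random and classify as "opaque" here.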