Tractor8626 | 1 month ago

Is there an answer yet to the question "how to get random self-assigned addresses into DNS records, firewall rules and switch ACLs?"

jcgl | 1 month ago

802.1x instead of switch ACLs

SSSD (Linux) or Active Directory (Windows) or other more custom solutions for dynamic DNS

Firewall rules that use those dynamic DNS names

Bonus: the relatively recent RFC 9686 that I hope will get some good traction: https://datatracker.ietf.org/doc/rfc9686/

patmorgan23 | 1 month ago

Dynamic DNS, DHCP, and static assignment are all still part of IPv6. Putting single IPs in switch ACLs is an anti-pattern. Consider zero trust or working with whole subnets (they're plentiful in v6) instead.

izacus | 1 month ago

Every IPv6 networker fan has rabidly torn me to pieces when I asked how to deploy DHCPv6.

Apparently it's "not how it's done" and we're "doing it wrong".

My SOHO equipment doesn't really support it either, so it's just as well, staying on IPv4 which does DHCP and solves that problem.

Tractor8626 | 1 month ago

How do you set up dynamic DNS in your network? Which software do you use?

ectospheno | 1 month ago

Turn off temp addresses. If your prefix changes then use ULA addresses.

ectospheno | 1 month ago

I suppose I could have said how.

Windows in PowerShell:

  # Stop generating RFC 4941 temporary addresses
  Set-NetIPv6Protocol -UseTemporaryAddresses Disabled
  # Derive the interface identifier from the MAC (EUI-64) instead of a random value
  Set-NetIPv6Protocol -RandomizeIdentifiers Disabled

Linux:

  # Runtime change; put the same key in /etc/sysctl.d/ to keep it across reboots
  sysctl net.ipv6.conf.all.use_tempaddr=0

or in NetworkManager config file:

  # [ipv6] section of the connection profile
  ip6-privacy=0

OpenBSD:

  # Remove the temporary-address flag from the interface
  ifconfig em0 inet6 -temporary
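As an added example (not code from the thread), a small Python script showing what those settings buy a defender: once temporary addresses and randomized identifiers are off, the SLAAC address is a pure function of the /64 prefix and the MAC, so it can be computed ahead of time and written into a DNS record or an ACL, and with a ULA prefix (RFC 4193) that prefix does not change when the upstream delegation does. The MAC, the ULA prefix and the sample addresses are constructed; the classifier only recognizes EUI-64 identifiers, so RFC 4941 temporary and RFC 7217 stable-privacy identifiers both show up as "opaque".

```python
"""Predict and classify SLAAC addresses once privacy extensions are off.

Added example; the MAC, the ULA prefix and the sample addresses are constructed.
"""
import ipaddress
import secrets

ULA = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 unique local addresses


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A).

    Split the MAC in the middle, insert ff:fe, and invert the universal/local bit.
    """
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip the U/L bit
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable SLAAC address a host forms from PREFIX with randomization off."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def generate_ula_prefix() -> ipaddress.IPv6Network:
    """A /48 under fd00::/8 with a random 40-bit Global ID, as RFC 4193 requires."""
    global_id = secrets.randbits(40)
    return ipaddress.IPv6Network((0xFD << 120 | global_id << 80, 48))


def looks_eui64(addr: ipaddress.IPv6Address) -> bool:
    """True when the interface identifier carries the ff:fe marker of EUI-64."""
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def describe(address: str) -> dict:
    """Scope and identifier type of an address seen on the network.

    Temporary (RFC 4941) and stable-privacy (RFC 7217) identifiers are both
    random-looking, so anything that is not EUI-64 is reported as 'opaque'.
    """
    a = ipaddress.IPv6Address(address)
    if a.is_link_local:
        scope = "link-local"
    elif a in ULA:
        scope = "ula"
    elif a.is_global:
        scope = "global"
    else:
        scope = "other"
    return {"scope": scope, "iid": "eui64" if looks_eui64(a) else "opaque"}


if __name__ == "__main__":
    prefix = "fd12:3456:789a:1::/64"  # constructed ULA /64
    mac = "00:11:22:33:44:55"         # constructed MAC
    expected = slaac_address(prefix, mac)
    print(f"host {mac} will take {expected} -> usable in DNS records and ACLs")
    for seen in [str(expected), "fd12:3456:789a:1:9c3e:7a11:2b4d:f00", "fe80::1"]:
        print(seen, describe(seen))
    print("fresh ULA prefix for a new site:", generate_ula_prefix())
```

Running `describe` over the addresses a host actually holds is the quick check that the settings took effect: a host that still has an "opaque" address in the ULA prefix next to its EUI-64 one is still generating temporary addresses. The EUI-64 dependence is also the trade-off to keep in mind: the address now reveals the MAC, which is exactly what the privacy extensions were hiding.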

Tractor8626 | 1 month ago

Yeah. ULA and nat66 would work nicely. Except you would get murdered for asking about nat66.

bigfatkitten | 1 month ago

"Build yourself an IPAM solution, at great operational cost and complexity."