[Openstack] DHCP for IPv6
Jeremy Stanley
fungi at yuggoth.org
Fri Sep 29 00:37:18 UTC 2017
On 2017-09-28 20:29:38 -0300 (-0300), Jorge Luiz Correa wrote:
> It would be good if developers could know about that because
> privacy extension is becoming the default on every operate
> systems. I've tested last version of *ubuntu and some FreeBSD
> kernels, all operating with privacy extension by default.
>
> So, this way of creating the iptables rules need to be reviewed.
[...]
To accommodate privacy extensions, we'd basically have to give up on
any assumptions as to what the viable source addresses originating
on a port could be (at least within the netmask). This filtering is
the primary mechanism for preventing address spoofing within a
shared network.
By comparison, RFC 4941 privacy extensions are primarily a
protection for desktop/mobile client systems and do little (if
anything) useful for a statically-addressed server. Disabling it
there makes a lot of sense to me, as a privacy/security-conscious
sysadmin.
--
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20170929/d3d79bee/attachment.sig>
More information about the Openstack
mailing list