From: Quantum Scientific
To: netdev@oss.sgi.com
Subject: Re: Kernel 2.6 IPV6 Busted
Date: Sun, 27 Feb 2005 12:20:06 -0600
References: <200502270928.44402.Info@Quantum-Sci.com> <422205F7.4080401@tomt.net>
In-Reply-To: <422205F7.4080401@tomt.net>
Message-Id: <200502271220.06560.Info@quantum-sci.com>

On Sunday 27 February 2005 11:40, Andre Tomt wrote:
> Connection tracking (as in stateful firewalling) do not a useful ipv6
> stack make.. The stack works fine, at least the stack provided in 2.6
> kernels.
...
> You seem to be fixed on the idea that an ipv6 stack has to have stateful
> firewalling, or else it's utter crap, correct?

:-) No, I'll try to say this clearer. The stack works fine in. And out. But for a useful virtual circuit you must have something like connection tracking.

Remember what my issue is:
- I have a very tight firewall,
- I ping6 out,
- The firewall blocks the reply back, because the connection is stateless!
- Same with http, etc.

This means that I have to open for incoming virtually every port I send outgoing to, or else I do not get any replies. This is what I call non-functional, because one does not open incoming ports, for the most part.

Why are you not having this problem?

> Connection tracking is on the way, currently an implementation exists in
> the netfilter.org patch-o-matic svn.

Is this reasonably solid? Does this operate on Layer 3, rather than Layer 2?

> Not all hosts need firewalling at all, or firewalling is provided by
> routers/firewalls for them. I use ipv6 in production networks, on Linux,
> without special patches.

Sorry, I disagree. The whole point of IPV6 is ubiquitous addressing. So every single node must have a good firewall. In fact my router is firewalling as well, so my LAN nodes are double-firewalled. It is irresponsible to not firewall all nodes, as they are supposed to be universally available with this paradigm.

Carl Cook
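As an added illustration of the problem Carl describes (not code from this thread, nor from netfilter), here is a small Python model of a default-deny IPv6 host filter with and without a connection-tracking table. Addresses and ports are constructed; the "open a static inbound port" workaround is shown so its side effect is visible.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str          # "icmpv6" or "tcp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMPv6 (real conntrack keys echo on its id)
    dport: int = 0

HOST = "2001:db8::10"   # constructed local address
PEER = "2001:db8::1"    # constructed remote address

def reply_to(p: Pkt) -> Pkt:
    """Build the reply packet: addresses and ports swapped."""
    return Pkt(p.proto, p.dst, p.src, p.dport, p.sport)

class StatelessFilter:
    """Default-deny inbound; admits only what a static rule opens.
    Without state it cannot tell a reply from an unsolicited packet."""
    def __init__(self, open_rules=()):
        self.open_rules = set(open_rules)   # (proto, dport) pairs opened inbound
    def outbound(self, p: Pkt) -> None:
        pass                                # nothing is remembered
    def inbound_allowed(self, p: Pkt) -> bool:
        return (p.proto, p.dport) in self.open_rules

class ConntrackFilter(StatelessFilter):
    """Same default-deny policy, plus a table of flows this host initiated."""
    def __init__(self):
        super().__init__()
        self.flows = set()
    def outbound(self, p: Pkt) -> None:
        self.flows.add((p.proto, p.src, p.dst, p.sport, p.dport))
    def inbound_allowed(self, p: Pkt) -> bool:
        reverse = (p.proto, p.dst, p.src, p.dport, p.sport)
        return reverse in self.flows or super().inbound_allowed(p)

def run(fw: StatelessFilter) -> dict:
    """ping6 out, open an HTTP connection out, then see what gets back in."""
    ping = Pkt("icmpv6", HOST, PEER)
    http = Pkt("tcp", HOST, PEER, 40000, 80)      # ephemeral source port
    unsolicited_ssh = Pkt("tcp", PEER, HOST, 5555, 22)
    unsolicited_eph = Pkt("tcp", PEER, HOST, 6666, 40000)
    for p in (ping, http):
        fw.outbound(p)
    return {"ping_reply": fw.inbound_allowed(reply_to(ping)),
            "http_reply": fw.inbound_allowed(reply_to(http)),
            "unsolicited_ssh": fw.inbound_allowed(unsolicited_ssh),
            "unsolicited_eph": fw.inbound_allowed(unsolicited_eph)}
```

With the stateless filter both replies are dropped; opening the ephemeral port statically lets the HTTP reply in but also admits anything else aimed at that port, which is the trade-off the conntrack table avoids.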