How to prefer communication in the local subnet using IPv6 ULA instead of IPv6 GUA?
up vote
0
down vote
favorite
all my devices own IPv4, IPv6 LL, IPv6 ULA and IPv6 GUA adresses like this:
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 88:b1:11:ed:21:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp1s0
valid_lft 863780sec preferred_lft 863780sec
inet6 fd00::xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute
valid_lft 6985sec preferred_lft 3385sec
inet6 2003:d4:4f1f:9500:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute
valid_lft 6985sec preferred_lft 1585sec
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Some more complex devices (service providers) have a iptables firewall installed with:
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
When I now try to reach device a from device b via DNS name, sometimes the IPv6 GUA and sometimes the ULA is used. My firewalls allow some ports (e.g. SSH) only for connections from the ULA subnet. Therefore, I want to force the use of ULAs within my subnet.
Is this the right way? How can I solve this problem without disabling my firewalls and without typing the destination IP?
Thank you
EDIT 20181118:
RFC 6724 says: By default, global IPv6 destinations are preferred over ULA destinations, since an arbitrary ULA is not necessarily reachable (Thanks to Ron Maupin). So I obviously did something wrong with my network structure. Is there another way to filter traffic within my subnet using iptables? The global IPv6 prefix is dynamic, so I can't use it in my static iptables to determine if packets come from within my subnet.
networking dns iptables ipv6
asked Nov 17 at 16:56
Santobert
15
add a comment |
up vote
0
down vote
favorite
all my devices own IPv4, IPv6 LL, IPv6 ULA and IPv6 GUA adresses like this:
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 88:b1:11:ed:21:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp1s0
valid_lft 863780sec preferred_lft 863780sec
inet6 fd00::xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute
valid_lft 6985sec preferred_lft 3385sec
inet6 2003:d4:4f1f:9500:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute
valid_lft 6985sec preferred_lft 1585sec
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Some more complex devices (service providers) have a iptables firewall installed with:
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
When I now try to reach device a from device b via DNS name, sometimes the IPv6 GUA and sometimes the ULA is used. My firewalls allow some ports (e.g. SSH) only for connections from the ULA subnet. Therefore, I want to force the use of ULAs within my subnet.
Is this the right way? How can I solve this problem without disabling my firewalls and without typing the destination IP?
Thank you
EDIT 20181118:
RFC 6724 says: By default, global IPv6 destinations are preferred over ULA destinations, since an arbitrary ULA is not necessarily reachable (Thanks to Ron Maupin). So I obviously did something wrong with my network structure. Is there another way to filter traffic within my subnet using iptables? The global IPv6 prefix is dynamic, so I can't use it in my static iptables to determine if packets come from within my subnet.
networking dns iptables ipv6
asked Nov 17 at 16:56
Santobert
15
1
superuser.com/questions/436574/…
– rtaccon
Nov 17 at 17:34
RFC 6724, Default Address Selection for Internet Protocol Version 6 (IPv6) explains how the addresses are supposed to be selected. I will not guarantee that your OS follows the RFC.
– Ron Maupin
Nov 17 at 20:18
Add information from RFC 6724 (Thanks to Ron Maupin). There is still no solution.
– Santobert
Nov 18 at 9:45
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
all my devices own IPv4, IPv6 LL, IPv6 ULA and IPv6 GUA adresses like this:
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 88:b1:11:ed:21:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp1s0
valid_lft 863780sec preferred_lft 863780sec
inet6 fd00::xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute
valid_lft 6985sec preferred_lft 3385sec
inet6 2003:d4:4f1f:9500:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute
valid_lft 6985sec preferred_lft 1585sec
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Some more complex devices (service providers) have a iptables firewall installed with:
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
When I now try to reach device a from device b via DNS name, sometimes the IPv6 GUA and sometimes the ULA is used. My firewalls allow some ports (e.g. SSH) only for connections from the ULA subnet. Therefore, I want to force the use of ULAs within my subnet.
Is this the right way? How can I solve this problem without disabling my firewalls and without typing the destination IP?
Thank you
EDIT 20181118:
RFC 6724 says: By default, global IPv6 destinations are preferred over ULA destinations, since an arbitrary ULA is not necessarily reachable (Thanks to Ron Maupin). So I obviously did something wrong with my network structure. Is there another way to filter traffic within my subnet using iptables? The global IPv6 prefix is dynamic, so I can't use it in my static iptables to determine if packets come from within my subnet.
networking dns iptables ipv6
asked Nov 17 at 16:56
Santobert
15
all my devices own IPv4, IPv6 LL, IPv6 ULA and IPv6 GUA adresses like this:
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 88:b1:11:ed:21:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp1s0
valid_lft 863780sec preferred_lft 863780sec
inet6 fd00::xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute
valid_lft 6985sec preferred_lft 3385sec
inet6 2003:d4:4f1f:9500:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic noprefixroute
valid_lft 6985sec preferred_lft 1585sec
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Some more complex devices (service providers) have a iptables firewall installed with:
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
When I now try to reach device a from device b via DNS name, sometimes the IPv6 GUA and sometimes the ULA is used. My firewalls allow some ports (e.g. SSH) only for connections from the ULA subnet. Therefore, I want to force the use of ULAs within my subnet.
Is this the right way? How can I solve this problem without disabling my firewalls and without typing the destination IP?
Thank you
EDIT 20181118:
RFC 6724 says: By default, global IPv6 destinations are preferred over ULA destinations, since an arbitrary ULA is not necessarily reachable (Thanks to Ron Maupin). So I obviously did something wrong with my network structure. Is there another way to filter traffic within my subnet using iptables? The global IPv6 prefix is dynamic, so I can't use it in my static iptables to determine if packets come from within my subnet.
networking dns iptables ipv6
networking dns iptables ipv6
asked Nov 17 at 16:56
Santobert
15
asked Nov 17 at 16:56
Santobert
15
edited Nov 18 at 9:46
asked Nov 17 at 16:56
Santobert
15
asked Nov 17 at 16:56
Santobert
15
asked Nov 17 at 16:56
Santobert
15
15
1
superuser.com/questions/436574/…
– rtaccon
Nov 17 at 17:34
RFC 6724, Default Address Selection for Internet Protocol Version 6 (IPv6) explains how the addresses are supposed to be selected. I will not guarantee that your OS follows the RFC.
– Ron Maupin
Nov 17 at 20:18
Add information from RFC 6724 (Thanks to Ron Maupin). There is still no solution.
– Santobert
Nov 18 at 9:45
add a comment |
1
superuser.com/questions/436574/…
– rtaccon
Nov 17 at 17:34
RFC 6724, Default Address Selection for Internet Protocol Version 6 (IPv6) explains how the addresses are supposed to be selected. I will not guarantee that your OS follows the RFC.
– Ron Maupin
Nov 17 at 20:18
Add information from RFC 6724 (Thanks to Ron Maupin). There is still no solution.
– Santobert
Nov 18 at 9:45
1
1
superuser.com/questions/436574/…
– rtaccon
Nov 17 at 17:34
superuser.com/questions/436574/…
– rtaccon
Nov 17 at 17:34
RFC 6724, Default Address Selection for Internet Protocol Version 6 (IPv6) explains how the addresses are supposed to be selected. I will not guarantee that your OS follows the RFC.
– Ron Maupin
Nov 17 at 20:18
RFC 6724, Default Address Selection for Internet Protocol Version 6 (IPv6) explains how the addresses are supposed to be selected. I will not guarantee that your OS follows the RFC.
– Ron Maupin
Nov 17 at 20:18
Add information from RFC 6724 (Thanks to Ron Maupin). There is still no solution.
– Santobert
Nov 18 at 9:45
Add information from RFC 6724 (Thanks to Ron Maupin). There is still no solution.
– Santobert
Nov 18 at 9:45
add a comment |
1 Answer
1
active
oldest
votes
up vote
2
down vote
accepted
Try editing /etc/gai.conf and give your ULAs precedence over the GUAs.
If that doesn't help, and assuming DNS returns all tour addresses in random order, a workaround would be to add a new address entry for each machine (maybe under a different subdomain) that returns only the ULA address.
answered Nov 17 at 20:14
dirkt
8,59331121
This would be a solution if I decide to stay with my network structure. RFC 6724 describes this problem without giving a concrete solution. It looks like I did something wrong when I designed my network structure. There should be another solution to determine whether incoming packets are coming from my subnet or not.
– Santobert
Nov 18 at 9:44
RFC 6724 describes how a source address is selected given a destination address. That sometimes GUAs and sometimes ULAs are used as source addresses shows that sometimes GUAs and sometimes ULAs are used as destination addresses, and this usually comes from DNS giving back addresses in random order. If you don't think this is the reason, debug it: Write a simple C program that does host name resolution and prints out the IPv6 address it gets, run it several times. Editing/etc/gai.confshould allow you to prefers ULAs as destination address, fixing the problem.
– dirkt
Nov 18 at 16:54
If you want to determine whether packets come from your subnet or not, you can if course check for all prefixes you assigned on your subnet, including GUAs. Then it won't matter which prefixes are chosen based on DNS.
– dirkt
Nov 18 at 16:56
Thanks for the clarification. I've read some other posts like this that describes my problem pretty well. I don't want to edit a client's configuration unless there is a solution to solve the problem for all clients. The article above recommends using the hostname in iptables. Isn't it unsafe since everyone can assign themselves a different hostname and/or domain?
– Santobert
Nov 18 at 20:38
As I wrote: The problematic point is how your DNS works (and you didn't give any details how it is set up). You also didn't say how you acquire your GUA prefix (from your ISP? Does it change?). To be on the safe side, you must control your DNS (e.g. via a proxy, or even using/etc/hosts). If you can guarantee that either (1) you have special DNS entry only for ULAs, e.g. in a subdomain, or (2) ULAs are always the preferred choice, either via/etc/gai.conf, or via DNS configuration, or (3) your GUA prefix and the DNS entries always match, then you can baseiptablesentries on that.
– dirkt
Nov 19 at 6:43
|
show 4 more comments
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
accepted
Try editing /etc/gai.conf and give your ULAs precedence over the GUAs.
If that doesn't help, and assuming DNS returns all tour addresses in random order, a workaround would be to add a new address entry for each machine (maybe under a different subdomain) that returns only the ULA address.
answered Nov 17 at 20:14
dirkt
8,59331121
This would be a solution if I decide to stay with my network structure. RFC 6724 describes this problem without giving a concrete solution. It looks like I did something wrong when I designed my network structure. There should be another solution to determine whether incoming packets are coming from my subnet or not.
– Santobert
Nov 18 at 9:44
RFC 6724 describes how a source address is selected given a destination address. That sometimes GUAs and sometimes ULAs are used as source addresses shows that sometimes GUAs and sometimes ULAs are used as destination addresses, and this usually comes from DNS giving back addresses in random order. If you don't think this is the reason, debug it: Write a simple C program that does host name resolution and prints out the IPv6 address it gets, run it several times. Editing/etc/gai.confshould allow you to prefers ULAs as destination address, fixing the problem.
– dirkt
Nov 18 at 16:54
If you want to determine whether packets come from your subnet or not, you can if course check for all prefixes you assigned on your subnet, including GUAs. Then it won't matter which prefixes are chosen based on DNS.
– dirkt
Nov 18 at 16:56
Thanks for the clarification. I've read some other posts like this that describes my problem pretty well. I don't want to edit a client's configuration unless there is a solution to solve the problem for all clients. The article above recommends using the hostname in iptables. Isn't it unsafe since everyone can assign themselves a different hostname and/or domain?
– Santobert
Nov 18 at 20:38
As I wrote: The problematic point is how your DNS works (and you didn't give any details how it is set up). You also didn't say how you acquire your GUA prefix (from your ISP? Does it change?). To be on the safe side, you must control your DNS (e.g. via a proxy, or even using/etc/hosts). If you can guarantee that either (1) you have special DNS entry only for ULAs, e.g. in a subdomain, or (2) ULAs are always the preferred choice, either via/etc/gai.conf, or via DNS configuration, or (3) your GUA prefix and the DNS entries always match, then you can baseiptablesentries on that.
– dirkt
Nov 19 at 6:43
|
show 4 more comments
up vote
2
down vote
accepted
Try editing /etc/gai.conf and give your ULAs precedence over the GUAs.
If that doesn't help, and assuming DNS returns all tour addresses in random order, a workaround would be to add a new address entry for each machine (maybe under a different subdomain) that returns only the ULA address.
answered Nov 17 at 20:14
dirkt
8,59331121
This would be a solution if I decide to stay with my network structure. RFC 6724 describes this problem without giving a concrete solution. It looks like I did something wrong when I designed my network structure. There should be another solution to determine whether incoming packets are coming from my subnet or not.
– Santobert
Nov 18 at 9:44
RFC 6724 describes how a source address is selected given a destination address. That sometimes GUAs and sometimes ULAs are used as source addresses shows that sometimes GUAs and sometimes ULAs are used as destination addresses, and this usually comes from DNS giving back addresses in random order. If you don't think this is the reason, debug it: Write a simple C program that does host name resolution and prints out the IPv6 address it gets, run it several times. Editing/etc/gai.confshould allow you to prefers ULAs as destination address, fixing the problem.
– dirkt
Nov 18 at 16:54
If you want to determine whether packets come from your subnet or not, you can if course check for all prefixes you assigned on your subnet, including GUAs. Then it won't matter which prefixes are chosen based on DNS.
– dirkt
Nov 18 at 16:56
Thanks for the clarification. I've read some other posts like this that describes my problem pretty well. I don't want to edit a client's configuration unless there is a solution to solve the problem for all clients. The article above recommends using the hostname in iptables. Isn't it unsafe since everyone can assign themselves a different hostname and/or domain?
– Santobert
Nov 18 at 20:38
As I wrote: The problematic point is how your DNS works (and you didn't give any details how it is set up). You also didn't say how you acquire your GUA prefix (from your ISP? Does it change?). To be on the safe side, you must control your DNS (e.g. via a proxy, or even using/etc/hosts). If you can guarantee that either (1) you have special DNS entry only for ULAs, e.g. in a subdomain, or (2) ULAs are always the preferred choice, either via/etc/gai.conf, or via DNS configuration, or (3) your GUA prefix and the DNS entries always match, then you can baseiptablesentries on that.
– dirkt
Nov 19 at 6:43
|
show 4 more comments
up vote
2
down vote
accepted
up vote
2
down vote
accepted
Try editing /etc/gai.conf and give your ULAs precedence over the GUAs.
If that doesn't help, and assuming DNS returns all tour addresses in random order, a workaround would be to add a new address entry for each machine (maybe under a different subdomain) that returns only the ULA address.
answered Nov 17 at 20:14
dirkt
8,59331121
Try editing /etc/gai.conf and give your ULAs precedence over the GUAs.
If that doesn't help, and assuming DNS returns all tour addresses in random order, a workaround would be to add a new address entry for each machine (maybe under a different subdomain) that returns only the ULA address.
answered Nov 17 at 20:14
dirkt
8,59331121
answered Nov 17 at 20:14
dirkt
8,59331121
answered Nov 17 at 20:14
dirkt
8,59331121
answered Nov 17 at 20:14
dirkt
8,59331121
8,59331121
This would be a solution if I decide to stay with my network structure. RFC 6724 describes this problem without giving a concrete solution. It looks like I did something wrong when I designed my network structure. There should be another solution to determine whether incoming packets are coming from my subnet or not.
– Santobert
Nov 18 at 9:44
RFC 6724 describes how a source address is selected given a destination address. That sometimes GUAs and sometimes ULAs are used as source addresses shows that sometimes GUAs and sometimes ULAs are used as destination addresses, and this usually comes from DNS giving back addresses in random order. If you don't think this is the reason, debug it: Write a simple C program that does host name resolution and prints out the IPv6 address it gets, run it several times. Editing/etc/gai.confshould allow you to prefers ULAs as destination address, fixing the problem.
– dirkt
Nov 18 at 16:54
If you want to determine whether packets come from your subnet or not, you can if course check for all prefixes you assigned on your subnet, including GUAs. Then it won't matter which prefixes are chosen based on DNS.
– dirkt
Nov 18 at 16:56
Thanks for the clarification. I've read some other posts like this that describes my problem pretty well. I don't want to edit a client's configuration unless there is a solution to solve the problem for all clients. The article above recommends using the hostname in iptables. Isn't it unsafe since everyone can assign themselves a different hostname and/or domain?
– Santobert
Nov 18 at 20:38
As I wrote: The problematic point is how your DNS works (and you didn't give any details how it is set up). You also didn't say how you acquire your GUA prefix (from your ISP? Does it change?). To be on the safe side, you must control your DNS (e.g. via a proxy, or even using/etc/hosts). If you can guarantee that either (1) you have special DNS entry only for ULAs, e.g. in a subdomain, or (2) ULAs are always the preferred choice, either via/etc/gai.conf, or via DNS configuration, or (3) your GUA prefix and the DNS entries always match, then you can baseiptablesentries on that.
– dirkt
Nov 19 at 6:43
|
show 4 more comments
This would be a solution if I decide to stay with my network structure. RFC 6724 describes this problem without giving a concrete solution. It looks like I did something wrong when I designed my network structure. There should be another solution to determine whether incoming packets are coming from my subnet or not.
– Santobert
Nov 18 at 9:44
RFC 6724 describes how a source address is selected given a destination address. That sometimes GUAs and sometimes ULAs are used as source addresses shows that sometimes GUAs and sometimes ULAs are used as destination addresses, and this usually comes from DNS giving back addresses in random order. If you don't think this is the reason, debug it: Write a simple C program that does host name resolution and prints out the IPv6 address it gets, run it several times. Editing/etc/gai.confshould allow you to prefers ULAs as destination address, fixing the problem.
– dirkt
Nov 18 at 16:54
If you want to determine whether packets come from your subnet or not, you can if course check for all prefixes you assigned on your subnet, including GUAs. Then it won't matter which prefixes are chosen based on DNS.
– dirkt
Nov 18 at 16:56
Thanks for the clarification. I've read some other posts like this that describes my problem pretty well. I don't want to edit a client's configuration unless there is a solution to solve the problem for all clients. The article above recommends using the hostname in iptables. Isn't it unsafe since everyone can assign themselves a different hostname and/or domain?
– Santobert
Nov 18 at 20:38
As I wrote: The problematic point is how your DNS works (and you didn't give any details how it is set up). You also didn't say how you acquire your GUA prefix (from your ISP? Does it change?). To be on the safe side, you must control your DNS (e.g. via a proxy, or even using/etc/hosts). If you can guarantee that either (1) you have special DNS entry only for ULAs, e.g. in a subdomain, or (2) ULAs are always the preferred choice, either via/etc/gai.conf, or via DNS configuration, or (3) your GUA prefix and the DNS entries always match, then you can baseiptablesentries on that.
– dirkt
Nov 19 at 6:43
This would be a solution if I decide to stay with my network structure. RFC 6724 describes this problem without giving a concrete solution. It looks like I did something wrong when I designed my network structure. There should be another solution to determine whether incoming packets are coming from my subnet or not.
– Santobert
Nov 18 at 9:44
This would be a solution if I decide to stay with my network structure. RFC 6724 describes this problem without giving a concrete solution. It looks like I did something wrong when I designed my network structure. There should be another solution to determine whether incoming packets are coming from my subnet or not.
– Santobert
Nov 18 at 9:44
RFC 6724 describes how a source address is selected given a destination address. That sometimes GUAs and sometimes ULAs are used as source addresses shows that sometimes GUAs and sometimes ULAs are used as destination addresses, and this usually comes from DNS giving back addresses in random order. If you don't think this is the reason, debug it: Write a simple C program that does host name resolution and prints out the IPv6 address it gets, run it several times. Editing
/etc/gai.conf should allow you to prefers ULAs as destination address, fixing the problem.– dirkt
Nov 18 at 16:54
RFC 6724 describes how a source address is selected given a destination address. That sometimes GUAs and sometimes ULAs are used as source addresses shows that sometimes GUAs and sometimes ULAs are used as destination addresses, and this usually comes from DNS giving back addresses in random order. If you don't think this is the reason, debug it: Write a simple C program that does host name resolution and prints out the IPv6 address it gets, run it several times. Editing
/etc/gai.conf should allow you to prefers ULAs as destination address, fixing the problem.– dirkt
Nov 18 at 16:54
If you want to determine whether packets come from your subnet or not, you can if course check for all prefixes you assigned on your subnet, including GUAs. Then it won't matter which prefixes are chosen based on DNS.
– dirkt
Nov 18 at 16:56
If you want to determine whether packets come from your subnet or not, you can if course check for all prefixes you assigned on your subnet, including GUAs. Then it won't matter which prefixes are chosen based on DNS.
– dirkt
Nov 18 at 16:56
Thanks for the clarification. I've read some other posts like this that describes my problem pretty well. I don't want to edit a client's configuration unless there is a solution to solve the problem for all clients. The article above recommends using the hostname in iptables. Isn't it unsafe since everyone can assign themselves a different hostname and/or domain?
– Santobert
Nov 18 at 20:38
Thanks for the clarification. I've read some other posts like this that describes my problem pretty well. I don't want to edit a client's configuration unless there is a solution to solve the problem for all clients. The article above recommends using the hostname in iptables. Isn't it unsafe since everyone can assign themselves a different hostname and/or domain?
– Santobert
Nov 18 at 20:38
As I wrote: The problematic point is how your DNS works (and you didn't give any details how it is set up). You also didn't say how you acquire your GUA prefix (from your ISP? Does it change?). To be on the safe side, you must control your DNS (e.g. via a proxy, or even using
/etc/hosts). If you can guarantee that either (1) you have special DNS entry only for ULAs, e.g. in a subdomain, or (2) ULAs are always the preferred choice, either via /etc/gai.conf, or via DNS configuration, or (3) your GUA prefix and the DNS entries always match, then you can base iptables entries on that.– dirkt
Nov 19 at 6:43
As I wrote: The problematic point is how your DNS works (and you didn't give any details how it is set up). You also didn't say how you acquire your GUA prefix (from your ISP? Does it change?). To be on the safe side, you must control your DNS (e.g. via a proxy, or even using
/etc/hosts). If you can guarantee that either (1) you have special DNS entry only for ULAs, e.g. in a subdomain, or (2) ULAs are always the preferred choice, either via /etc/gai.conf, or via DNS configuration, or (3) your GUA prefix and the DNS entries always match, then you can base iptables entries on that.– dirkt
Nov 19 at 6:43
|
show 4 more comments
draft saved
draft discarded
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1376269%2fhow-to-prefer-communication-in-the-local-subnet-using-ipv6-ula-instead-of-ipv6-g%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
superuser.com/questions/436574/…
– rtaccon
Nov 17 at 17:34
RFC 6724, Default Address Selection for Internet Protocol Version 6 (IPv6) explains how the addresses are supposed to be selected. I will not guarantee that your OS follows the RFC.
– Ron Maupin
Nov 17 at 20:18
Add information from RFC 6724 (Thanks to Ron Maupin). There is still no solution.
– Santobert
Nov 18 at 9:45