On Wed, Apr 12, 2017 at 10:48:50AM +0200, Florian Ermisch wrote:
| Hi everyone,
| 
| is there a way to identify and filter
| automatically generated, MAC-based IPv6
| addresses in pf?
| I think there was some bit set or flipped in
| the MAC-based or the RFC 4941 privacy
| extensions based addresses. But I then
| still had to match an address based on a
| single bit (and the network's prefix, of
| course).
| Are bitwise matches even possible with
| pf?
| 
| The use case, of course, is to prevent
| devices too stupid or too poorly configured
| to use the privacy extensions to access
| anything outside the LAN via IPv6.
| 
| Kind regards, Florian

Even if you could, filtering on the global/local bit like you suggest
(bit 6, when the leftmost bit of the host-part of the address is
numbered 0) won't work.  Privacy addresses all have 0 there.  But
EUI64 addresses are based on the MAC address where that same bit is
inverted.  In MAC addresses, that bit means 'locally administered'
when set to 0, 'globally unique' when set to 1 (which sounds a lot
like the global/local stuff in v6, but is completely different).

Here's a vio0 interface on a Linux KVM vm running OpenBSD:

vio0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 52:54:00:6c:8e:79

Note the '2' in the second nibble there: this is a locally
administered MAC address.  This bit gets *inverted* when generating an
EUI64 address:

        inet6 fe80::5054:ff:fe6c:8e79%vio0 prefixlen 64 scopeid 0x1

So, now you have a 0 in bit 6 of the host part of your EUI64 address.

A more certain way of seeing if an address is EUI64 is to check for
the ff:fe bit in the middle of the host part of the address.  However,
I don't think it's possible to filter on that in pf(4).

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
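The derivation discussed in the thread, as an added example that is not part of either message: it builds the EUI-64 interface ID from a MAC (u/l bit in the first octet inverted, ff:fe inserted in the middle), recovers the MAC again, and shows why a check on bit 6 of the host part cannot separate EUI-64 addresses from RFC 4941 privacy addresses while the ff:fe check can. The privacy-style address below is a constructed sample.

```python
import ipaddress

def interface_id(addr: str) -> bytes:
    """Low 64 bits (host part) of an IPv6 address as 8 bytes."""
    return ipaddress.IPv6Address(addr).packed[8:]

def ul_bit(addr: str) -> int:
    """Bit 6 of the host part, leftmost bit numbered 0 (the u/l bit).
    Privacy addresses (RFC 4941) always carry 0 here; so does an EUI-64
    address derived from a locally administered MAC, hence it is no filter."""
    return (interface_id(addr)[0] >> 1) & 1

def is_eui64(addr: str) -> bool:
    """An EUI-64-derived interface ID has ff:fe in octets 3 and 4 of the host part."""
    iid = interface_id(addr)
    return iid[3] == 0xFF and iid[4] == 0xFE

def mac_to_eui64(mac: str, prefix: str) -> str:
    """Modified EUI-64: flip the u/l bit of the first MAC octet, insert ff:fe
    between the OUI and the device part, append to a /64 prefix (assumed /64)."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02, m[1], m[2], 0xFF, 0xFE, m[3], m[4], m[5]])
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))

def eui64_to_mac(addr: str):
    """Inverse of mac_to_eui64; None when the address is not EUI-64 shaped."""
    if not is_eui64(addr):
        return None
    iid = interface_id(addr)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

# Paul's vio0 link-local address and a constructed privacy-style address.
EUI64_ADDR = "fe80::5054:ff:fe6c:8e79"
PRIVACY_ADDR = "2001:db8::1d2c:9e41:7a3b:c0d5"   # constructed sample

if __name__ == "__main__":
    for a in (EUI64_ADDR, PRIVACY_ADDR):
        print(a, "bit6 =", ul_bit(a), "eui64 =", is_eui64(a), "mac =", eui64_to_mac(a))
    print(mac_to_eui64("52:54:00:6c:8e:79", "fe80::/64"))
```

Both addresses report bit 6 as 0, which is the point of the reply; only the ff:fe check tells them apart.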
