Paul de Weerd <we...@weirdnet.nl> writes:

> On Fri, May 02, 2014 at 06:53:08PM +0200, Jérémie Courrèges-Anglas wrote:
> | > | What's a regular OpenBSD host with no IPv6?  I'd assume that it is
> | > | a host that can perform IPv6 connections to ::1 / localhost and reach
> | > | its neighbors through link-local addresses.
> | >
> | > Why would you expect to be able to reach your neighbors through
> | > link-local addresses if you have "no IPv6" (which I take to mean 'no
> | > *configured* IPv6', please correct me if I'm wrong here)?
> | 
> | I don't make a big difference between automatically or "manually"
> | configured addresses.  They're here and supposed to be usable for
> | whatever purpose, limited only by their intrinsic limitations.
>
> I'm not referring to SLAAC.  I'm referring to addresses that are
> configured on interfaces without the user even requesting them.
> link-local addresses, specifically.

I was actually answering your question about link-local addresses.

> Bring up an interface and you
> have IPv6.  Accessible (and attackable) by everyone on the local
> network (i.e., not firewalled by default).

If you have no use for this interface, why do you bring it up?  Why do
you have services listening on it, be it an IPv4 address or an IPv6
link-local one?

> Why do you expect this to
> work without specific configuration (either setting up a static
> address, configuring SLAAC, by using DHCPv6, or whatever means)?

You know why.  This is how v6 works, and I heard OpenBSD did a pretty
good job at making it work in a pretty safe way.

> | > I believe your expectation here is wrong (although it is the current
> | > state of IPv6 on OpenBSD).  Can you explain why you disagree?
> | 
> | Not really, I'm puzzled by your question.  It works and has always
> | worked but I shouldn't expect them to work...
>
> I'm puzzled by the fact it has always been this way in OpenBSD.  It
> goes against the OpenBSD philosophy.

Maybe it is, or maybe not.  I am not the one that says that (almost?)
all the IPv6 implementations out there, running ND by default, are
wrong.  What's the actual impact?  What are the risks?  How do you
evaluate them?  How much may someone be surprised by this fact?

> I'll try to rephrase the
> question:
>
>       Why do you expect that you are accessible on IPv6
>       when you configure an interface with IPv4?  You
>       don't expect to get IPv4 connectivity when you
>       configure IPv6, do you?

Same answer.  The current practice is to run ND and configure
link-local addresses by default, yet I have to explain why this
assumption should be valid.  This is tiresome.

> I hope this question is less puzzling, apologies if that's still not
> the case.

It's not puzzling anymore, it's merely annoying.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
