How to allowlist outgoing traffic from IPv6 static privacy (RFC7217) addresses

Started by onnieoneone, October 28, 2024, 11:14:23 PM

Hi,

I am migrating to IPv6 only. I have a /48 from my ISP, from which I have created a number of /57 local prefixes in which I am hosting various VMs and physical machines.

All these hosts I have set to use SOII (the OpenBSD name for RFC7217 addresses). In short, each host has a static listening address and fairly rapidly cycles through random(?) addresses in the /57 for outgoing traffic. I think Windows hosts do something similar, so what I am asking here is, I guess, a fairly common use case.

Any incoming traffic through OPNsense is easy to add to allowlists in firewall rules as the address is static, but the outgoing traffic is causing me issues.

I would like to, on a host-by-host basis, create allowlists and thus firewall rules for specific outgoing traffic. So far I have tried allowing by src MAC address (even though it was in an "IPv6" rule); this worked for a while but then started blocking the traffic some hours later*. I have settled on allowing the entire /57 (I basically have a single host in each /57 I have created so far), but this seems unsatisfactory and not a long-term solution.

Does anyone have any advice/war stories regarding the same? I thought I'd check here before I head upstream.

*I had a quick read around, and filtering by MAC does seem to be a bad idea:
- Still true?: https://forum.opnsense.org/index.php?topic=2790.0
- Also seems like it could get bad performance: https://forums.freebsd.org/threads/filtering-by-mac-address.32841/


Place hosts that share an outbound policy in a common network/VLAN and ignore host addresses. Filtering by address does not scale and is easily spoofed.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
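To make the reasoning in the reply above concrete, here is an added example (not code from the thread or from OpenBSD/OPNsense) that models the situation the original post describes: a stable RFC 7217 listening address per prefix plus rotating RFC 4941-style temporary addresses for outgoing connections. It then evaluates the two allowlist styles against those addresses. The prefixes are documentation addresses (2001:db8::/32), the secret key and interface name are hypothetical, and HMAC-SHA256 is an assumed choice of PRF for the RFC 7217 function F (the RFC leaves the PRF to the implementation; OpenBSD's SOII uses its own construction).

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: 2001:db8::/32 is the RFC 3849 documentation range.
LAN_A = ipaddress.IPv6Network("2001:db8:1:a::/64")   # VLAN whose hosts may make this outbound connection
LAN_B = ipaddress.IPv6Network("2001:db8:1:b::/64")   # VLAN with a different outbound policy
SECRET_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # hypothetical per-host secret


def rfc7217_iid(prefix: ipaddress.IPv6Network, net_iface: str, network_id: str,
                dad_counter: int, secret_key: bytes) -> int:
    """Interface identifier per RFC 7217 section 5.

    RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key); the IID is the
    64 least significant bits of the RID. HMAC-SHA256 stands in for F here (assumption).
    Because Prefix is an input, the same host gets a different, but stable, IID
    on every /64 it is attached to.
    """
    if not 0 <= dad_counter < 256:
        raise ValueError("DAD_Counter must fit in one byte in this example")
    msg = (prefix.network_address.packed[:8]      # the 64-bit prefix
           + net_iface.encode()
           + network_id.encode()
           + bytes([dad_counter]))
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(rid, "big") & ((1 << 64) - 1)


def with_iid(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    # For a /64 the low 64 bits of network_address are zero, so OR-ing in the IID is exact.
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def stable_address(prefix, net_iface="vio0", network_id="", dad_counter=0,
                   secret_key=SECRET_KEY) -> ipaddress.IPv6Address:
    """The static listening address: deterministic for (prefix, iface, secret)."""
    return with_iid(prefix, rfc7217_iid(prefix, net_iface, network_id, dad_counter, secret_key))


def temporary_address(prefix, random_iid: bytes) -> ipaddress.IPv6Address:
    """RFC 4941 temporary address: random 64-bit IID with the u/l bit (0x02 of the
    first octet, i.e. bit 57 of the IID) cleared. A real host draws random_iid from
    a CSPRNG and regenerates it on a timer; here the caller supplies the bytes."""
    iid = int.from_bytes(random_iid[:8], "big") & ~(1 << 57)
    return with_iid(prefix, iid)


def allowed_by_host(src: ipaddress.IPv6Address, allowed_hosts) -> bool:
    """What the original post tried: one allowlisted address per host."""
    return src in allowed_hosts


def allowed_by_network(src: ipaddress.IPv6Address, allowed_networks) -> bool:
    """The per-network (per-VLAN /64) policy suggested in the reply above."""
    return any(src in net for net in allowed_networks)


def demo() -> dict:
    """Evaluate both policies against one host's addresses plus a host on another VLAN."""
    stable = stable_address(LAN_A)
    temp1 = temporary_address(LAN_A, bytes.fromhex("3a7f2c9d14e6b850"))  # constructed IIDs
    temp2 = temporary_address(LAN_A, bytes.fromhex("91c0aa5e7d33f012"))
    other_vlan = stable_address(LAN_B)  # same host parameters, different prefix

    host_rule = {stable}
    net_rule = [LAN_A]
    candidates = (stable, temp1, temp2, other_vlan)
    return {
        "host_rule": [allowed_by_host(a, host_rule) for a in candidates],
        "net_rule": [allowed_by_network(a, net_rule) for a in candidates],
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Running it shows the host-based allowlist passing only the stable address and blocking every rotated temporary source, while the network-based rule passes all of the host's addresses and still rejects the host in the other /64. That is the whole argument: temporary addresses move within the prefix, so the prefix (i.e. the VLAN) is the stable thing to write the rule against.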

Patrick's solution is the way to go unless the number of hosts is really small. Keep in mind that any host may have multiple addresses at any time, depending on your network configuration.

If you do want host based rules, you may use (DHCPv6) static address assignments and base your rules on those.

Also, please do not use /57 as LAN networks, you must (almost) always use /64 for IPv6 networks.

Quote from: bimbar on October 29, 2024, 02:45:18 PM
Also, please do not use /57 as LAN networks, you must (almost) always use /64 for IPv6 networks.

My bad, it was late at night when I posted. I have a number of /64s in the /57 that's been delegated to my OPNsense router by my CPE router (that has the /48).

Quote from: Patrick M. Hausen on October 28, 2024, 11:47:11 PM
Place hosts that share an outbound policy in a common network/VLAN and ignore host addresses. Filtering by address does not scale and is easily spoofed.

This seems to be the most straightforward way, thanks for confirming.