[Dshield] IPv6 support?

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Tue Apr 18 22:15:14 GMT 2006

On Tue, 18 Apr 2006 14:39:56 EDT, "Johannes B. Ullrich" said:

> IPv6 will require a very different data structure then IPv4 to do it
> right. Its more difficult then just expanding the address size (and even
> thats not that easy).

Amen to that.  ff02:: and fe80:: are going to be pains, and 6-in-4
addresses for ffff:: are going to suck too...

> One big problem is that I don't really have any good sample data to show
> what regular vs. abnormal IPv6 traffic looks like in iptables. Does
> anybody have such samples? Maybe there is a simple "first cut" I could
> do. But at this point: who would submit data?

Well, here's what a 2.6.17-rc1-mm3 kernel says about an attempted telnet into
the box:

Apr 18 17:20:15 turing-police kernel: IN=eth3 OUT= MAC=00:06:5b:ea:8e:4e:00:0f:35:3e:d4:1a:86:dd SRC=2001:0468:0c80:2105:0211:43ff:feda:d769 DST=2001:0468:0c80:2103:0206:5bff:feea:8e4e LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=57664 DPT=23 WINDOW=5760 RES=0x00 SYN URGP=0 

That's what basically any 2.6.16 or later will show...

(For those who care, my laptop has interfaces:

eth3      Link encap:Ethernet  HWaddr 00:06:5B:EA:8E:4E  
          inet addr:  Bcast:  Mask:
          inet6 addr: 2001:468:c80:2103:206:5bff:feea:8e4e/64 Scope:Global
          inet6 addr: fe80::206:5bff:feea:8e4e/64 Scope:Link
eth5      Link encap:Ethernet  HWaddr 00:02:2D:5C:11:48  
          inet addr:  Bcast:  Mask:
          inet6 addr: 2001:468:c80:2181:202:2dff:fe5c:1148/64 Scope:Global
          inet6 addr: fe80::202:2dff:fe5c:1148/64 Scope:Link

Yes, we support IPv6 on the wireless network (eth5).. ;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20060418/e2069341/attachment.bin

More information about the list mailing list