[squid-dev] [PATCH] IPv6 NDP lookups

Steve Hill steve at opendium.com
Wed Dec 21 12:42:25 UTC 2016

The attached patch is against Squid 3.5.  Given Squid 3.5's status as a 
stable release, this probably won't be integrated into the vanilla Squid 
release, but I'm posting here in case anyone finds it useful, or if 
someone wants to port it to Squid 4.

Squid currently supports ACLs and logformat specifiers which rely on the 
EUI-48 (MAC address) for IPv4 traffic, and EUI-64 for IPv6 traffic.

For IPv4, Squid queries the ARP cache for the client's address.  For 
IPv6, Squid extracts the EUI-64 from site-local SLAAC addresses.  This 
isn't going to work for most clients, since site-local addresses are 
rarely used in the real world.  This patch brings the IPv6 functionality 
in line with the IPv4 functionality by querying the neighbour table 
using rtnetlink.

Open question: we could also pull the EUI-64 from a global scope SLAAC 
address.  Would it be trustworthy enough?  Is it worth doing?  Since 
most clients now use privacy extensions it's probably not worthwhile.


- We have to examine the entire neighbour table since (as far as I can 
tell) the kernel doesn't allow querying a specific IP address.  This 
could be slow if there are a lot of neighbours.

- The IPv4 neighbour table can be retrieved in the same way, so there is 
scope for unifying the IPv6 and IPv4 code.

- The neighbour table contains MAC addresses (i.e. EUI-48), not EUI-64 
addresses.  This patch converts the retrieved EUI-48 into an EUI-64 by 
inserting 0xfffe into the middle.

- If the IPv4/IPv6 code is to be unified in the future, consider 
converting everything to EUI-64 instead of making a distinction between 
EUI-48 and EUI-64.

- This code is useful where users are being authenticated through a 
mechanism other than HTTP proxy auth.  For example, a client can 
identify itself through a captive portal, but then use a combination of 
IPv4 and numerous IPv6 addresses (due to privacy extensions) thereafter. 
  The client can be linked back to their portal login through their MAC, 
irrespective of the IP address they are using for any given request.

- Obviously the client needs to be on the same layer 2 network as Squid, 
so this doesn't help in situations where clients are behind a router.

  - Steve Hill
    Technical Director
    Opendium    Online Safety / Web Filtering    http://www.opendium.com

    Enquiries                 Support
    ---------                 -------
    sales at opendium.com        support at opendium.com
    +44-1792-824568           +44-1792-825748
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eui64.patch
Type: text/x-patch
Size: 4438 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20161221/01a9abde/attachment.bin>

More information about the squid-dev mailing list