[squid-dev] [PATCH] IPv6 NDP lookups
steve at opendium.com
Wed Dec 21 12:42:25 UTC 2016
The attached patch is against Squid 3.5. Given Squid 3.5's status as a
stable release, this probably won't be integrated into the vanilla Squid
release, but I'm posting here in case anyone finds it useful, or if
someone wants to port it to Squid 4.
Squid currently supports ACLs and logformat specifiers which rely on the
EUI-48 (MAC address) for IPv4 traffic, and EUI-64 for IPv6 traffic.
For IPv4, Squid queries the ARP cache for the client's address. For
IPv6, Squid extracts the EUI-64 from site-local SLAAC addresses. This
isn't going to work for most clients, since site-local addresses are
rarely used in the real world. This patch brings the IPv6 functionality
in line with the IPv4 functionality by querying the neighbour table
Open question: we could also pull the EUI-64 from a global scope SLAAC
address. Would it be trustworthy enough? Is it worth doing? Since
most clients now use privacy extensions it's probably not worthwhile.
- We have to examine the entire neighbour table since (as far as I can
tell) the kernel doesn't allow querying a specific IP address. This
could be slow if there are a lot of neighbours.
- The IPv4 neighbour table can be retrieved in the same way, so there is
scope for unifying the IPv6 and IPv4 code.
- The neighbour table contains MAC addresses (i.e. EUI-48), not EUI-64
addresses. This patch converts the retrieved EUI-48 into an EUI-64 by
inserting 0xfffe into the middle.
- If the IPv4/IPv6 code is to be unified in the future, consider
converting everything to EUI-64 instead of making a distinction between
EUI-48 and EUI-64.
- This code is useful where users are being authenticated through a
mechanism other than HTTP proxy auth. For example, a client can
identify itself through a captive portal, but then use a combination of
IPv4 and numerous IPv6 addresses (due to privacy extensions) thereafter.
The client can be linked back to their portal login through their MAC,
irrespective of the IP address they are using for any given request.
- Obviously the client needs to be on the same layer 2 network as Squid,
so this doesn't help in situations where clients are behind a router.
- Steve Hill
Opendium Online Safety / Web Filtering http://www.opendium.com
sales at opendium.com support at opendium.com
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4438 bytes
Desc: not available
More information about the squid-dev