• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Network Isolation, ULA Addresses and Proxy Servers

Started by CaseyR, September 25, 2013, 04:07:13 AM

Previous topic - Next topic

CaseyR

Having recently watched the presentation below, I'm curious as to how to go about accomplishing allowing ULA address to access the internet via proxy. Basically the topic I was in process of researching that lead me to this video was Network Isolation. I'm wanting to make sure I understand all the options available for when it comes to network isolation.

https://www.youtube.com/watch?v=DJSuLcw7zB0

I understand that some may think the idea of using a proxy to allow a ULA to browse the internet defeats the purpose of IPv6 and you are thinking that one should just assign a Global address to a host if it needs access to the internet, but I am trying to understand the concept, it's drawbacks and benefits and what is needed to accomplish such a setup.

I have always wondered about the best way to provide network isolation when it's needed when you don't want a host to have a direct connection to the internet. I am glad from the information I gathered, that Unique Local Addresses are able to be used for VPN links and to attach to networks together. I'm learning all I can about using ULA for site-to-site and road-warrior VPN. The question still remains though what proxies are available that would allow this setup to be deployed? In case of the VPN, what would be done to allow clients access to the internet over the VPN, have the VPN assign both a Global Address and a ULA?

Would I use a squid proxy server? As I understand it squid is ONLY a web proxy. If squid or any other proxy for that matter were used, how would one be able to browse https traffic? It's my understanding that when HTTPS is used, the proxy should allow a direct connection rather than proxying the connection unless the proxy is configured as a intercepting proxy that decrypts traffic and encrypts before presenting to client (Man in the Middle Attack, I know).

If you needed to proxy absolutely every piece of traffic destined for the internet from a ULA network, would squid proxy be able to accomplish this. The most common applications that I can think of that someone would want to access the internet on a isolated network are ssh, http, https, ftp, and instant messaging (yahoo, skype, etc..).

plugwash

Quote from: CaseyR on September 25, 2013, 04:07:13 AM
Would I use a squid proxy server? As I understand it squid is ONLY a web proxy. If squid or any other proxy for that matter were used, how would one be able to browse https traffic? It's my understanding that when HTTPS is used, the proxy should allow a direct connection rather than proxying the connection
When doing https (or in theory any other TCP based protocol) over a http proxy the client uses a command called "connect". This tells the proxy to stop acting as a http proxy and start acting as a dumb forwarder of the byte streams carried in TCP payloads.

The key is that it's only forwarding the payloads. So it's perfectly fine for the client to proxy connection to use private addresses while the proxy to origin server connection uses global addesses. It's even perfectly fine if the client to proxy and proxy to origin server connection use different IP versions.

kasperd

Quote from: plugwash on November 14, 2013, 12:53:53 AMThe key is that it's only forwarding the payloads. So it's perfectly fine for the client to proxy connection to use private addresses while the proxy to origin server connection uses global addesses. It's even perfectly fine if the client to proxy and proxy to origin server connection use different IP versions.
That is entirely true. The drawback of such a setup is that you now have a stateful component between the client and server. So you don't get end-to-end connectivity. If the proxy is restarted all connections are dropped, and they have to be reestablished.

Most webapplications have been designed with this in mind, and such a proxy restart is only mildly annoying. If you are doing other protocols through the proxy, a restart is more bothersome. In the past I have had to do SSH through an HTTP proxy using CONNECT commands. If the proxy was being restarted in such a case, you'd have to log in all over again.