Guess what... other services like DNS need to deal with this too, and so far have not; this is part of what needs to happen before nontrivial scale IPv6 deployment happens...

"Jan Engelhardt" <jengelh@xxxxxxxxxx> wrote:
>
>On Thursday 2010-11-04 03:12, H. Peter Anvin wrote:
>>
>>Consider for example the case where I get from my ISP the netblock
>>2001:0db8:ac10::/48. I subnet this internally with subnet numbers prefixed by
>>/52 security domains, i.e. 2001:0db8:ac10:0000::/52, 2001:0db8:ac10:1000::/52
>>and so forth. Accordingly, my ip6tables would contain rules as to what kind of
>>traffic can flow between these prefixes.
>>
>>Now, the upstream (ISP-assigned) prefix changes to 2001:6b2f:1705::/48. RA
>>will handle reassigning addresses to actual downstream hosts, but things that
>>explicitly encode IPv6 addresses need to be changed, and that includes
>>ip6tables, in this case these rules now need to refer to
>>2001:6b2f:1705:0000::/52, 2001:62bf:1705:1000::/52 and so on.
>
>Now that helps, thanks :)
>
>You could use
>
>   ip6tables -A FORWARD -d 0:0:0:1000::/0:0:0:ffff::
>
>to ignore the changing prefix part.
>
>>You're assuming (a) that I'm talking about a home gateway here (which may be,
>>but is far from certain -- the dynamic prefixes are a design feature of the
>>entire IPv6 Internet, and any entity that is not large enough to have direct
>>access to BGP6 is required to handle arbitrary prefix changes),
>
>I was just assuming this because I would find it highly disturbing if
>my rented-servers-in-a-datacenter suddenly had their prefix changed,
>for then that would also necessitate a change in the DNS zone.
>If you self-host your own DNS zone to which the ISP has no write
>access then good luck.

--
Sent from my mobile phone. Please pardon any lack of formatting.
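Added example, not part of the original message and not netfilter code: a small Python model of the address/mask comparison behind the quoted `-d 0:0:0:1000::/0:0:0:ffff::` rule, evaluated before and after the renumbering described in the thread. The host addresses are constructed, and the second rule with mask `0:0:0:f000::` is an assumption added here to show a match on a whole /52-sized domain rather than a single /64.

```python
import ipaddress

# Rule quoted in the thread: all 16 bits of the 4th group must equal 0x1000.
RULE_FROM_THREAD = "0:0:0:1000::/0:0:0:ffff::"
# Assumption (not in the thread): mask only the top 4 bits of the 4th
# group, so the rule covers a whole /52-sized security domain.
RULE_WHOLE_DOMAIN = "0:0:0:1000::/0:0:0:f000::"

# Constructed sample hosts; the two /48 prefixes are the ones in the thread.
HOSTS = {
    "old prefix, subnet 1000": "2001:db8:ac10:1000::10",
    "new prefix, subnet 1000": "2001:6b2f:1705:1000::10",
    "new prefix, subnet 1abc": "2001:6b2f:1705:1abc::10",
    "new prefix, subnet 2000": "2001:6b2f:1705:2000::10",
    "unrelated site, subnet 1000": "2001:db8:beef:1000::10",
}


def masked_match(addr: str, rule: str) -> bool:
    """Model of an address/mask match: (addr & mask) == (net & mask)."""
    net_s, mask_s = rule.split("/")
    mask = int(ipaddress.IPv6Address(mask_s))
    net = int(ipaddress.IPv6Address(net_s))
    return (int(ipaddress.IPv6Address(addr)) & mask) == (net & mask)


def evaluate(rule: str) -> dict:
    """Return {host label: matched?} for every constructed host."""
    return {label: masked_match(addr, rule) for label, addr in HOSTS.items()}


if __name__ == "__main__":
    for rule in (RULE_FROM_THREAD, RULE_WHOLE_DOMAIN):
        print(rule)
        for label, hit in evaluate(rule).items():
            print(f"  {label:30} {'match' if hit else 'no match'}")
```

Both rules keep matching after the prefix change, but the "unrelated site" row matches too: a rule that ignores the first 48 bits cannot tell the local /48 from any other, so it is normally paired with an interface match (`-i`/`-o`) or a separate check on the current prefix.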