Re: rules matching ipv6 prefix addrs

H. Peter Anvin wrote:
> On 11/03/2010 06:52 PM, Jan Engelhardt wrote:
>> I take it you mean a setup where addresses are automatically assigned
>> (DHCPv6, PPP).

6to4 with the prefix based on a variable IPv4 address, fail-over setup
using links with different prefixes...

> DHCPv6, PPP, RA, anything.

AFAIK PPP only assigns the IPv6 link local addresses so it is not an
issue, and the global prefix must be configured by other means such as
DHCPv6.

> Keep in mind that "expect prefix changes" is 
> a deliberate part of the IPv6 systems design.

I have been using IPv6 for a few years now, and was not aware this was a
design feature. I know two ISPs here that provide IPv6, both assign a
fixed prefix. Also AFAIK IPv6 tunnel brokers assign fixed prefixes. In
my mind, "dynamic" does not necessarily mean "variable".

> Consider for example the case where I get from my ISP the netblock 
> 2001:0db8:ac10::/48.  I subnet this internally with subnet numbers 
> prefixed by /52 security domains, i.e 2001:0db8:ac10:0000::/52, 
> 2001:0db8:ac10:1000::/52 and so forth.

/52 is quite unusual. AFAIK stateless autoconfiguration requires a
prefix length of /64.

> Accordingly, my ip6tables would 
> contain rules as to what kind of traffic can flow between these prefixes.
>
> Now, the upstream (ISP-assigned) prefix changes to 2001:6b2f:1705::/48. 
> RA will handle reassigning addresses to actual downstream hosts, but 
> things that explicitly encode IPv6 addresses need to be changed, and 
> that includes ip6tables, in this case these rules now need to refer to 
> 2001:6b2f:1705:0000::/52, 2001:62bf:1705:1000::/52 and so on.

Are you talking about rules on the router which subnets the block, or on
downstream hosts?
Also, is each subnet prefix on a separate link?
Could you provide an example of such rules?
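
The renumbering case discussed in this thread, as an added example that is not part of the original message or of netfilter: a Python sketch that rebases `ip6tables-save` style rules from the old ISP-assigned /48 to the new one while keeping the subnet and host bits below it. The sample rules and the function names are constructed for illustration; the two /48 prefixes are the ones quoted above.

```python
import ipaddress
import re

def rewrite_token(tok, old, new):
    """Rebase one rule token from `old` to `new`; anything else is returned as is."""
    if ":" not in tok:
        return tok
    try:
        iface = ipaddress.IPv6Interface(tok)
    except ValueError:
        return tok  # MAC address, chain header, packet counters, ...
    if iface.network.prefixlen < old.prefixlen or iface.ip not in old:
        return tok  # outside the delegated block, or a wider covering prefix
    # Keep every bit below the ISP prefix (subnet id and interface id).
    low = int(iface.ip) & ((1 << (128 - old.prefixlen)) - 1)
    ip = ipaddress.IPv6Address(int(new.network_address) | low)
    return f"{ip}/{iface.network.prefixlen}" if "/" in tok else str(ip)

def rewrite_rules(text, old, new):
    """Return `text` with every address under `old` moved under `new`."""
    old, new = ipaddress.IPv6Network(old), ipaddress.IPv6Network(new)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefixes must have the same length")
    # Tokens are separated by whitespace or commas (address lists).
    return re.sub(r"[^\s,]+", lambda m: rewrite_token(m.group(), old, new), text)

# Constructed sample in ip6tables-save format (not taken from the thread).
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 2001:db8:ac10::/52 -d 2001:db8:ac10:1000::/52 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 2001:db8:ac10:1000::/52 -d 2001:db8:ac10::25/128 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 2001:db8:ffff::/48 -j DROP
-A FORWARD -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print(rewrite_rules(SAMPLE_RULES, "2001:0db8:ac10::/48", "2001:6b2f:1705::/48"), end="")
```

The rewritten text can be loaded in one step with `ip6tables-restore`, so the old and new rule sets are never mixed.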