On Thu, 4 Nov 2010, Stephen Clark wrote:

> > Consider for example the case where I get from my ISP the netblock
> > 2001:0db8:ac10::/48. I subnet this internally with subnet numbers prefixed
> > by /52 security domains, i.e. 2001:0db8:ac10:0000::/52,
> > 2001:0db8:ac10:1000::/52 and so forth. Accordingly, my ip6tables would
> > contain rules as to what kind of traffic can flow between these prefixes.
> >
> > Now, the upstream (ISP-assigned) prefix changes to 2001:6b2f:1705::/48. RA
> > will handle reassigning addresses to actual downstream hosts, but things
> > that explicitly encode IPv6 addresses need to be changed, and that includes
> > ip6tables, in this case these rules now need to refer to
> > 2001:6b2f:1705:0000::/52, 2001:62bf:1705:1000::/52 and so on.
> >
> Won't this break existing tcp connections if all of a sudden you get a new
> address?

Actually, not: according to the IPv6 design, the old prefix and address(es)
should be kept until there's a single existing connection (and the old
addresses must not be assigned to new connections of course). That gives a
smooth path to change prefix anytime.

However, as others already expressed, that does not mean upstream should
change the prefix anytime. The whole process is to make it possible to change
*ISP* anytime so the administrators are fully aware that there's a prefix
issue.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
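The rule rewrite that the quoted scenario calls for, as an added example that is not part of the original thread: it moves every address or network inside the old delegated /48 into the new /48 while keeping the /52 subnet and host bits, and leaves everything else untouched. The function names `rebase` and `renumber_rules` are hypothetical, and the ip6tables-save style rules in `SAMPLE_RULES` are constructed for illustration using the two prefixes from the message.

```python
import ipaddress
import re

# Constructed sample in ip6tables-save syntax (not taken from a real ruleset).
SAMPLE_RULES = """\
-A FORWARD -s 2001:db8:ac10::/52 -d 2001:db8:ac10:1000::/52 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 2001:db8:ac10:1000::/52 -d 2001:db8:ac10::25/128 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s fe80::/10 -j ACCEPT
-A FORWARD -j DROP
"""


def rebase(token, old_net, new_net):
    """Return token moved from old_net into new_net, or unchanged if it does not belong to old_net."""
    try:
        iface = ipaddress.IPv6Interface(token)
    except ValueError:
        return token  # not an IPv6 address or network literal (option, port, target, MAC...)
    # Addresses outside the old prefix, and networks wider than it, are left alone.
    if iface.ip not in old_net or iface.network.prefixlen < old_net.prefixlen:
        return token
    # Keep the subnet and host bits below the delegated prefix; swap only the top bits.
    low_bits = int(iface.ip) & int(old_net.hostmask)
    new_ip = ipaddress.IPv6Address(int(new_net.network_address) | low_bits)
    if "/" in token:
        return f"{new_ip}/{iface.network.prefixlen}"
    return str(new_ip)


def renumber_rules(rules_text, old_prefix, new_prefix):
    """Rewrite every whitespace-separated token of rules_text that lies inside old_prefix."""
    old_net = ipaddress.IPv6Network(old_prefix)
    new_net = ipaddress.IPv6Network(new_prefix)
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("old and new delegated prefixes must have the same length")
    return re.sub(r"\S+", lambda m: rebase(m.group(0), old_net, new_net), rules_text)


if __name__ == "__main__":
    print(renumber_rules(SAMPLE_RULES, "2001:0db8:ac10::/48", "2001:6b2f:1705::/48"), end="")
```

Because the old addresses stay in use while existing connections drain, the rewritten rules would be loaded in addition to the old ones during the overlap, with the old-prefix rules removed only once that prefix is retired.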