RE: rules matching ipv6 prefix addrs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: netfilter-devel-owner@xxxxxxxxxxxxxxx
[mailto:netfilter-devel-owner@xxxxxxxxxxxxxxx] On Behalf Of H. Peter
Anvin
>
> On 11/04/2010 07:08 AM, Stephen Clark wrote:
>>>
>>> Now, the upstream (ISP-assigned) prefix changes to 
>>> 2001:6b2f:1705::/48. RA will handle reassigning addresses to actual 
>>> downstream hosts, but things that explicitly encode IPv6 addresses 
>>> need to be changed, and that includes ip6tables, in this case these 
>>> rules now need to refer to 2001:6b2f:1705:0000::/52,
>>> 2001:62bf:1705:1000::/52 and so on.
>>>
>> Won't this break existing tcp connections if all of a sudden you get
a 
>> new address?
>>
>
>Yes.  Welcome to the brave new world of IPv6.  One of many reasons why
>IPv6 IMO is seriously misdesigned, but it's what we have and we no
longer have the time to do anything else.
>
>	-hpa

Ideally, your ISP wouldn't do this to you. Ideally, they would advertise
the new prefix as preferred and deprecate the old one. So connections
using the old prefix would continue to work while new connections should
start using the new prefix. By the time the old prefix is invalid there
should be no TCP connections using it since most TCP connections don't
last as long as the valid lifetime. But since TCP doesn't define a
maximum connection duration, it's still a possibility that long lived
connections could be dropped, no matter how hard the ISP tries to
prevent it. But it does mean that any reasonable IPv6 firewall setup
should deal with multiple prefixes. And it also means that if you have
an application that won't well tolerate dropped connections, you should
probably code it to do a clean close and restart whenever the address at
your end of the socket transitions from preferred to deprecated state.

Jeff Haran
Bytemobile

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux