> From: netfilter-devel-owner@xxxxxxxxxxxxxxx [mailto:netfilter-devel-owner@xxxxxxxxxxxxxxx] On Behalf Of H. Peter Anvin > > On 11/04/2010 07:08 AM, Stephen Clark wrote: >>> >>> Now, the upstream (ISP-assigned) prefix changes to >>> 2001:6b2f:1705::/48. RA will handle reassigning addresses to actual >>> downstream hosts, but things that explicitly encode IPv6 addresses >>> need to be changed, and that includes ip6tables, in this case these >>> rules now need to refer to 2001:6b2f:1705:0000::/52, >>> 2001:62bf:1705:1000::/52 and so on. >>> >> Won't this break existing tcp connections if all of a sudden you get a >> new address? >> > >Yes. Welcome to the brave new world of IPv6. One of many reasons why >IPv6 IMO is seriously misdesigned, but it's what we have and we no longer have the time to do anything else. > > -hpa Ideally, your ISP wouldn't do this to you. Ideally, they would advertise the new prefix as preferred and deprecate the old one. So connections using the old prefix would continue to work while new connections should start using the new prefix. By the time the old prefix is invalid there should be no TCP connections using it since most TCP connections don't last as long as the valid lifetime. But since TCP doesn't define a maximum connection duration, it's still a possibility that long lived connections could be dropped, no matter how hard the ISP tries to prevent it. But it does mean that any reasonable IPv6 firewall setup should deal with multiple prefixes. And it also means that if you have an application that won't well tolerate dropped connections, you should probably code it to do a clean close and restart whenever the address at your end of the socket transitions from preferred to deprecated state. Jeff Haran Bytemobile -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
