From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Jan Engelhardt <jengelh@medozas.de>,
David Miller <davem@davemloft.net>,
netfilter-devel@vger.kernel.org
Subject: Re: rules matching ipv6 prefix addrs
Date: Thu, 04 Nov 2010 12:55:16 +0100
Message-ID: <4CD29F24.70804@plouf.fr.eu.org>
In-Reply-To: <4CD21679.2070508@zytor.com>

H. Peter Anvin wrote:
> On 11/03/2010 06:52 PM, Jan Engelhardt wrote:
>> I take it you mean a setup where addresses are automatically assigned
>> (DHCPv6, PPP).

6to4 with the prefix based on a variable IPv4 address, fail-over setup
using links with different prefixes...

> DHCPv6, PPP, RA, anything.

AFAIK PPP only assigns the IPv6 link local addresses so it is not an
issue, and the global prefix must be configured by other means such as
DHCPv6.

> Keep in mind that "expect prefix changes" is
> a deliberate part of the IPv6 systems design.

I have been using IPv6 for a few years now, and was not aware this was a
design feature. I know two ISPs here that provide IPv6, both assign a
fixed prefix. Also AFAIK IPv6 tunnel brokers assign fixed prefixes. In
my mind, "dynamic" does not necessarily mean "variable".

> Consider for example the case where I get from my ISP the netblock
> 2001:0db8:ac10::/48. I subnet this internally with subnet numbers
> prefixed by /52 security domains, i.e. 2001:0db8:ac10:0000::/52,
> 2001:0db8:ac10:1000::/52 and so forth.

/52 is quite unusual. AFAIK stateless autoconfiguration requires a
prefix length of /64.

> Accordingly, my ip6tables would
> contain rules as to what kind of traffic can flow between these prefixes.
>
> Now, the upstream (ISP-assigned) prefix changes to 2001:6b2f:1705::/48.
> RA will handle reassigning addresses to actual downstream hosts, but
> things that explicitly encode IPv6 addresses need to be changed, and
> that includes ip6tables, in this case these rules now need to refer to
> 2001:6b2f:1705:0000::/52, 2001:62bf:1705:1000::/52 and so on.

Are you talking about rules on the router which subnets the block, or on
downstream hosts?
Also, is each subnet prefix on a separate link?
Could you provide an example of such rules?
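
The renumbering case described in the quoted text above, as an added example that is not part of the original message and was not written by anyone in the thread: it rewrites the addresses in saved ip6tables rule lines from the old /48 to the new one while keeping the subnet and host bits. The function names are hypothetical, the two /48 prefixes come from the quoted scenario, and the rule lines are constructed samples.

```python
import ipaddress
import re

# Prefixes taken from the quoted scenario; the rule lines are constructed samples.
OLD = ipaddress.IPv6Network("2001:0db8:ac10::/48")
NEW = ipaddress.IPv6Network("2001:6b2f:1705::/48")
SAMPLE_RULES = [
    "-A FORWARD -s 2001:db8:ac10::/52 -d 2001:db8:ac10:1000::/52 -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A FORWARD -s 2001:db8:ac10:1000::/52 -d 2001:db8:ac10::/52 -j DROP",
    "-A FORWARD -s 2001:db8:ffff::/48 -p tcp -m tcp --sport 1024:65535 -j ACCEPT",
]

# Loose candidate: anything with a colon, optionally followed by /len.
# ipaddress does the real validation, so port ranges and MACs fall through.
_CANDIDATE = re.compile(
    r"(?<![0-9A-Fa-f:.])([0-9A-Fa-f]*:[0-9A-Fa-f:]*)(/\d{1,3})?(?![0-9A-Fa-f:.])")

def renumber(addr, old, new):
    """Move addr from prefix old to prefix new, keeping the bits below the prefix."""
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefix must have the same length")
    return ipaddress.IPv6Address(
        int(new.network_address) | (int(addr) & int(old.hostmask)))

def rewrite_rule(line, old=OLD, new=NEW):
    """Rewrite every address or subnet inside `old` found in one rule line."""
    def fix(match):
        text, plen = match.group(1), match.group(2) or ""
        try:
            addr = ipaddress.IPv6Address(text)
        except ValueError:
            return match.group(0)      # not an IPv6 address, leave untouched
        if addr not in old or (plen and int(plen[1:]) < old.prefixlen):
            return match.group(0)      # outside the block, or wider than it
        return renumber(addr, old, new).compressed + plen
    return _CANDIDATE.sub(fix, line)

def rewrite_ruleset(lines, old=OLD, new=NEW):
    """Apply rewrite_rule to each line of a saved ruleset."""
    return [rewrite_rule(line, old, new) for line in lines]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_RULES, rewrite_ruleset(SAMPLE_RULES)):
        print(before, "\n  ->", after)
```

Rules that name addresses outside the old /48, or a prefix wider than it, are left as they are and need a manual decision.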