"... that it is practically impossible to host a server on IPv6 without opening up that port in your firewall for all IPv6 hosts. For example, if I want to host a web server on 2001:db8::1, I must add an entry in my screening ACL for ::/0 port 80. This is necessary because I cannot guarantee that my provider-assigned prefix will always be 2001:db8::/64."
Several articles seem to imply that it's common for ISPs to change the prefix. That seems odd to me. It's the equivalent of dynamic IP addressing but seems fairly pointless for IPv6.
Yes, I think it would be odd for the prefix to change frequently.
What would matter is updating the internet DNS(6) entry (or AAAA record) with the whole new address, which would be equivalent to existing dynamic DNS methods.
But back to the firewall rule, remember this is not quite the same as port forwarding. What you are allowing is for traffic arriving at the internet side of the firewall that is requesting destination port 80 at one or more hosts on the internal side of the firewall. Not port 80 on the WAN address of the firewall.
The host portion of the address (the right half if you like) is something you control as it is your network, so you can ensure this is always the same host address, whether assigned by DHCP(6) reservation or stateless auto-configuration based on its MAC address, so for the purpose of an allow rule it should not matter if the prefix (network number or left half) changes.
This will be assisted by firewalls that define their rules symbolically, conceptually something like:
    allow in on interface {WAN} to host {h}, port {http, https} on {LAN subnet}
so that they can reflect current prefixes.
To be really slick, host h above could be just a hostname (locally unique within your network) such that the router notes the host address for this anyway when the server renews its DHCP lease (or possibly during Neighbour Discovery).
I will be looking at how pfSense does this in the 2.1 beta ahead of release, as in IPv4 entries they already allow symbolic names (Firewall Aliases) in rules such that one rule can apply to a group of hosts (or ports, or networks).
Names for networks (like LAN, WAN, DMZ) are abstracted from the physical interface (and/or VLAN) such that you can do things like reassign your "LAN" network from eth0 to eth1, VLAN 100 without rewriting any rules.
As I have commented before, people may first have to wean themselves off the idea of assigning IP addresses manually on each host when adopting IPv6.
I am looking forward to a certain poster (hint beginning with E...) updating their current guidance to use static addressing as a fix for almost every network question.
prompt $P - Invalid drive specification - Abort, Retry, Fail? $G
prlzx on iDNET: ADSL2+ / 21CN at ~4Mbps / 700kbps with IP4/6
Edited by prlzx (Wed 08-May-13 21:59:44)
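As an added illustration of the symbolic-rule idea in the post above (this is constructed example code, not pfSense's or the poster's), the rule below is keyed on the host's interface identifier (the "right half") plus whichever LAN prefix is current, so the same rule object keeps matching the web server after the provider prefix changes. The prefixes, interface identifiers and firewall WAN address are all made-up documentation values.

```python
import ipaddress

# Constructed example: a firewall rule written symbolically as
#   allow in on {WAN} to host {h}, port {http, https} on {LAN subnet}
# The host is identified by its 64-bit interface identifier, not by a full
# address, so a change of the provider-assigned /64 does not rewrite the rule.

SERVICE_PORTS = {"http": 80, "https": 443}


class SymbolicRule:
    def __init__(self, host_iid, services):
        # host_iid: interface identifier as an int (DHCPv6 reservation or
        # a stable SLAAC suffix); must fit in the low 64 bits of the address.
        if not 0 <= host_iid < 2 ** 64:
            raise ValueError("interface identifier must be 64 bits")
        self.host_iid = host_iid
        self.ports = {SERVICE_PORTS[s] for s in services}

    def resolve(self, lan_prefix):
        """Compose the concrete host address from the current LAN /64."""
        net = ipaddress.IPv6Network(lan_prefix)
        if net.prefixlen != 64:
            raise ValueError("an interface identifier assumes a /64 LAN")
        return ipaddress.IPv6Address(int(net.network_address) | self.host_iid)

    def allows(self, lan_prefix, dst_addr, dst_port):
        """Decision for a packet arriving on WAN with this destination."""
        return (ipaddress.IPv6Address(dst_addr) == self.resolve(lan_prefix)
                and dst_port in self.ports)


# Constructed web server: interface identifier ::1, matching 2001:db8::1
# in the quoted article when the LAN prefix is 2001:db8::/64.
WEB = SymbolicRule(host_iid=0x1, services=("http", "https"))


def decisions(rule, lan_prefix, packets):
    """Evaluate a list of (dst_addr, dst_port) packets under one prefix."""
    return [(addr, port, rule.allows(lan_prefix, addr, port))
            for addr, port in packets]


if __name__ == "__main__":
    for prefix in ("2001:db8::/64", "2001:db8:1::/64"):  # before/after change
        print(prefix, "->", WEB.resolve(prefix))
```

Running it shows the rule resolving to 2001:db8::1 under the first prefix and to 2001:db8:1::1 after the constructed prefix change, while port 80 to any other internal host, or to the firewall's own WAN address, is still denied.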