[c-nsp] Handling the inbound ACL's with dynamic pd ipv6 prefix from the ISP
George Manousakis
george at mang.gr
Thu Dec 9 15:08:25 EST 2010
> -----Original Message-----
> From: Per Carlson [mailto:pelle at hemmop.com]
> Sent: Monday, December 06, 2010 12:58 PM
> To: George Manousakis
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Handling the inbound ACL's with dynamic pd ipv6
> prefix from the ISP
>
> > But let's say now that you got an ftp server, or a www server on a host.
> > How can you set your access list? Since you have no clue what your ipv6
> > pd will be like you have to permit all inbound traffic from internet to
> > all hosts to ports 80 and/or 25.
>
> With PD you (most likely) get a prefix shorter than /64. For a SOHO a
> /56 is quite common. This enables you to have more than one subnet
> (256 subnets with a /56) behind the router.
>
> My suggestion is to put all those hosts with public accessible
> services on one subnet, and all clients on another subnet. You can
> then have different ACLs protecting the different subnets (allow any
> -> tcp/80 on the www-server subnet, deny any on the client subnet). If
> you would like to (and have enough subnets) you can put the www-server
> on one subnet and a ftp-server on another as well.
The problem is that the pd assigned from the ISP is not static!
So how can you set ACL rules with a dynamic prefix?
The assignment you say may be used but still you cannot define the
www-server subnet on the ACL because you cannot know what the subnet will be!
>
> Don't fall in the trap thinking of IPv6 as "IPv4 + longer addresses"!
>
> > Is there a way to allow some services to internal hosts without exposing
> > everything to internet?
>
> Yes, use ULAs (RFC4193).
I actually meant how to set the ACL in order to allow access to only one
host and not the whole range. Why would you use ULAs?
>
> I can also recommend reading RFC4864 (Local Network Protection for
> IPV6) which discusses how to move from IPv4+NAT to IPV6 in some
> scenarios.
>
> --
> Pelle
>
> RFC1925, truth 11:
> Every old idea will be proposed again with a different name and
> a different presentation, regardless of whether it works.