[c-nsp] Handling the inbound ACL's with dynamic pd ipv6 prefix from the ISP

George Manousakis george at mang.gr
Sun Dec 5 12:10:44 EST 2010


Hi all,

I adjusted a script to update a local DNS zone file and it worked ok. Now I have
a custom method to update the FQDN to the "dynamic" IPv6 address my server
gets.

Why dynamic? Because the IPv6 address consists of the PD prefix announced by the
ISP and the "static" interface ID part.

Because all hosts have global unicast addresses, you have to add an
access list on the interface facing your provider in order to limit
access to your hosts (where something is not needed).

But let's say now that you have an FTP server or a WWW server on a host. How
can you set your access list? Since you have no clue what your IPv6 PD will
be, you have to permit all inbound traffic from the Internet to all hosts on
ports 80 and/or 25.

In the IPv4/NAT era you didn't have that kind of problem. You NATed what was
necessary to the specific host and you were fine.

Is there any chance to set up an IPv6 ACL configured with a general-prefix? I know
it does not make a lot of sense, but it could be a way to resolve that issue.
Is there a way to allow some services on internal hosts without exposing
everything to the Internet?

(Of course we assume that you do not have a static prefix assigned to you.)

Thanks!
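An added example, not part of the poster's message and not a Cisco or cisco-nsp tool: a small Python script that takes the currently delegated prefix (from whatever source the poster's DNS-update script already reads it), combines it with each host's fixed 64-bit interface identifier, and regenerates a per-host, per-port allow list with a final deny so the ACL can be re-pushed whenever the prefix changes. The host table, the ports, the documentation prefix and the IOS-style ACL text it emits are constructed assumptions for illustration; the only dependency is Python's standard `ipaddress` module.

```python
import ipaddress
from typing import Dict

# Constructed sample: a delegated prefix as the ISP might hand it out
# (RFC 3849 documentation range, chosen for the example).
SAMPLE_PD = "2001:db8:abcd::/48"

# Constructed host table. "subnet" is the /64 index inside the delegated
# prefix, "iid" is the fixed interface identifier the poster keeps static,
# "ports" are the TCP services that should be reachable from the ISP side.
SAMPLE_HOSTS: Dict[str, dict] = {
    "www": {"subnet": 1, "iid": "::1", "ports": [80, 443]},
    "ftp": {"subnet": 1, "iid": "::21", "ports": [21]},
}


def host_address(pd: str, subnet_index: int, iid: str) -> ipaddress.IPv6Address:
    """Combine the delegated prefix, a /64 subnet index inside it and a fixed
    64-bit interface identifier into the host's current global address."""
    net = ipaddress.IPv6Network(pd, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    iid_int = int(ipaddress.IPv6Address(iid))
    if iid_int >> 64:
        raise ValueError("interface identifier must fit in the low 64 bits")
    max_subnets = 1 << (64 - net.prefixlen)
    if not 0 <= subnet_index < max_subnets:
        raise ValueError("subnet index lies outside the delegated prefix")
    # High bits: delegated prefix plus the chosen /64; low bits: static IID.
    base = int(net.network_address) + (subnet_index << 64)
    return ipaddress.IPv6Address(base | iid_int)


def prefix_changed(old_pd: str, new_pd: str) -> bool:
    """True when the ISP delegated a different prefix (case-insensitive,
    compares the networks rather than the raw strings)."""
    return ipaddress.IPv6Network(old_pd) != ipaddress.IPv6Network(new_pd)


def render_acl(pd: str, hosts: Dict[str, dict], name: str = "FROM-ISP") -> str:
    """Build an IOS-style IPv6 ACL body (assumed syntax, not taken from the
    poster's router) that permits only the listed services per host and
    denies the rest. ICMPv6 is permitted wholesale because neighbor
    discovery and path-MTU discovery need it; tighten per RFC 4890 if wanted."""
    lines = [f"ipv6 access-list {name}"]
    for host, spec in hosts.items():
        addr = host_address(pd, spec["subnet"], spec["iid"])
        for port in spec["ports"]:
            lines.append(f" permit tcp any host {addr} eq {port}")
    lines.append(" permit icmp any any")
    lines.append(" deny ipv6 any any log")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Typical use: the DNS-update script already knows the old and new PD;
    # only regenerate (and re-push) the ACL when the prefix really moved.
    previous = "2001:db8:ffff::/48"  # constructed "last seen" prefix
    if prefix_changed(previous, SAMPLE_PD):
        print(render_acl(SAMPLE_PD, SAMPLE_HOSTS))
```

Because the interface identifier is the only stable part of the address, the script treats the prefix as an input and recomputes every `host` entry from it; the resulting text is what would be pushed to the router (or translated to a host firewall) each time `prefix_changed` reports a new delegation, which is the same trigger the poster's zone-file update already reacts to.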
