[c-nsp] Handling the inbound ACLs with dynamic pd ipv6 prefix from the ISP

Per Carlson pelle at hemmop.com
Mon Dec 6 05:58:01 EST 2010


> But let's say now that you got an ftp server, or a www server on a host. How
> can you set your access list? Since you have no clue what your ipv6 pd will
> be like you have to permit all inbound traffic from internet to all hosts to
> ports 80 and/or 25.

With PD you (most likely) get a prefix shorter than /64. For a SOHO a
/56 is quite common. This enables you to have more than one subnet
(256 subnets with a /56) behind the router.

My suggestion is to put all those hosts with publicly accessible
services on one subnet, and all clients on another subnet. You can
then have different ACLs protecting the different subnets (allow any
-> tcp/80 on the www-server subnet, deny any on the client subnet). If
you would like to (and have enough subnets) you can put the www-server
on one subnet and a ftp-server on another as well.

Don't fall in the trap thinking of IPv6 as "IPv4 + longer addresses"!

> Is there a way to allow some services to internal hosts without exposing
> everything to internet?

Yes, use ULAs (RFC4193).

I can also recommend reading RFC4864 (Local Network Protection for
IPv6) which discusses how to move from IPv4+NAT to IPv6 in some
scenarios.

-- 
Pelle

RFC1925, truth 11:
 Every old idea will be proposed again with a different name and
 a different presentation, regardless of whether it works.
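The split Pelle describes, written out as an added Cisco IOS configuration example (this is not part of the original post and not Pelle's configuration). The trick that makes it work without knowing the delegated prefix in advance is twofold: the LAN interfaces take their addresses from the DHCPv6-PD general prefix, and the filters are applied in the "out" direction on each LAN interface (traffic leaving the router towards the hosts), so no ACL entry ever has to name the prefix. Interface names, the general-prefix name PD-PREFIX, the subnet IDs and the port list are assumptions chosen for the example.

```cisco
! WAN side: request a delegated prefix from the ISP and bind it to the
! general prefix PD-PREFIX (name is an assumption for this example)
interface GigabitEthernet0/0
 description Uplink to ISP
 ipv6 enable
 ipv6 dhcp client pd PD-PREFIX
!
! Subnet 1 of the delegated /56: hosts with publicly reachable services
interface GigabitEthernet0/1
 description Server subnet
 ipv6 address PD-PREFIX 0:0:0:1::1/64
 ipv6 traffic-filter SERVERS-IN out
!
! Subnet 2 of the delegated /56: clients only
interface GigabitEthernet0/2
 description Client subnet
 ipv6 address PD-PREFIX 0:0:0:2::1/64
 ipv6 traffic-filter CLIENTS-IN out
!
! Filter for traffic entering the server subnet: new connections only to
! the published services, plus return traffic for connections the
! servers opened themselves. "any any" is what keeps the list
! independent of the delegated prefix.
ipv6 access-list SERVERS-IN
 remark Published services on the server subnet
 permit tcp any any eq 80
 permit tcp any any eq 25
 permit tcp any any established
 permit icmp any any
 deny ipv6 any any log
!
! Filter for traffic entering the client subnet: no new inbound
! connections at all, only replies to what the clients started.
! ND and the ICMPv6 types needed for PMTUD and error signalling are
! listed explicitly, because an explicit "deny ipv6 any any" also
! removes the implicit ND permits IOS otherwise adds at the end.
ipv6 access-list CLIENTS-IN
 remark Clients may initiate, but accept no new inbound connections
 permit tcp any any established
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny ipv6 any any log
```

Two caveats a practitioner should keep in mind. The `established` keyword only checks TCP flags (ACK/RST) and is a stateless approximation; where the platform supports it, a reflexive ACL (`reflect`/`evaluate`) or the zone-based firewall gives real connection tracking, and UDP return traffic is not covered by `established` at all. And if the ISP renumbers the delegated prefix, the interface addresses follow the general prefix automatically, but anything else that had the old prefix hard-coded (DNS records, host static addresses) will not.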



More information about the cisco-nsp mailing list