> -----Original Message-----
> From: Per Carlson [mailto:[email protected]]
> Sent: Monday, December 06, 2010 12:58 PM
> To: George Manousakis
> Cc: [email protected]
> Subject: Re: [c-nsp] Handling the inbound ACL's with dynamic pd ipv6 prefix from the ISP
>
> > But let's say now that you got an ftp server, or a www server on a host. How
> > can you set your access list? Since you have no clue what your ipv6 pd will
> > be like you have to permit all inbound traffic from internet to all hosts to
> > ports 80 and/or 25.
>
> With PD you (most likely) get a prefix shorter than /64. For a SOHO a
> /56 is quite common. This enables you to have more than one subnet
> (256 subnets with a /56) behind the router.
>
> My suggestion is to put all those hosts with publicly accessible
> services on one subnet, and all clients on another subnet. You can
> then have different ACLs protecting the different subnets (allow any
> -> tcp/80 on the www-server subnet, deny any on the client subnet). If
> you would like to (and have enough subnets) you can put the www-server
> on one subnet and an ftp-server on another as well.

The problem is that the pd assigned from the ISP is not static! So how can you set ACL rules with a dynamic prefix? The assignment you describe may be used, but still you cannot define the www-server subnet in the ACL because you cannot know what the subnet will be!

> Don't fall in the trap of thinking of IPv6 as "IPv4 + longer addresses"!
>
> > Is there a way to allow some services to internal hosts without exposing
> > everything to internet?
>
> Yes, use ULAs (RFC4193).

I actually meant how to set the ACL in order to allow access to only one host and not the whole range. Why would you use ULAs?

> I can also recommend reading RFC4864 (Local Network Protection for
> IPv6) which discusses how to move from IPv4+NAT to IPv6 in some
> scenarios.
>
> --
> Pelle
>
> RFC1925, truth 11:
> Every old idea will be proposed again with a different name and
> a different presentation, regardless of whether it works.

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
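As an added illustration (not code from either poster), the script below shows why the dynamic prefix need not block a per-host ACL: only the delegated high bits change, while the subnet ids and the servers' statically configured interface identifiers stay under local control, so the ACL can be derived from whichever prefix is current and re-applied on change. The prefix 2001:db8:1200::/56, the subnet ids, the ::10 and ::11 identifiers and the IOS-style ACE syntax are constructed assumptions for the example.

```python
import ipaddress

# Constructed policy (assumption): subnet id inside the delegated prefix,
# statically configured interface identifier, TCP port. Subnet 1 holds the
# publicly reachable servers, subnet 2 holds the clients.
SERVICES = [
    (1, "::10", 80),  # www server
    (1, "::11", 21),  # ftp server (control channel only)
]
CLIENT_SUBNET_ID = 2

def subnet_for(pd_prefix: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 carrying subnet_id inside the currently delegated prefix."""
    pd = ipaddress.IPv6Network(pd_prefix, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    if not 0 <= subnet_id < (1 << (64 - pd.prefixlen)):
        raise ValueError(f"subnet id {subnet_id} does not fit in a /{pd.prefixlen}")
    return ipaddress.IPv6Network((int(pd.network_address) | (subnet_id << 64), 64))

def host_in(pd_prefix: str, subnet_id: int, iid: str) -> ipaddress.IPv6Address:
    """Combine the derived /64 with a locally chosen 64-bit interface identifier."""
    iid_bits = int(ipaddress.IPv6Address(iid))
    if iid_bits >> 64:
        raise ValueError("interface identifier must fit in the low 64 bits")
    net = subnet_for(pd_prefix, subnet_id)
    return ipaddress.IPv6Address(int(net.network_address) | iid_bits)

def render_acl(pd_prefix: str, name: str = "FROM-INTERNET") -> list[str]:
    """Render IOS-style ACEs: one permit per published host, then deny the rest.
    Only the high bits change on re-delegation, so rerun this and re-apply."""
    lines = [f"ipv6 access-list {name}"]
    for subnet_id, iid, port in SERVICES:
        lines.append(f" permit tcp any host {host_in(pd_prefix, subnet_id, iid)} eq {port}")
    # Handling of return traffic for outbound client sessions is omitted here.
    lines.append(f" deny ipv6 any {subnet_for(pd_prefix, CLIENT_SUBNET_ID)}")
    lines.append(" deny ipv6 any any log")
    return lines

if __name__ == "__main__":
    # Constructed delegated prefix; swap in the one the ISP currently hands out.
    print("\n".join(render_acl("2001:db8:1200::/56")))
```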
