nanog mailing list archives

Re: IPv6 Pain Experiment


From: "tim () pelican org" <tim () pelican org>
Date: Fri, 4 Oct 2019 16:38:41 +0100 (BST)

On Friday, 4 October, 2019 05:55, "Doug Barton" <dougb () dougbarton us> said:

> ... unless you're large enough to have your own address space. And even
> if you do need to change providers, once you have your addressing plan
> in place all you have to change is the prefix.

And if this is hard, we should be beating up hardware (and software) vendors to make it easier.

Case in point, my home broadband has a /56 routed to it.  (It's a dynamic /56, and it does change, which is broken in itself, but that's another discussion).  The ISP-supplied router has a basic GUI-driven IPv6 firewall - in which I can edit only the host parts of the local addresses, and the /64 is automatically filled in from the current prefix.  Routed prefix changes, all the firewall rules change to match.

I'm not a firewall guy, but wouldn't it be cool if grown-up firewalls did this (if they don't already)?  Maybe with a bit more control, so you explicitly set $IPV6_PREFIX somewhere in the config, and can base all your other config off it.  Maybe with the ability to have multiple such prefixes active at the same time, so while you're renumbering, your firewall rules, interface addressing, RAs, ... all cover both IPv6 prefixes just by adding one line of config to the "prefixes I have" stanza.

Even without the tools built-in, s/2001:db8:1::/2001:db8:2::/g feels like a manageable piece of work, not a blocker.

Regards,
Tim.
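
[Added example, not part of the original message and not any vendor's feature.] A sketch of the "prefixes I have" idea described above: rules store only a subnet id and host part, and are rendered once per active routed prefix, so renumbering means adding or removing one list entry. The prefixes, rule table, field names and nftables-style output format are all assumptions made for illustration.

```python
"""Render prefix-independent firewall rules for every active IPv6 prefix."""
import ipaddress

# "Prefixes I have" stanza: constructed documentation prefixes (2001:db8::/32).
# While renumbering, old and new are both listed; afterwards the old one is dropped.
ACTIVE_PREFIXES = ["2001:db8:1::/56", "2001:db8:2::/56"]

# Hypothetical rule templates: subnet id inside the routed prefix plus host part.
RULES = [
    {"name": "web", "subnet": 0x10, "host": "::80", "proto": "tcp", "port": 443},
    {"name": "ssh-bastion", "subnet": 0x20, "host": "::22", "proto": "tcp", "port": 22},
]


def host_address(prefix, subnet_id, host):
    """Combine routed prefix, subnet id and 64-bit host part into one address."""
    # Strict parsing rejects a prefix with stray bits set below its length.
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError(f"{prefix}: routed prefix is longer than /64")
    subnet_bits = 64 - net.prefixlen
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"subnet id {subnet_id:#x} does not fit in {prefix}")
    iid = int(ipaddress.IPv6Address(host))
    if iid >> 64:
        raise ValueError(f"{host}: host part must leave the upper 64 bits zero")
    return ipaddress.IPv6Address(
        int(net.network_address) | (subnet_id << 64) | iid
    )


def render(prefixes, rules):
    """Return one nftables-style rule line per (rule, prefix) pair."""
    lines = []
    for rule in rules:
        for prefix in prefixes:
            addr = host_address(prefix, rule["subnet"], rule["host"])
            lines.append(
                f"ip6 daddr {addr} {rule['proto']} dport {rule['port']} "
                f"accept comment \"{rule['name']}\""
            )
    return lines


if __name__ == "__main__":
    print("\n".join(render(ACTIVE_PREFIXES, RULES)))
```

Rejecting an out-of-range subnet id or a host part that spills into the upper 64 bits keeps a typo in one template from silently opening a rule for an address in someone else's subnet.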


