[CentOS] transition to ip6

Mon Apr 2 15:56:42 UTC 2012
Peter Eckel <lists at eckel-edv.de>

Hi Les (sorry for calling you 'Lee' before), 

> What is typical or reasonable for source address restrictions? That
> is, if there are 2 global organizations, and one wants to increase
> the security on access to a service by limiting to the source
> addresses that might come from the other, is there a sane way to
> specify it, and to make the application use those addresses at the
> right times if the interface has others?

In general, all IPv6 addresses on a given interface will have the same network prefix, and that will (except in some ... exotic ... cases) be a /64. So setting up the address filter on the server side to the whole /64 will make most sense. 

When the client has only one interface, that should be all there is to do. When it has more than one interface, as Adam previously noted, you'll use routing tables to make sure external traffic uses the /64 that is allowed on the external server, while internal traffic uses whatever is needed. 

If you are required to use one single address to connect to the external server and have only one interface, configuring the software to bind to the permitted v6 address will do the trick. It will also use that one for internal traffic, but that won't matter as it's on the same /64 as the other addresses on that LAN.

I'm not sure how to handle the case where you have one interface with several v6 addresses for external traffic and one or more interfaces for internal traffic and have to use one specific address on the external interface because of single-address restrictions on the external server. I'd say, either don't do it (filter on /64 instead), or remove all addreesses but the one required from the external interface and let routing tables handle the rest.