6

I have a section on a website that blocks access to all IPs, except for those that are whitelisted. For IPv4, this is very simple, because even with dynamic IPs, they generally won't change for months, or even years.

However, with IPv6, these seem to alternate every 24 hours or so. This means that I can't simply whitelist the initial IPv6 IP and call it good, because it'll just change again too quickly. Therefore, I need to whitelist a whole range. Even after reading about and testing IPv6 over the past couple of days, I'm still not confident I've got a handle on it.

Here's what I've got:

    order deny,allow
    allow from 1234:123:4567:ab1::/64
    deny from all

The first 4 sections of the IP address never change, but the last 4 sections constantly change. Is this the correct way to whitelist an individual's IP in this context?

IPv6Quest

1 Answer

4

With IPv6 you have to start thinking in terms of subnets, rather than individual IP addresses. A /64 subnet is allocated to a physical LAN (or VLAN) and hosts in that subnet may be assigned addresses in that subnet in a variety of ways, and may change them arbitrarily if configured to do so (e.g. privacy addresses).

It is not possible to be certain that two different IPv6 addresses in a subnet correspond to the same machine, but you can be reasonably sure that a given IPv6 /64 corresponds to a subnet and of course all of the hosts in it.

Michael Hampton
  • 252,907
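
The subnet-level matching described in the answer above, as an added example that is not part of the original question or answer. It uses Python's standard `ipaddress` module to derive the /64 that covers an observed client address and to evaluate an allowlist the way a prefix rule would. The function names, the IPv4 entry and the sample client addresses are constructed for illustration.

```python
import ipaddress

# Constructed allowlist: the /64 from the question plus one IPv4 host
# taken from the documentation range (an assumption, not from the page).
ALLOWLIST = [
    ipaddress.ip_network("1234:123:4567:ab1::/64"),
    ipaddress.ip_network("203.0.113.7/32"),
]


def covering_64(observed):
    """Return the /64 network containing an observed IPv6 client address."""
    addr = ipaddress.IPv6Address(observed)
    # strict=False masks off the 64 host bits instead of rejecting them.
    return ipaddress.IPv6Network(f"{addr}/64", strict=False)


def is_allowed(client, allowlist=ALLOWLIST):
    """True if the client address falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # unparseable input is denied, never allowed
    # Dual-stack listeners may report IPv4 clients as ::ffff:a.b.c.d;
    # unwrap so they are matched against the IPv4 entries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in allowlist)


if __name__ == "__main__":
    # Constructed sample clients: two rotating privacy addresses in the
    # same /64, a neighbouring /64, and an IPv4-mapped address.
    for client in ("1234:123:4567:ab1:8d2e:91ff:fe3a:77c4",
                   "1234:123:4567:ab1:51c0:2b7e:09aa:e413",
                   "1234:123:4567:ab2::1",
                   "::ffff:203.0.113.7"):
        print(client, "->", "allow" if is_allowed(client) else "deny")
```

The rule admits every host on that LAN, so the /64 is the unit of trust, not the individual machine.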