
Router has a DynDNS function. I am using a reverse proxy for multiple services, but this only sets up router IP and IPv4 NAT port forwarding to the reverse proxy.

So what would be the correct setup with IPv6 when using privacy extensions?

I don't see any benefit in allowing IPv6 traffic or using IPv6, but a couple of new problems come up with it.



Privacy extensions are additional addresses that are used by default for outbound connections. You still have the non-privacy address, which doesn't change; put that one into DNS.

This approach prevents outbound connections from leaking the address needed to connect to your servers. On v4, it's likely that any outbound connection from your network gives the server the IP they need to do that.


My ISP changes the prefix on a regular basis (and on request).


> My ISP changes the prefix on a regular basis (and on request)

I found this was the case (with Telus) until I reconfigured the DHCPv6-PD client on my gateway, mainly to stop it from sending DHCPv6 Release messages and to have it explicitly request the prefix I was previously assigned.

OpenWRT in particular seemed to be built not to save any dhcp client state in non-volatile memory, resulting in a lot of unnecessary address and prefix churn when rebooting the router. I've had the same stable prefix for over a year now, using systemd-networkd with the following configuration (the important parts are SendRelease=no, RequestAddress= and PrefixDelegationHint=; the rest of the options are just insurance):

https://gist.github.com/dlitz/487d733140aa784559d73e4cd6f723...


So you'll never have a permanent unchanging v6 address to ID your traffic with.

Privacy extensions are orthogonal here; they only affect the suffix, not the prefix. As for dealing with a changing prefix... I'm afraid you'll just have to find some way to automate the DNS updates. You can do it with a program running on one of the servers -- I can't suggest a specific one offhand since I have a static prefix and haven't needed it, but they do exist.
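
An added example, not part of the thread: one way to pick the address such an updater should publish when the prefix changes, skipping privacy (temporary) addresses and the deprecated address left over from the old prefix. The sample `ip -6 -o addr` output, the interface name and the function names are constructed for illustration, and the DNS update call itself is left to whatever provider API is in use.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses, never published

# Constructed sample of `ip -6 -o addr show dev eth0` after a prefix change
# (2001:db8::/32 is the documentation range; all values are made up).
SAMPLE = r"""
2: eth0    inet6 2001:db8:bbbb:1:5c1e:9a0f:77d2:3b41/64 scope global temporary dynamic \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 2001:db8:bbbb:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 2001:db8:aaaa:1:211:22ff:fe33:4455/64 scope global deprecated dynamic mngtmpaddr \       valid_lft 3000sec preferred_lft 0sec
2: eth0    inet6 fd12:3456:789a:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 fe80::211:22ff:fe33:4455/64 scope link \       valid_lft forever preferred_lft forever
"""

def stable_addresses(ip_output):
    """Return non-temporary, non-deprecated global addresses from `ip -o` text."""
    found = []
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet6" not in fields or "scope" not in fields:
            continue
        flags = fields[fields.index("scope") + 1:]
        # Skip link-local, privacy (temporary), old-prefix and not-yet-usable addresses.
        if flags[0] != "global" or {"temporary", "deprecated", "tentative"} & set(flags):
            continue
        addr = ipaddress.ip_interface(fields[fields.index("inet6") + 1]).ip
        if addr not in ULA:
            found.append(addr)
    return found

def aaaa_update(current_aaaa, ip_output):
    """Return the address to publish, or None if the record is already right."""
    stable = stable_addresses(ip_output)
    if not stable or ipaddress.ip_address(current_aaaa) in stable:
        return None  # nothing usable yet, or DNS already points at a stable address
    return str(stable[0])

if __name__ == "__main__":
    # The AAAA record still carries the old prefix; the new stable address is returned.
    print(aaaa_update("2001:db8:aaaa:1:211:22ff:fe33:4455", SAMPLE))
```
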


How often does your IPv4 address actually change?


Never checked. But it does change once in a while. The router has a dyndns function which updates a DNS entry, but only for the router itself. But this is sufficient for the NAT port forwarding.


Ok, so most of the time you are trackable by your public IPv4. The situation is not much better.


Let's say when your IPv6 prefix changes it is almost the same situation. Only that IPv4 bundles all traffic of all devices on one IP, which obfuscates a bit.

But with the IPv6 prefix changing, you get a pile of problems (DNS, firewall) you don't have with IPv4.


The IPv6 prefix changes are disruptive, I agree. My prefix has been stable for a couple years, but on another ISP it would change every few months and was certainly annoying.



