Gert,
Gert Doering wrote:
I have just added an update to the "strict" filter list of my IPv6 filter list recommendations on http://www.space.net/~gert/RIPE/ipv6-filters.html
Thanks for the heads-up. Some comments:
ipv6 prefix-list ipv6-ebgp-strict permit 3ffe::/18 ge 24 le 24
ipv6 prefix-list ipv6-ebgp-strict permit 3ffe:4000::/18 ge 32 le 32
ipv6 prefix-list ipv6-ebgp-strict permit 3ffe:8000::/22 ge 28 le 28
This part is fine.
ipv6 prefix-list ipv6-ebgp-strict permit 2001:500::/32 ge 48 le 48
It would be interesting to have more refinement here. What I mean is that I would be open to allowing a /48 that contains a root server but not a /48 that serves an IXP. More details/specifics as to what is inside 2001:500::/32 would be appreciated.
ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 35 le 35
I think this could be refined too. The range where /35s were originally allocated from is much smaller than 2001::/16.
ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 24 le 32
This could also be refined. Not all of 2001::/16 has been delegated to RIRs. ARIN got a block, RIPE got a block, APNIC got a block, but there is still some undelegated space. The drawback of refining to that level is that it will inevitably induce a situation similar to 69/8 and will require maintenance, but the other side of that coin is that it would prevent people from hijacking prefixes from undelegated space. As an example (and please correct me if I'm wrong in the address I picked, because it's all from memory): if I hijack and announce 2001:FEED::/32, that would pass your filter, but this prefix can't be assigned to anybody now as it is not part of a larger block that has been delegated to a RIR, so it must be a hijack.

Michel.
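
The filter behaviour discussed in this message can be checked offline. The following is an added example, not part of the original e-mail or of Gert's page: a small evaluator for the `ge`/`le` semantics of the quoted prefix-list lines, run against the 2001:FEED::/32 case. The `REFINED` list and its three /23 blocks are assumptions made for the illustration and should be checked against the current IANA registry before use.

```python
import ipaddress

# Filter lines as quoted in the message above.
STRICT = """\
ipv6 prefix-list ipv6-ebgp-strict permit 3ffe::/18 ge 24 le 24
ipv6 prefix-list ipv6-ebgp-strict permit 3ffe:4000::/18 ge 32 le 32
ipv6 prefix-list ipv6-ebgp-strict permit 3ffe:8000::/22 ge 28 le 28
ipv6 prefix-list ipv6-ebgp-strict permit 2001:500::/32 ge 48 le 48
ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 35 le 35
ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 24 le 32
"""

# Assumption (not from the message): the last entry narrowed to three
# RIR-delegated /23 blocks. The list name "refined" is hypothetical.
REFINED = """\
ipv6 prefix-list refined permit 2001:200::/23 ge 24 le 32
ipv6 prefix-list refined permit 2001:400::/23 ge 24 le 32
ipv6 prefix-list refined permit 2001:600::/23 ge 24 le 32
"""

def parse(text):
    """Turn prefix-list lines into (action, network, min_len, max_len)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["ipv6", "prefix-list"]:
            continue
        action, net = tok[3], ipaddress.ip_network(tok[4])
        opts = dict(zip(tok[5::2], map(int, tok[6::2])))
        # No ge/le: exact length. ge only: up to /128. le only: from net length.
        lo = opts.get("ge", net.prefixlen)
        hi = opts.get("le", 128 if "ge" in opts else net.prefixlen)
        entries.append((action, net, lo, hi))
    return entries

def evaluate(entries, prefix):
    """First matching entry wins; no match means the implicit deny."""
    route = ipaddress.ip_network(prefix)
    for action, net, lo, hi in entries:
        if lo <= route.prefixlen <= hi and route.subnet_of(net):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample announcements; 2001:feed::/32 is the case from the message.
    for p in ("2001:feed::/32", "2001:600::/32", "2001:500:1::/48"):
        print(p, evaluate(parse(STRICT), p), evaluate(parse(REFINED), p))
```
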