On Wed, 1 May 2002, Pim van Pelt wrote:
> Regarding filtering on incoming and outgoing BGP updates, kindly note my opinion on the matter (which differs somewhat from Gert's slides at the ripe42 meeting). He had pasted UUNet UK's rules, but following the current RFC and policies from RIR and 6BONE, this might be more appropriate:
> ipv6 prefix-list strict seq 5 permit 3ffe::/17 ge 24 le 24
I believe this should be 3ffe::/18, not that it matters.
> ipv6 prefix-list strict seq 20 permit 2000::/3 ge 16 le 16
This gives away e.g. 2003::/16. Perhaps it's a good thing, for introducing new services.
> ipv6 prefix-list strict seq 25 permit 2001::/16 ge 29 le 35
I'd allow ge 24 or something, in case APNIC or such starts to give out bigger chunks. Note that 2001::/17 is enough for now [http://www.iana.org/assignments/ipv6-tla-assignments], but better prepare for the worst.
> ipv6 prefix-list strict seq 30 deny 2000::/3
I'd make the last rule deny ::/0, otherwise e.g. ::/96 or 5ffe::/16 goes through implicit deny.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
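Added example, not part of the original message: a small Python evaluator for the four quoted `strict` entries, showing which entry (if any) decides a given route. It assumes Cisco-style prefix-list semantics (first match wins, `ge`/`le` bound the route's prefix length, an entry without `ge`/`le` matches only its exact length, implicit deny at the end); the sample routes are the ones named in the replies plus a few constructed ones.

```python
import ipaddress

# The four entries quoted in the message: (seq, action, prefix, ge, le)
STRICT = [
    (5,  "permit", "3ffe::/17", 24, 24),
    (20, "permit", "2000::/3",  16, 16),
    (25, "permit", "2001::/16", 29, 35),
    (30, "deny",   "2000::/3",  None, None),
]

def evaluate(route, entries=STRICT):
    """Return (action, seq) of the first matching entry.

    seq is None when nothing matched and the implicit deny applied.
    """
    net = ipaddress.ip_network(route, strict=True)
    for seq, action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = base.prefixlen          # exact-length match only
        else:
            lo = ge if ge is not None else base.prefixlen
            hi = le if le is not None else 128
        # Route must sit inside the entry's prefix and have an allowed length.
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action, seq
    return "deny", None

# Constructed sample routes (not real announcements).
SAMPLES = [
    "3ffe:100::/24",   # 6bone /24 inside 3ffe::/17
    "2003::/16",       # the "gives away" case from the reply to seq 20
    "2001:600::/29",   # inside 2001::/16, length within 29..35
    "2001:600::/24",   # shorter than ge 29
    "2001:db8::/48",   # longer than le 35
    "2000::/3",        # the only route seq 30 matches as written
    "::/96",           # outside 2000::/3
    "5ffe::/16",       # outside 2000::/3
]

if __name__ == "__main__":
    for r in SAMPLES:
        action, seq = evaluate(r)
        via = f"seq {seq}" if seq is not None else "implicit deny"
        print(f"{r:16} {action:6} ({via})")
```

Only the exact route 2000::/3 is decided by seq 30; every other rejected sample is dropped by the implicit deny, so per-entry hit counters will not show it.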