IPv6 filtering in an ISP environment
Hi,

I'm looking for examples on what people have implemented as ingress filtering for IPv6 prefixes in a BGP environment.

I would like to get some sort of filter that will not require daily maintenance based on assigned prefixes by the RIR.

I'm leaning towards having some sort of filtering based on:

- Drop anything from bogon list
- Allow RIR PA space - between /12 - /35
- Allow RIR PI space between /32 - /48. (For instance for the RIPE 2001:67c::/32 & 2001:7f8::/32 parts)

So basically, a bit more strict filter than allow 2003::/3 and not having to update it daily with each assignment made :)

Also some insight in why you have selected to filter on a specific prefix length is very helpful.

Erik Bais
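The three rules proposed above, sketched as a prefix check. This is an added example, not code from any poster in the thread. The bogon list is a short constructed sample, the use of 2000::/3 as the outer bound for PA space is an assumption, and the sample announcements are constructed.

```python
import ipaddress

# Constructed sample of non-routable IPv6 space; a production filter would
# load a maintained bogon feed instead of this short hard-coded list.
BOGONS = [ipaddress.IPv6Network(p) for p in
          ("2001:db8::/32", "fc00::/7", "fe80::/10", "ff00::/8")]
# PI blocks named in the post, accepted at /32 through /48.
PI_BLOCKS = [ipaddress.IPv6Network(p) for p in
             ("2001:67c::/32", "2001:7f8::/32")]
PI_LEN = (32, 48)
# Assumption: PA space is everything else inside global unicast 2000::/3,
# accepted at /12 through /35.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
PA_LEN = (12, 35)


def check_prefix(prefix):
    """Return (verdict, reason) for one announced IPv6 prefix."""
    try:
        net = ipaddress.IPv6Network(prefix)  # strict: host bits must be zero
    except ValueError as exc:
        return ("reject", f"malformed prefix: {exc}")
    for bogon in BOGONS:
        if net.subnet_of(bogon):
            return ("reject", f"inside bogon {bogon}")
    for block in PI_BLOCKS:
        if net.subnet_of(block):
            ok = PI_LEN[0] <= net.prefixlen <= PI_LEN[1]
            return ("accept" if ok else "reject", f"PI /{net.prefixlen}")
    if net.subnet_of(GLOBAL_UNICAST):
        ok = PA_LEN[0] <= net.prefixlen <= PA_LEN[1]
        return ("accept" if ok else "reject", f"PA /{net.prefixlen}")
    return ("reject", "outside 2000::/3")


# Constructed announcements, not taken from any real routing table.
SAMPLE = ["2a00:1234::/32", "2a00:1234:5600::/40", "2001:67c:2e8::/48",
          "2001:67c:2e8:1::/64", "2001:db8:1::/48", "fd00:1::/48",
          "2a00:1234::1/32", "192.0.2.0/24"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, *check_prefix(p))
```

The PI blocks are tested before the PA rule because they sit inside 2000::/3 and would otherwise be cut off at /35.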
Hi,

On Wed, May 18, 2011 at 12:51:18PM +0200, Erik Bais wrote:
> I'm looking for examples on what people have implemented as ingress filtering for IPv6 prefixes in a BGP environment.

Packet filtering, or BGP filtering?

Gert Doering
-- NetMaster
--
did you enable IPv6 on something today...?

SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen, Tel: +49 (89) 32356-444
Management Board: Sebastian v. Bomhard; Supervisory Board Chair: A. Grundner-Culemann; HRB: 136055 (AG Muenchen); VAT ID: DE813185279
Hi,

On Wed, May 18, 2011 at 01:42:12PM +0200, Erik Bais wrote:
> > Packet filtering, or BGP filtering?
>
> BGP prefix filtering.

I have started to write down some recommendations, plus some discussion that goes with it...

http://www.space.net/~gert/RIPE/ipv6-filters.html

... it doesn't reflect the outcome of the "how much deaggregation does the operator community permit?" discussion in the routing WG yet (mainly because I don't think there *is* any consensus yet), but it's at least something to get your thoughts started.

<strong> Do not use these as-is without adaption to your local policies </>

(PS: if I have missed any new netblocks that have different allocation rules, please let me know)

Gert Doering
-- NetMaster
On Wed, 18 May 2011, Gert Doering wrote:
> http://www.space.net/~gert/RIPE/ipv6-filters.html ...
> <strong> Do not use these as-is without adaption to your local policies </>
>
> (PS: if I have missed any new netblocks that have different allocation rules, please let me know)

JunOS strict filter does not work. Longest prefix matching semantics of filters differs from Cisco. The 5 more specific ranges of 2001::/32 are rejected. Those need to be put in a separate term as a workaround.

--
Pekka Savola, Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds." -- George R.R. Martin: A Clash of Kings
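A simplified model of the difference described in the message above, added here as an example; it is not the filter from the linked page or any poster's configuration. It contrasts a sequential permit list (as with Cisco prefix-lists) with longest-match route-filter evaluation inside a single JunOS policy term, and then models the separate-term workaround. The entries and their length ranges are constructed for illustration.

```python
import ipaddress

def hit(route, entry):
    """True if route is inside the entry's prefix and its length is in range."""
    prefix, lo, hi = entry
    return route.subnet_of(ipaddress.ip_network(prefix)) and lo <= route.prefixlen <= hi

def sequential(route, entries):
    """Ordered permit list with implicit deny: the first matching entry permits;
    an entry whose length range fails is skipped."""
    route = ipaddress.ip_network(route)
    return any(hit(route, e) for e in entries)

def longest_match_term(route, entries):
    """One term holding several route filters: only the filter with the longest
    covering prefix is consulted; if its length range fails, the term fails."""
    route = ipaddress.ip_network(route)
    covering = [e for e in entries
                if route.subnet_of(ipaddress.ip_network(e[0]))]
    if not covering:
        return False
    best = max(covering, key=lambda e: ipaddress.ip_network(e[0]).prefixlen)
    return hit(route, best)

def separate_terms(route, terms):
    """The workaround: each term is evaluated on its own, in order."""
    return any(longest_match_term(route, t) for t in terms)

# Constructed entries (prefix, min length, max length); the length range on
# the more-specific entry is hypothetical, chosen to expose the difference.
BROAD = ("2000::/3", 12, 35)
SPECIFIC = ("2001:67c::/32", 40, 48)
ROUTES = ["2001:67c::/32", "2001:67c:2e8::/48", "2a00:1234::/32"]

def compare(routes=ROUTES):
    """Map each route to (sequential, single term, separate terms)."""
    return {r: (sequential(r, [SPECIFIC, BROAD]),
                longest_match_term(r, [SPECIFIC, BROAD]),
                separate_terms(r, [[SPECIFIC], [BROAD]]))
            for r in routes}

if __name__ == "__main__":
    for route, verdicts in compare().items():
        print(route, verdicts)
```

Only the first route diverges: in the single-term model the more-specific filter captures it and fails on length, so the broad entry is never consulted.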
Erik,

I'm also looking for some - let's call them best practices. At the moment we run a filter that allows PA+PI space up to a /48 - so a single combined filter.

Kind regards,
Jasper Jans
Team Cymru does a nice job of keeping an updated bogon list... it's on you to keep pulling it though to keep your local policy accurate. You can get it in a variety of formats as well:

http://www.team-cymru.org/Services/Bogons/

They also maintain base filter templates:

http://www.team-cymru.org/ReadingRoom/Templates/IPv6Routers/

--Heather

On Wed, May 18, 2011 at 6:51 AM, Erik Bais <ebais@a2b-internet.com> wrote:
> Hi,
>
> I’m looking for examples on what people have implemented as ingress filtering for IPv6 prefixes in a BGP environment.
>
> I would like to get some sort of filter that will not require daily maintenance based on assigned prefixes by the RIR.
>
> I’m leaning towards having some sort of filtering based on:
>
> - Drop anything from bogon list
> - Allow RIR PA space – between /12 - /35
> - Allow RIR PI space between /32 - /48. (For instance for the RIPE 2001:67c::/32 & 2001:7f8::/32 parts)
>
> So basically, a bit more strict filter than allow 2003::/3 and not having to update it daily with each assignment made :)
>
> Also some insight in why you have selected to filter on a specific prefix length is very helpful.
>
> Erik Bais
participants (5)
- Erik Bais
- Gert Doering
- Heather Schiller
- Jasper Jans
- Pekka Savola