Regarding IPv6 prefix filtering
Hi,

Regarding filtering on incoming and outgoing BGP updates, kindly note my opinion on the matter (which differs somewhat from Gert's slides at the ripe42 meeting). He had pasted UUNet UK's rules, but following the current RFC and policies from RIR and 6BONE, this might be more appropriate:

ipv6 prefix-list strict seq 5 permit 3ffe::/17 ge 24 le 24
ipv6 prefix-list strict seq 10 permit 3ffe:8000::/17 ge 28 le 28
ipv6 prefix-list strict seq 15 permit 3ffe:4000::/18 ge 32 le 32
ipv6 prefix-list strict seq 20 permit 2000::/3 ge 16 le 16
ipv6 prefix-list strict seq 25 permit 2001::/16 ge 29 le 35
ipv6 prefix-list strict seq 27 permit 2002::/16
ipv6 prefix-list strict seq 30 deny 2000::/3

This might clean up some of the broken elements in the current global routing tables.

Regarding the informational aspect, looking at the project I am forming and briefly presented at the ripe42 meeting, perhaps this project can contribute to some form in the RIPE region education of LIRs. Any participation from the ISP and operators level is kindly requested and more information about this project can be found in the presentation slides numbered 3 and up, and the presentation is at: http://www.sixxs.net/presentation/ipv6-ripe42.htm

</spam> ;-)

groet,
Pim

--
---------- - - - - -+- - - - - ----------
Pim van Pelt Email: pim@ipng.nl
http://www.ipng.nl/ IPv6 Deployment
-----------------------------------------------
On Wed, 1 May 2002, Pim van Pelt wrote:
Regarding filtering on incoming and outgoing BGP updates, kindly note my opinion on the matter (which differs somewhat from Gert's slides at the ripe42 meeting). He had pasted UUNet UK's rules, but following the current RFC and policies from RIR and 6BONE, this might be more appropriate:
ipv6 prefix-list strict seq 5 permit 3ffe::/17 ge 24 le 24
I believe this should be 3ffe::/18, not that it matters.
ipv6 prefix-list strict seq 20 permit 2000::/3 ge 16 le 16
This gives away e.g. 2003::/16. Perhaps it's a good thing, for introducing new services.
ipv6 prefix-list strict seq 25 permit 2001::/16 ge 29 le 35
I'd allow ge 24 or something, in case APNIC or such starts to give out bigger chunks. Note that 2001::/17 is enough for now [http://www.iana.org/assignments/ipv6-tla-assignments], but better prepare for the worst.
ipv6 prefix-list strict seq 30 deny 2000::/3
I'd make the last rule deny ::/0, otherwise e.g. ::/96 or 5ffe::/16 goes through implicit deny.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
hi,

On Wed, May 01, 2002 at 07:11:17PM +0300, Pekka Savola wrote:
ipv6 prefix-list strict seq 25 permit 2001::/16 ge 29 le 35
I'd allow ge 24 or something, in case APNIC or such starts to give out bigger chunks.
The new policy that we decided yesterday has a default /32, and "bigger chunks if you can show a network plan that warrants this". I'm unsure whether anybody can warrant a /28 or bigger *today* :-)

(But of course, this "filter list recommendation" would have to be updated continually)

Gert Doering
        -- NetMaster
--
Total number of prefixes smaller than registry allocations: 47584 (44543)

SpaceNet AG                 Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14   Tel : +49-89-32356-0
80807 Muenchen              Fax : +49-89-32356-299
Hi,

On Wed, May 01, 2002 at 05:55:39PM +0200, Pim van Pelt wrote:
Regarding filtering on incoming and outgoing BGP updates, kindly note my opinion on the matter (which differs somewhat from Gert's slides at the ripe42 meeting). He had pasted UUNet UK's rules, but following the current RFC and policies from RIR and 6BONE, this might be more appropriate:
Thanks for your input. I will try to collect some filters, and put them (with comments "this does permit ...", and "this is very restrictive") somewhere public.
ipv6 prefix-list strict seq 5 permit 3ffe::/17 ge 24 le 24
ipv6 prefix-list strict seq 10 permit 3ffe:8000::/17 ge 28 le 28
ipv6 prefix-list strict seq 15 permit 3ffe:4000::/18 ge 32 le 32
ipv6 prefix-list strict seq 20 permit 2000::/3 ge 16 le 16
I'm not sure about this one...? What is it doing?
ipv6 prefix-list strict seq 25 permit 2001::/16 ge 29 le 35
ipv6 prefix-list strict seq 27 permit 2002::/16
ipv6 prefix-list strict seq 30 deny 2000::/3
Your list is already very strict. As we have discussed yesterday, it might be desirable (until there is a better solution for multihoming) to explicitly permit prefixes up to a /48. This could be done "for your own region only", or "for all regions", depending on RAM and policy.
This might clean up some of the broken elements in the current global routing tables. Regarding the informational aspect, looking at the project I am forming and briefly presented at the ripe42 meeting, perhaps this project can contribute to some form in the RIPE region education of LIRs.
Yes.

regards,

Gert Doering
        -- NetMaster
--
Total number of prefixes smaller than registry allocations: 47584 (44543)

SpaceNet AG                 Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14   Tel : +49-89-32356-0
80807 Muenchen              Fax : +49-89-32356-299
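The first-match behaviour the thread debates (what seq 20 lets through, and which routes only fall to the implicit deny), as an added example that is not part of any poster's message: a small Python evaluator for the list as posted. It assumes the usual IOS prefix-list semantics (an entry without ge/le matches only its exact prefix length; a route matching no entry is denied implicitly); the function names and sample routes are constructed for illustration.

```python
import ipaddress

# The list exactly as posted in the thread.
PREFIX_LIST = """\
ipv6 prefix-list strict seq 5 permit 3ffe::/17 ge 24 le 24
ipv6 prefix-list strict seq 10 permit 3ffe:8000::/17 ge 28 le 28
ipv6 prefix-list strict seq 15 permit 3ffe:4000::/18 ge 32 le 32
ipv6 prefix-list strict seq 20 permit 2000::/3 ge 16 le 16
ipv6 prefix-list strict seq 25 permit 2001::/16 ge 29 le 35
ipv6 prefix-list strict seq 27 permit 2002::/16
ipv6 prefix-list strict seq 30 deny 2000::/3
"""

def parse(text):
    """Return entries as (seq, action, network, min_len, max_len), by seq."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["ipv6", "prefix-list"]:
            continue
        seq, action = int(tok[4]), tok[5]
        net = ipaddress.IPv6Network(tok[6])
        opts = dict(zip(tok[7::2], map(int, tok[8::2])))
        ge, le = opts.get("ge"), opts.get("le")
        if ge is None and le is None:
            lo = hi = net.prefixlen          # exact-length match only
        else:
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else 128
        entries.append((seq, action, net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries, route):
    """First matching entry wins; seq None means the implicit deny."""
    r = ipaddress.IPv6Network(route)
    for seq, action, net, lo, hi in entries:
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action, seq
    return "deny", None

ENTRIES = parse(PREFIX_LIST)

if __name__ == "__main__":
    # Constructed sample routes, including the cases raised in the replies.
    for route in ["3ffe:100::/24", "3ffe:4100::/24", "2003::/16",
                  "2001:db8::/32", "2001:db8:1::/48", "5ffe::/16", "::/96"]:
        print(f"{route:18} -> {evaluate(ENTRIES, route)}")
```

Under these semantics seq 30 only catches the literal 2000::/3 route; longer prefixes such as the /48 above are dropped by the implicit deny instead.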
Participants (3): Gert Doering, Pekka Savola, Pim van Pelt