I don't know why this just hit me, but it did.
In IPv4, you're supposed to route all of the private IP address ranges to something like 0.0.0.0 so they don't appear in Internet traffic.
I would assume that the best practice is to route an unused range like 2001:db8::/32 to ::/0?
Which other networks should be added to the list of networks that shouldn't be routed?
Well, that is the documentation prefix, used obviously in documentation. You want to use ULA space if you want non-routed non-global space behind a firewall. There is an ongoing thread on NANOG about this matter.
I don't want to use the documentation prefix to carry traffic... I just want to make sure that it doesn't get past my firewall/router.
If Linux, you can use ip -6 route blackhole, or route it to loopback, or similar.
I routed it to the loopback, thanks
Are there other subnets that I shouldn't let get out of my network?
3ffe obviously, and we keep a list of bogon space that is currently announced and shouldn't be at http://bgp.he.net/report/bogons#_bogonsv6pfx
Although if you only source from your globally routed and allocated space, and never use bogons, etc., you shouldn't have this issue.
Another useful bogon reference is:
http://www.team-cymru.org/Services/Bogons/
Much more there as well...
regards
lukec
Yikes...there's quite a few bogons for IPv6
In my setup, I don't really care where it's routed - because I block it in my firewall.
Since I'm lazy I just added the following to my 2621xm router that acts as my edge device:
ipv6 route 2001:DB8::/32 Null0
ipv6 route FC00::/7 Null0
Trying to filter the massive list of IPv6 full bogons just isn't practical on a small router IMO. I figure it can't hurt too much to just throw everything else at HE's gateway and let them figure it out from there. It's also probably a good idea to add the following to any internet facing IPv6 enabled Cisco router:
no ipv6 source-route
It keeps people from using your router to perform certain types of IP spoofing.
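As an added example (not code from anyone in this thread), the following Python script puts the prefixes named above (2001:db8::/32, fc00::/7, 3ffe::/16) together with the well-known special-use prefixes into a small static filter, checks constructed sample flows against it, and emits the matching Cisco IOS Null0 and Linux blackhole routes. The sample flows and the site prefix used in the spoof check are constructed values, and the list is deliberately the short static part of the bogon space, not the full, changing lists that bgp.he.net and Team Cymru publish.

```python
import ipaddress

# Prefixes that should never be seen as a source or destination on the
# Internet-facing interface. The first three are the ones named in the thread
# (documentation prefix, ULA, retired 6bone); the rest are the well-known
# special-use prefixes from RFC 4291. This is deliberately a short, static
# list: the full bogon lists published by bgp.he.net and Team Cymru also cover
# unallocated global unicast space and change over time.
NON_ROUTABLE = [
    ("2001:db8::/32", "documentation prefix (RFC 3849)"),
    ("fc00::/7", "unique local addresses (RFC 4193)"),
    ("3ffe::/16", "6bone, retired (RFC 3701)"),
    ("::/128", "unspecified address"),
    ("::1/128", "loopback"),
    ("fe80::/10", "link-local"),
    ("::ffff:0:0/96", "IPv4-mapped"),
]
NON_ROUTABLE_NETS = [(ipaddress.IPv6Network(p), why) for p, why in NON_ROUTABLE]

# Prefixes worth a static null route on the edge router. Loopback, link-local
# and the unspecified address are handled by the host stack itself, so only
# the ones a router would otherwise forward upstream are listed.
NULL_ROUTE = ["2001:db8::/32", "fc00::/7", "3ffe::/16", "::ffff:0:0/96"]


def bogon_reason(addr):
    """Return why the address is non-routable, or None if it looks globally routable."""
    ip = ipaddress.IPv6Address(addr)
    for net, why in NON_ROUTABLE_NETS:
        if ip in net:
            return why
    return None


def is_bogon(addr):
    return bogon_reason(addr) is not None


def is_spoofed_source(src, site_prefix):
    """True if a packet leaving the site carries a source address that is not
    from the site's own allocated prefix (the "only source from your allocated
    space" rule in the thread, i.e. BCP 38 style egress filtering)."""
    return ipaddress.IPv6Address(src) not in ipaddress.IPv6Network(site_prefix)


def edge_verdict(src, dst):
    """Decide what the edge filter should do with a packet: ('drop', reason)
    if either end is non-routable, else ('forward', None)."""
    for label, addr in (("src", src), ("dst", dst)):
        why = bogon_reason(addr)
        if why is not None:
            return "drop", "%s %s is %s" % (label, addr, why)
    return "forward", None


def cisco_null_routes(prefixes=NULL_ROUTE):
    """IOS static routes to Null0, one per prefix (same form as in the thread)."""
    return ["ipv6 route %s Null0" % p for p in prefixes]


def linux_blackhole_routes(prefixes=NULL_ROUTE):
    """Equivalent iproute2 blackhole routes for a Linux edge box."""
    return ["ip -6 route add blackhole %s" % p for p in prefixes]


# Constructed sample flows, not captured traffic. The "global" addresses are
# public DNS resolvers, used only as something that is not in the list above.
SAMPLE_FLOWS = [
    ("2001:db8::1", "2001:4860:4860::8888"),
    ("fd12:3456:789a::1", "2001:4860:4860::8888"),
    ("2001:4860:4860::8888", "3ffe:1::1"),
    ("2606:4700:4700::1111", "2001:4860:4860::8888"),
]


def audit_flows(flows=SAMPLE_FLOWS):
    """Run every flow through the edge filter; returns [(src, dst, action, reason)]."""
    return [(s, d) + edge_verdict(s, d) for s, d in flows]


if __name__ == "__main__":
    for row in audit_flows():
        print(row)
    print("\n".join(cisco_null_routes()))
    print("\n".join(linux_blackhole_routes()))
```

The Null0 lines only stop the router from forwarding those prefixes upstream; the firewall rule on the inside interface is still what keeps a host from sourcing them in the first place, which is what is_spoofed_source checks.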