Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: cholzhauer on April 29, 2014, 09:55:50 AM

Title: Routes to block on your IPv6 router
Post by: cholzhauer on April 29, 2014, 09:55:50 AM
A few years ago I had posted asking which address ranges shouldn't be forwarded out of your network to the Internet.  Unfortunately I'm unable to find that post to update it, so I'll just start a new one with the latest information.

From http://www.team-cymru.org/ReadingRoom/Templates/IPv6Routers/xsp-recommendations.html

Quote
[2] Reject the packets which contain following special-use prefix in the source address field.

- IETF reserved Address (formerly IPv4-compatible IPv6 Address) : ::/96
- Loop back Address : ::1/128
- IPv4-mapped IPv6 Address : ::ffff:0:0/96
- Discard-Only Address : 100::/64
- TEREDO Address : 2001::/32
- Benchmarking Address : 2001:2::/48
- ORCHID Address : 2001:10::/28
- Documentation Address : 2001:db8::/32
- Unique-local Address : fc00::/7
- IETF reserved Address (formerly Site-local Address) : fec0::/10
- Multicast Address : ff00::/8

Title: Re: Routes to block on your IPv6 router
Post by: snarked on April 29, 2014, 12:03:42 PM
::0 shouldn't be forwarded onto The Internet either.  However, it may need different handling within the local network than ::/96, especially for machines autoconfiguring via bootpd.

::1 should be intercepted by the local interface and thus doesn't need special handling (beyond that of ::/96).

Some multicast addresses MAY be forwarded onto The Internet for multicasted services (greater than "site local").

Title: Re: Routes to block on your IPv6 router
Post by: broquea on April 29, 2014, 12:11:09 PM
Interesting they list Teredo, and not 6to4 at the same time.

Title: Re: Routes to block on your IPv6 router
Post by: snarked on April 30, 2014, 12:38:51 PM
Also, thinking about this a bit more, some addresses may be valid as a destination but not as a source.  Although the OP did say "source address," this needs to be stressed, as well as this belongs only on gateways, not blocking internal to a network.

Title: Re: Routes to block on your IPv6 router
Post by: cholzhauer on May 01, 2014, 05:39:18 AM
Quote
Also, thinking about this a bit more, some addresses may be valid as a destination but not as a source.  Although the OP did say "source address," this needs to be stressed, as well as this belongs only on gateways, not blocking internal to a network.

I suppose that depends on how you have your network set up.  In my case, the router hosting my tunnel is only touched if traffic is heading out of the organization; there's an 'internal' router that routes between VLANs.  I don't want to route garbage packets to the Internet, so for me I'd block all of these at the router.  The link has another section of what should be blocked as a destination.
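
Added example, not part of any post in this thread and not Team Cymru's code: a Python sketch of the source-address check that the list quoted in the first post describes, using longest-prefix match so that ::1 is reported as loopback rather than as ::/96. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Source prefixes to reject at the border, copied from the list quoted in the
# first post. 6to4 (2002::/16) is absent because that list does not include it.
REJECT_SOURCE = {
    "::/96": "IETF reserved (formerly IPv4-compatible)",
    "::1/128": "Loopback",
    "::ffff:0:0/96": "IPv4-mapped",
    "100::/64": "Discard-only",
    "2001::/32": "Teredo",
    "2001:2::/48": "Benchmarking",
    "2001:10::/28": "ORCHID",
    "2001:db8::/32": "Documentation",
    "fc00::/7": "Unique-local",
    "fec0::/10": "IETF reserved (formerly site-local)",
    "ff00::/8": "Multicast",
}
# Longest prefix first, so ::1 reports as loopback rather than ::/96.
_NETS = sorted(((ipaddress.IPv6Network(p), d) for p, d in REJECT_SOURCE.items()),
               key=lambda n: n[0].prefixlen, reverse=True)

def match_source(addr):
    """Return (prefix, label) for the most specific listed prefix, else None."""
    ip = ipaddress.IPv6Address(addr)
    for net, label in _NETS:
        if ip in net:
            return str(net), label
    return None

def filter_egress(packets):
    """Split (src, dst) pairs into (forwarded, dropped) by source address only."""
    forwarded, dropped = [], []
    for src, dst in packets:
        hit = match_source(src)
        (dropped if hit else forwarded).append((src, dst, hit))
    return forwarded, dropped

SAMPLE = [  # constructed (source, destination) pairs
    ("2001:470:1f0e:abc::2", "2001:470:1f0f:def::9"),  # global unicast source
    ("fd12:3456:789a::5", "2001:470:1f0f:def::9"),     # unique-local source
    ("::1", "2001:470:1f0f:def::9"),                   # loopback as source
    ("2002:c000:204::1", "2001:470:1f0f:def::9"),      # 6to4: not on the list
    ("2001:470:1f0e:abc::2", "ff0e::101"),             # multicast destination only
]

if __name__ == "__main__":
    for verdict, rows in zip(("PASS", "DROP"), filter_egress(SAMPLE)):
        for src, dst, hit in rows:
            print(verdict, src, "->", dst, hit or "")
```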