Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Routing of 2001:db8::/32  (Read 7428 times)

cholzhauer

  • Hero Member
  • *****
  • Posts: 2737
Routing of 2001:db8::/32
« on: November 02, 2010, 11:03:15 AM »

I don't know why this just hit me, but it did.

In IPv4, you're supposed to route all of the private IP address ranges to something like 0.0.0.0 so they don't appear in Internet traffic.

I would assume that the best practice is to route an unused range like 2001:db8::/32 to ::/0?

Which other networks should be added to the list of networks that shouldn't be routed?
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1736
Re: Routing of 2001:db8::/32
« Reply #1 on: November 02, 2010, 11:17:27 AM »

Well, that is the documentation prefix, used obviously in documentation. You want to use ULA space if you want non-routed non-global space behind a firewall. There is an ongoing thread on NANOG about this matter.
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2737
Re: Routing of 2001:db8::/32
« Reply #2 on: November 02, 2010, 11:21:03 AM »

I don't want to use the documentation prefix to carry traffic...I just want to make sure that it doesn't get past my firewall/router.
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1736
Re: Routing of 2001:db8::/32
« Reply #3 on: November 02, 2010, 11:24:00 AM »

If Linux, you can use ip -6 route blackhole, or to loopback, or similar.
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2737
Re: Routing of 2001:db8::/32
« Reply #4 on: November 02, 2010, 11:28:57 AM »

I routed it to the loopback, thanks.

Are there other subnets that I shouldn't let get out of my network?
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • *****
  • Posts: 1736
Re: Routing of 2001:db8::/32
« Reply #5 on: November 02, 2010, 11:40:24 AM »

3ffe obviously, and we keep a list of bogon space that is currently announced and shouldn't be at http://bgp.he.net/report/bogons#_bogonsv6pfx
Although if you only source from your globally routed and allocated space, and never use bogons, etc., you shouldn't have this issue.
Logged

lukec

  • Jr. Member
  • **
  • Posts: 65
Re: Routing of 2001:db8::/32
« Reply #6 on: November 02, 2010, 03:31:51 PM »

Another useful bogon reference is:
http://www.team-cymru.org/Services/Bogons/
Much more there as well...
regards
lukec
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2737
Re: Routing of 2001:db8::/32
« Reply #7 on: November 02, 2010, 03:36:40 PM »

Yikes...there's quite a few bogons for IPv6
Logged

snarked

  • Hero Member
  • *****
  • Posts: 778
Re: Routing of 2001:db8::/32
« Reply #8 on: November 03, 2010, 11:10:13 AM »

In my setup, I don't really care where it's routed - because I block it in my firewall.
Logged

antillie

  • Full Member
  • ***
  • Posts: 104
Re: Routing of 2001:db8::/32
« Reply #9 on: November 12, 2010, 11:45:52 AM »

Since I'm lazy I just added the following to my 2621xm router that acts as my edge device:

Code:
ipv6 route 2001:DB8::/32 Null0
ipv6 route FC00::/7 Null0

Trying to filter the massive list of IPv6 full bogons just isn't practical on a small router IMO. I figure it can't hurt too much to just throw everything else at HE's gateway and let them figure it out from there. It's also probably a good idea to add the following to any internet facing IPv6 enabled Cisco router:

Code:
no ipv6 source-route

It keeps people from using your router to perform certain types of IP spoofing.
Logged
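
Added example, not part of any post in this thread: a Python script that renders the discard routes discussed above (the Linux blackhole form and the Cisco Null0 form) from one prefix list, then audits egress flow records for addresses inside those prefixes. The log format, sample addresses and function names are constructed for illustration, and the /16 length for 3ffe is filled in here.

```python
import ipaddress
import re

# Prefixes named in the thread. 3ffe::/16 is the retired 6bone range;
# the thread only says "3ffe", so the /16 length is filled in here.
NEVER_ROUTE = [ipaddress.ip_network(p)
               for p in ("2001:db8::/32", "fc00::/7", "3ffe::/16")]

def null_routes(platform):
    """Render one discard route per prefix for 'linux' or 'cisco'."""
    if platform == "linux":
        return [f"ip -6 route add blackhole {n}" for n in NEVER_ROUTE]
    if platform == "cisco":
        return [f"ipv6 route {str(n).upper()} Null0" for n in NEVER_ROUTE]
    raise ValueError(f"unknown platform: {platform}")

def blocked_prefix(addr):
    """Return the never-route prefix containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in NEVER_ROUTE if ip in n), None)

FLOW = re.compile(r"src=(\S+) dst=(\S+)")  # hypothetical log format

def audit_egress(lines):
    """Return (line_no, field, addr, prefix) for every leak in the log."""
    leaks = []
    for no, line in enumerate(lines, 1):
        m = FLOW.search(line)
        if not m:
            continue
        for field, addr in zip(("src", "dst"), m.groups()):
            try:
                hit = blocked_prefix(addr)
            except ValueError:  # field is not an IP address; skip it
                continue
            if hit:
                leaks.append((no, field, addr, str(hit)))
    return leaks

# Constructed sample of egress flow records; all addresses are made up.
SAMPLE = [
    "egress src=2001:470:abcd:1::10 dst=2001:470:abcd:2::20",
    "egress src=fd12:3456:789a:1::5 dst=2001:470:abcd:2::20",
    "egress src=2001:470:abcd:1::10 dst=2001:db8:ffff::1",
    "egress src=2001:470:abcd:1::11 dst=3ffe:1900:4545:3::1",
]

if __name__ == "__main__":
    print("\n".join(null_routes("linux") + null_routes("cisco")))
    for leak in audit_egress(SAMPLE):
        print("leak:", leak)
```

A ULA source showing up on the egress side, as in the second sample record, points to a missing source-address filter, which a discard route alone does not catch because routing decisions are made on the destination.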