• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Routing of 2001:db8::/32

Started by cholzhauer, November 02, 2010, 11:03:15 AM


cholzhauer

I don't know why this just hit me, but it did.

In IPv4, you're supposed to route all of the private IP address ranges to something like 0.0.0.0 so they don't appear in Internet traffic.

I would assume that the best practice is to route an unused range like 2001:db8::/32 to ::/0?

Which other networks should be added to the list of networks that shouldn't be routed?

broquea

Well, that is the documentation prefix, used obviously in documentation. You want to use ULA space if you want non-routed non-global space behind a firewall. There is an ongoing thread on NANOG about this matter.

cholzhauer

I don't want to use the documentation prefix to carry traffic...I just want to make sure that it doesn't get past my firewall/router.

broquea

If Linux, can use ip -6 route blackhole, or to loopback, or similar.

cholzhauer

I routed it to the loopback, thanks.

Are there other subnets that I shouldn't let get out of my network?

broquea

3ffe obviously, and we keep a list of bogon space that is currently announced and shouldn't be at http://bgp.he.net/report/bogons#_bogonsv6pfx
Although if you only source from your globally routed and allocated space, and never use bogons, etc., you shouldn't have this issue.

lukec

Another useful bogon reference is:
http://www.team-cymru.org/Services/Bogons/
Much more there as well...
regards
lukec

cholzhauer

Yikes...there's quite a few bogons for IPv6

snarked

In my setup, I don't really care where it's routed - because I block it in my firewall.

antillie

Since I'm lazy I just added the following to my 2621xm router that acts as my edge device:

ipv6 route 2001:DB8::/32 Null0
ipv6 route FC00::/7 Null0


Trying to filter the massive list of IPv6 full bogons just isn't practical on a small router IMO. I figure it can't hurt too much to just throw everything else at HE's gateway and let them figure it out from there. It's also probably a good idea to add the following to any internet facing IPv6 enabled Cisco router:

no ipv6 source-route

It keeps people from using your router to perform certain types of IP spoofing.
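
A Linux counterpart to the Null0 routes and the ip -6 route blackhole suggestion in this thread, as an added example that is not part of any poster's message. The function names and the --apply/--check switches are assumptions made for this sketch; the prefix list is limited to the three prefixes named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): blackhole the prefixes the thread names
# so traffic to them is dropped locally instead of following the default route.
# Longest-prefix match still wins, so a more specific connected ULA subnet
# (e.g. a /64 inside fc00::/7) keeps working after fc00::/7 is blackholed.
BLACKHOLE_PREFIXES="2001:db8::/32 fc00::/7 3ffe::/16"

# Print one idempotent "ip -6 route replace" command per prefix (dry run).
blackhole_commands() {
    for prefix in $BLACKHOLE_PREFIXES; do
        echo "ip -6 route replace blackhole $prefix"
    done
}

# Read "ip -6 route show type blackhole" output on stdin and print every
# prefix from the list that has no blackhole route yet.
missing_blackholes() {
    have=$(awk '$1 == "blackhole" { print $2 }')
    for prefix in $BLACKHOLE_PREFIXES; do
        echo "$have" | grep -qxF "$prefix" || echo "$prefix"
    done
}

case "${1:-}" in
    --apply) blackhole_commands | sh ;;                              # needs root
    --check) ip -6 route show type blackhole | missing_blackholes ;; # audit only
    *)       blackhole_commands ;;                                   # default: dry run
esac
```

Run with no arguments to see the commands, with --check to list prefixes that are still unprotected, and with --apply as root to install the routes.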