Hurricane Electric's IPv6 Tunnel Broker Forums

Routes to block on your IPv6 router

Started by cholzhauer, April 29, 2014, 09:55:50 AM


cholzhauer

A few years ago I had posted asking which address ranges shouldn't be forwarded out of your network to the Internet.  Unfortunately I'm unable to find that post to update it, so I'll just start a new one with the latest information.

From http://www.team-cymru.org/ReadingRoom/Templates/IPv6Routers/xsp-recommendations.html

Quote
[2] Reject the packets which contain following special-use
    prefix in the source address field.

    - IETF reserved Address (formerly IPv4-compatible IPv6 Address) : ::/96
    - Loop back Address                                              : ::1/128
    - IPv4-mapped IPv6 Address                                       : ::ffff:0:0/96
    - Discard-Only Address                                           : 100::/64
    - TEREDO Address                                                 : 2001::/32
    - Benchmarking Address                                           : 2001:2::/48
    - ORCHID Address                                                 : 2001:10::/28
    - Documentation Address                                          : 2001:db8::/32
    - Unique-local Address                                           : fc00::/7
    - IETF reserved Address (formerly Site-local Address)            : fec0::/10
    - Multicast Address                                              : ff00::/8

snarked

::0 shouldn't be forwarded onto The Internet either.  However, it may need different handling within the local network than ::/96, especially for machines autoconfiguring via bootpd.

::1 should be intercepted by the local interface and thus doesn't need special handling (beyond that of ::/96).

Some multicast addresses MAY be forwarded onto The Internet for multicasted services (greater than "site local").

broquea

Interesting they list Teredo, and not 6to4 at the same time.

snarked

Also, thinking about this a bit more, some addresses may be valid as a destination but not as a source.  Although the OP did say "source address," this needs to be stressed, as well as this belongs only on gateways, not blocking internal to a network.

cholzhauer

Quote from: snarked on April 30, 2014, 12:38:51 PM
Also, thinking about this a bit more, some addresses may be valid as a destination but not as a source.  Although the OP did say "source address," this needs to be stressed, as well as this belongs only on gateways, not blocking internal to a network.

I suppose that depends on how you have your network set up.  In my case, the router hosting my tunnel is only touched if traffic is heading out of the organization; there's an 'internal' router that routes between VLANs.  I don't want to route garbage packets to the Internet, so for me I'd block all of these at the router.  The link has another section of what should be blocked as a destination.
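An added example, not code from the thread or from the Team Cymru page: a small Python egress filter that applies the quoted prefix list to the source address only (the point snarked raises about destinations), and a check for entries already covered by a shorter prefix in the same list (::1/128 inside ::/96). The sample flows, including the destination addresses, are constructed.

```python
import ipaddress

# Prefixes and labels as quoted from the Team Cymru list in the first post.
SPECIAL_USE_SOURCE_PREFIXES = [
    ("::/96", "IETF reserved (formerly IPv4-compatible)"),
    ("::1/128", "Loopback"),
    ("::ffff:0:0/96", "IPv4-mapped"),
    ("100::/64", "Discard-Only"),
    ("2001::/32", "Teredo"),
    ("2001:2::/48", "Benchmarking"),
    ("2001:10::/28", "ORCHID"),
    ("2001:db8::/32", "Documentation"),
    ("fc00::/7", "Unique-local"),
    ("fec0::/10", "IETF reserved (formerly Site-local)"),
    ("ff00::/8", "Multicast"),
]
_NETS = [(ipaddress.IPv6Network(p), label) for p, label in SPECIAL_USE_SOURCE_PREFIXES]


def match_special_use(addr):
    """Labels of every listed prefix that contains addr (empty list if none)."""
    ip = ipaddress.IPv6Address(addr)
    return [label for net, label in _NETS if ip in net]


def redundant_prefixes():
    """Entries already covered by a shorter prefix in the same list, e.g.
    ::1/128 needs no rule of its own once ::/96 is rejected."""
    return [str(a) for a, _ in _NETS
            if any(a != b and a.subnet_of(b) for b, _ in _NETS)]


def egress_filter(flows):
    """Gateway rule over (src, dst) pairs: only the SOURCE is checked, so a
    multicast or other special-use destination is not dropped here."""
    decisions = []
    for src, dst in flows:
        hits = match_special_use(src)
        decisions.append((src, dst, "drop" if hits else "forward", hits[0] if hits else ""))
    return decisions


# Constructed sample flows (not from the thread) as seen at the tunnel router.
SAMPLE_FLOWS = [
    ("2001:470:1f0b:1::2", "2001:4860:4860::8888"),              # ordinary global source
    ("2001:470:1f0b:1::2", "ff0e::1"),                           # multicast destination, forwarded
    ("fd12:3456:789a::1", "2001:4860:4860::8888"),               # unique-local source
    ("::1", "2001:4860:4860::8888"),                             # loopback, also inside ::/96
    ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:4860:4860::8888"),  # Teredo source
]

if __name__ == "__main__":
    for row in egress_filter(SAMPLE_FLOWS):
        print(row)
```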