Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Routes to block on your IPv6 router  (Read 3013 times)

cholzhauer

  • Hero Member
  • Posts: 2726
Routes to block on your IPv6 router
« on: April 29, 2014, 09:55:50 AM »

A few years ago I had posted asking which address ranges shouldn't be forwarded out of your network to the Internet.  Unfortunately I'm unable to find that post to update it, so I'll just start a new one with the latest information.

From http://www.team-cymru.org/ReadingRoom/Templates/IPv6Routers/xsp-recommendations.html

Quote
[2] Reject the packets which contain following special-use
            prefix in the source address field.

           - IETF reserved Address(formerly IPv4-compatible IPv6
             Address)                  :  ::/96
           - Loop back Address         :  ::1/128
           - IPv4-mapped IPv6 Address  :  ::ffff:0:0/96
           - Discard-Only Address      :  100::/64
           - TEREDO Address            :  2001::/32
           - Benchmarking Address      :  2001:2::/48
           - ORCHID Address            :  2001:10::/28
           - Documentation Address     :  2001:db8::/32
           - Unique-local Address      :  fc00::/7
           - IETF reserved Address(formerly Site-local Address)
                                       :  fec0::/10
           - Multicast Address         :  ff00::/8
Logged

snarked

  • Hero Member
  • Posts: 774
Re: Routes to block on your IPv6 router
« Reply #1 on: April 29, 2014, 12:03:42 PM »

::0 shouldn't be forwarded onto The Internet either.  However, it may need different handling within the local network than ::/96, especially for machines autoconfiguring via bootpd.

::1 should be intercepted by the local interface and thus doesn't need special handling (beyond that of ::/96).

Some multicast addresses MAY be forwarded onto The Internet for multicasted services (greater than "site local").
Logged

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
  • Hero Member
  • Posts: 1733
Re: Routes to block on your IPv6 router
« Reply #2 on: April 29, 2014, 12:11:09 PM »

Interesting they list Teredo, and not 6to4 at the same time.
Logged

snarked

  • Hero Member
  • Posts: 774
Re: Routes to block on your IPv6 router
« Reply #3 on: April 30, 2014, 12:38:51 PM »

Also, thinking about this a bit more, some addresses may be valid as a destination but not as a source.  Although the OP did say "source address," this needs to be stressed, as well as this belongs only on gateways, not blocking internal to a network.
Logged

cholzhauer

  • Hero Member
  • Posts: 2726
Re: Routes to block on your IPv6 router
« Reply #4 on: May 01, 2014, 05:39:18 AM »

Quote
Also, thinking about this a bit more, some addresses may be valid as a destination but not as a source.  Although the OP did say "source address," this needs to be stressed, as well as this belongs only on gateways, not blocking internal to a network.

I suppose that depends on how you have your network set up.  In my case, the router hosting my tunnel is only touched if traffic is heading out of the organization; there's an 'internal' router that routes between VLANs.  I don't want to route garbage packets to the Internet, so for me I'd block all of these at the router.  The link has another section of what should be blocked as a destination.
Logged
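An added example, not part of the thread or of the Team Cymru page: the quoted source-address list loaded into Python's `ipaddress` module, so a gateway filter built from it can be checked against sample sources before deployment. The function names and the sample addresses are constructed for illustration; the run also shows the two points raised in the replies, that `::1/128` is already covered by `::/96` and that a 6to4 (`2002::/16`) source is not matched by the list as quoted.

```python
import ipaddress

# (label, prefix) pairs copied from the quoted source-address reject list.
REJECT_SRC = [
    ("IETF reserved (formerly IPv4-compatible)", "::/96"),
    ("Loopback", "::1/128"),
    ("IPv4-mapped", "::ffff:0:0/96"),
    ("Discard-only", "100::/64"),
    ("Teredo", "2001::/32"),
    ("Benchmarking", "2001:2::/48"),
    ("ORCHID", "2001:10::/28"),
    ("Documentation", "2001:db8::/32"),
    ("Unique-local", "fc00::/7"),
    ("IETF reserved (formerly site-local)", "fec0::/10"),
    ("Multicast", "ff00::/8"),
]
NETS = [(label, p, ipaddress.IPv6Network(p)) for label, p in REJECT_SRC]


def match_source(addr):
    """Return (label, prefix) of the most specific listed prefix, or None."""
    ip = ipaddress.IPv6Address(addr)
    hits = [entry for entry in NETS if ip in entry[2]]
    if not hits:
        return None
    label, prefix, _ = max(hits, key=lambda h: h[2].prefixlen)
    return label, prefix


def redundant_entries():
    """Listed prefixes that sit entirely inside another listed prefix."""
    return [(pa, pb) for _, pa, a in NETS for _, pb, b in NETS
            if a != b and a.subnet_of(b)]


if __name__ == "__main__":
    # Constructed sample source addresses, not taken from real traffic.
    for src in ("::", "::1", "::ffff:192.0.2.1", "2001:db8::1", "2001:2::1",
                "fd12:3456::1", "ff02::1", "2002:c000:201::1",
                "2001:470:1f00::1"):
        verdict = match_source(src)
        print(f"{src:20} {'reject ' + verdict[1] if verdict else 'not in list'}")
    print("redundant entries:", redundant_entries())
```
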