Route server IPv6 avoid_martians
Hi,

This page describes an IPv4 route-server: https://gitlab.labs.nic.cz/labs/bird/wikis/Simple_route_server

I like the function avoid_martians(), and use it (mine's even been expanded a bit). I'd like to implement something similar for IPv6. Has anyone else already created a function for IPv6?

I'm especially wondering about how to filter out too-long prefixes -- I think that's the 0.0.0.0/0{25,32} line. Any pointers, even just to how this syntax works, would be welcome. I hope I can update the wiki with the knowledge gleaned.

Thanks,
Jonathan
MBIX.ca
On Wed, Aug 19, 2015 at 05:34:49PM -0500, Jonathan Stewart wrote:
This page describes an IPv4 route-server: https://gitlab.labs.nic.cz/labs/bird/wikis/Simple_route_server
I like the function avoid_martians(), and use it (mine's even been expanded a bit). I'd like to implement something similar for IPv6.
here you go:

  function avoid_martians()
  prefix set martians;
  {
    martians = [ 0000::/8{8,128},
                 0200::/7{7,128},
                 2001::/32{32,128},
                 2001:db8::/32{32,128},
                 2002::/16{16,128},
                 3ffe::/16{16,128},
                 5f00::/8{8,128},
                 fc00::/7{7,128},
                 fe80::/10{10,128},
                 fec0::/10{10,128},
                 ff00::/8{8,128} ];
    if net ~ martians then return true;
    return false;
  }

Kind regards,
Job
On Thu, Aug 20, 2015 at 12:44:18AM +0200, Job Snijders wrote:
On Wed, Aug 19, 2015 at 05:34:49PM -0500, Jonathan Stewart wrote:
This page describes an IPv4 route-server: https://gitlab.labs.nic.cz/labs/bird/wikis/Simple_route_server
I like the function avoid_martians(), and use it (mine's even been expanded a bit). I'd like to implement something similar for IPv6.
here you go:
  function avoid_martians()
  prefix set martians;
  {
    martians = [ 0000::/8{8,128},
                 0200::/7{7,128},
                 2001::/32{32,128},
                 2001:db8::/32{32,128},
                 2002::/16{16,128},
                 3ffe::/16{16,128},
                 5f00::/8{8,128},
                 fc00::/7{7,128},
                 fe80::/10{10,128},
                 fec0::/10{10,128},
                 ff00::/8{8,128} ];
    if net ~ martians then return true;
    return false;
  }

The above is not complete, but you get the gist of it. Here is a more current overview in BIRD format:

  0000::/8{8,128},          # loopback, unspecified, v4-mapped
  0064:ff9b::/96{96,128},   # IPv4-IPv6 Translat. [RFC6052]
  0100::/8{8,128},          # reserved for Discard-Only Address Block [RFC6666]
  0200::/7{7,128},          # Reserved by IETF [RFC4048]
  0400::/6{6,128},          # Reserved by IETF [RFC4291]
  0800::/5{5,128},          # Reserved by IETF [RFC4291]
  1000::/4{4,128},          # Reserved by IETF [RFC4291]
  2001::/32{33,128},        # Teredo prefix [RFC4380]
  2001:0002::/48{48,128},   # Benchmarking [RFC5180]
  2001:0003::/32{32,128},   # Automatic Multicast Tunneling [RFC7450]
  2001:10::/28{28,128},     # Deprecated ORCHID [RFC4843]
  2001:20::/28{28,128},     # ORCHIDv2 [RFC7343]
  2001:db8::/32{32,128},    # NON-ROUTABLE range to be used for documentation purpose [RFC3849]
  2002::/16{17,128},        # 6to4 prefix [RFC3068]
  3ffe::/16{16,128},        # used for the 6bone but was returned [RFC5156]
  4000::/3{3,128},          # Reserved by IETF [RFC4291]
  5f00::/8{8,128},          # used for the 6bone but was returned [RFC5156]
  6000::/3{3,128},          # Reserved by IETF [RFC4291]
  8000::/3{3,128},          # Reserved by IETF [RFC4291]
  a000::/3{3,128},          # Reserved by IETF [RFC4291]
  c000::/3{3,128},          # Reserved by IETF [RFC4291]
  e000::/4{4,128},          # Reserved by IETF [RFC4291]
  f000::/5{5,128},          # Reserved by IETF [RFC4291]
  f800::/6{6,128},          # Reserved by IETF [RFC4291]
  fc00::/7{7,128},          # Unique Local Unicast [RFC4193]
  fe80::/10{10,128},        # Link Local Unicast [RFC4291]
  fec0::/10{10,128},        # Reserved by IETF [RFC3879]
  ff00::/8{8,128}           # Multicast [RFC4291]

based on:
http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicas...

Kind regards,
Job
On Wed, Aug 19, 2015 at 5:56 PM, Job Snijders <job@instituut.net> wrote:
On Thu, Aug 20, 2015 at 12:44:18AM +0200, Job Snijders wrote:
On Wed, Aug 19, 2015 at 05:34:49PM -0500, Jonathan Stewart wrote:
This page describes an IPv4 route-server: https://gitlab.labs.nic.cz/labs/bird/wikis/Simple_route_server
I like the function avoid_martians(), and use it (mine's even been expanded a bit). I'd like to implement something similar for IPv6.
here you go:
  function avoid_martians()
  prefix set martians;
  {
    martians = [ 0000::/8{8,128},
                 0200::/7{7,128},
                 2001::/32{32,128},
                 2001:db8::/32{32,128},
                 2002::/16{16,128},
                 3ffe::/16{16,128},
                 5f00::/8{8,128},
                 fc00::/7{7,128},
                 fe80::/10{10,128},
                 fec0::/10{10,128},
                 ff00::/8{8,128} ];
    if net ~ martians then return true;
    return false;
  }

The above is not complete, but you get the gist of it. Here is a more current overview in BIRD format:

  0000::/8{8,128},          # loopback, unspecified, v4-mapped
  0064:ff9b::/96{96,128},   # IPv4-IPv6 Translat. [RFC6052]
  0100::/8{8,128},          # reserved for Discard-Only Address Block [RFC6666]
  0200::/7{7,128},          # Reserved by IETF [RFC4048]
  0400::/6{6,128},          # Reserved by IETF [RFC4291]
  0800::/5{5,128},          # Reserved by IETF [RFC4291]
  1000::/4{4,128},          # Reserved by IETF [RFC4291]
  2001::/32{33,128},        # Teredo prefix [RFC4380]
  2001:0002::/48{48,128},   # Benchmarking [RFC5180]
  2001:0003::/32{32,128},   # Automatic Multicast Tunneling [RFC7450]
  2001:10::/28{28,128},     # Deprecated ORCHID [RFC4843]
  2001:20::/28{28,128},     # ORCHIDv2 [RFC7343]
  2001:db8::/32{32,128},    # NON-ROUTABLE range to be used for documentation purpose [RFC3849]
  2002::/16{17,128},        # 6to4 prefix [RFC3068]
  3ffe::/16{16,128},        # used for the 6bone but was returned [RFC5156]
  4000::/3{3,128},          # Reserved by IETF [RFC4291]
  5f00::/8{8,128},          # used for the 6bone but was returned [RFC5156]
  6000::/3{3,128},          # Reserved by IETF [RFC4291]
  8000::/3{3,128},          # Reserved by IETF [RFC4291]
  a000::/3{3,128},          # Reserved by IETF [RFC4291]
  c000::/3{3,128},          # Reserved by IETF [RFC4291]
  e000::/4{4,128},          # Reserved by IETF [RFC4291]
  f000::/5{5,128},          # Reserved by IETF [RFC4291]
  f800::/6{6,128},          # Reserved by IETF [RFC4291]
  fc00::/7{7,128},          # Unique Local Unicast [RFC4193]
  fe80::/10{10,128},        # Link Local Unicast [RFC4291]
  fec0::/10{10,128},        # Reserved by IETF [RFC3879]
  ff00::/8{8,128}           # Multicast [RFC4291]
Job, this looks great! I'll incorporate this for sure. I really like your longer list with comments. Helps to remind the operator why these prefixes are special.

I want to ask a question: do any of these rules define an overall prefix length accepted? A statement like "accept a /8 to a /48"? How would I write this type of rule?

Cheers,
Jonathan
On Thu, Aug 20, 2015 at 05:57:15PM -0500, Jonathan Stewart wrote:
I want to ask a question: do any of these rules define an overall prefix length accepted? A statement like "accept a /8 to a /48"? How would i write this type of rule?
You could match on it with something along the lines of:

  function avoid_too_long_or_too_short()
  prefix set boundry;
  {
    boundry = [ ::/0{8,48} ];
    if net ~ boundry then return true;
    return false;
  }

And later on use:

  if !(avoid_too_long_or_too_short()) then reject;

Kind regards,
Job
On Thu, Aug 20, 2015 at 6:08 PM, Job Snijders <job@instituut.net> wrote:
You could match on it with something along the lines of:
  function avoid_too_long_or_too_short()
  prefix set boundry;
  {
    boundry = [ ::/0{8,48} ];
    if net ~ boundry then return true;
    return false;
  }
And later on use:
if !(avoid_too_long_or_too_short()) then reject;
Kind regards,
Hi Job,

I just wanted to follow up with a big THANKS. I followed your example and have upgraded our IPv6 route servers at MBIX.ca so they are blocking martians, and we are controlling announcement length. Your information was exactly what I was looking for.

I will now endeavour to add what I've learned to the BIRD wiki. Anyone know how I should get edit access to the wiki?

--
Jonathan
On Wed, Sep 09, 2015 at 05:25:30PM -0500, Jonathan Stewart wrote:
On Thu, Aug 20, 2015 at 6:08 PM, Job Snijders <job@instituut.net> wrote:
You could match on it with something along the lines of:
  function avoid_too_long_or_too_short()
  prefix set boundry;
  {
    boundry = [ ::/0{8,48} ];
    if net ~ boundry then return true;
    return false;
  }
And later on use:
if !(avoid_too_long_or_too_short()) then reject;
Kind regards,
I will now endeavour to add what I've learned to the BIRD wiki. Anyone know how I should get edit access to the wiki?
Hi,

I don't know much about edit access approval, but if you send me the text, I will put it there.

BTW, you can specify prefix set constants directly as a global statement; it is not necessary to have functions just for that:

  define martians = [ 0000::/8{8,128},
                      0200::/7{7,128},
                      2001::/32{32,128},
                      2001:db8::/32{32,128},
                      2002::/16{16,128},
                      3ffe::/16{16,128},
                      5f00::/8{8,128},
                      fc00::/7{7,128},
                      fe80::/10{10,128},
                      fec0::/10{10,128},
                      ff00::/8{8,128} ];
  ...
  if net ~ martians then reject;

Also note that checking for proper length using the '::/0{8,48}' pattern in a prefix set is OK, but if it is a separate check instead of a part of a wider prefix set, it is simpler to use:

  if (net.len < 8) or (net.len > 48) then reject;

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
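Jonathan asked how the `prefix/len{lo,hi}` syntax actually works, and the thread leaves the rule implicit: an element `P/len{lo,hi}` matches a route when the route lies inside `P/len` and its own length is between `lo` and `hi` inclusive. The following is an added example, not code from the thread and not BIRD's own implementation; it models that rule in Python (standard library only, 3.7+ for `IPv6Network.subnet_of`), parses Job's fuller list exactly as he wrote it (trailing commas and `#` comments included), and shows both forms of the length check: Job's `::/0{8,48}` pattern and Ondrej's `net.len` comparison. The sample announcements at the bottom are constructed. One thing it makes visible that the list alone does not: `2001::/32{33,128}` and `2002::/16{17,128}` reject only more-specifics, so the Teredo /32 and 6to4 /16 aggregates themselves still pass.

```python
"""Model of BIRD's prefix-set matching (added example, not BIRD code).
P/len{lo,hi} matches route R iff R is inside P/len and lo <= R.len <= hi;
a bare P/len is shorthand for P/len{len,len}."""
import ipaddress
import re
from typing import List, Tuple

Pattern = Tuple[ipaddress.IPv6Network, int, int]

# One BIRD prefix-set element: "prefix/len" with an optional "{lo,hi}" suffix.
_PATTERN_RE = re.compile(r"^(?P<net>[0-9a-fA-F:]+/\d+)(?:\{(?P<lo>\d+),(?P<hi>\d+)\})?$")


def parse_pattern(text: str) -> Pattern:
    """Turn one element such as '2001::/32{33,128}' into (network, lo, hi)."""
    m = _PATTERN_RE.match(text)
    if not m:
        raise ValueError(f"not a BIRD prefix pattern: {text!r}")
    net = ipaddress.IPv6Network(m.group("net"))  # strict: host bits must be zero
    lo = int(m.group("lo")) if m.group("lo") else net.prefixlen
    hi = int(m.group("hi")) if m.group("hi") else net.prefixlen
    if not 0 <= lo <= hi <= 128:
        raise ValueError(f"bad length range in {text!r}")
    return net, lo, hi


def parse_prefix_set(config_text: str) -> List[Pattern]:
    """Parse a prefix-set body as written in BIRD config: one element per
    line, optional trailing comma, optional '# comment'."""
    patterns = []
    for raw in config_text.splitlines():
        element = raw.split("#", 1)[0].strip().rstrip(",").strip()
        if element:
            patterns.append(parse_pattern(element))
    return patterns


def matches(route: ipaddress.IPv6Network, pattern: Pattern) -> bool:
    covering, lo, hi = pattern
    return route.subnet_of(covering) and lo <= route.prefixlen <= hi


# Job's list from this thread (comments shortened).
MARTIANS = parse_prefix_set("""
0000::/8{8,128},          # loopback, unspecified, v4-mapped
0064:ff9b::/96{96,128},   # IPv4-IPv6 translation [RFC6052]
0100::/8{8,128},          # Discard-Only [RFC6666]
0200::/7{7,128},
0400::/6{6,128},
0800::/5{5,128},
1000::/4{4,128},
2001::/32{33,128},        # Teredo: only more-specifics of the /32 are martian
2001:0002::/48{48,128},
2001:0003::/32{32,128},
2001:10::/28{28,128},
2001:20::/28{28,128},
2001:db8::/32{32,128},    # documentation
2002::/16{17,128},        # 6to4: only more-specifics of the /16 are martian
3ffe::/16{16,128},
4000::/3{3,128},
5f00::/8{8,128},
6000::/3{3,128},
8000::/3{3,128},
a000::/3{3,128},
c000::/3{3,128},
e000::/4{4,128},
f000::/5{5,128},
f800::/6{6,128},
fc00::/7{7,128},          # unique local
fe80::/10{10,128},        # link local
fec0::/10{10,128},
ff00::/8{8,128}           # multicast
""")

# Job's length boundary, expressed as a single prefix pattern.
LENGTH_BOUNDARY = parse_pattern("::/0{8,48}")


def is_martian(route: str) -> bool:
    net = ipaddress.IPv6Network(route)
    return any(matches(net, p) for p in MARTIANS)


def length_ok_prefix_set(route: str) -> bool:
    """Job's form: net ~ [ ::/0{8,48} ]."""
    return matches(ipaddress.IPv6Network(route), LENGTH_BOUNDARY)


def length_ok_plain(route: str) -> bool:
    """Ondrej's form: not ((net.len < 8) or (net.len > 48))."""
    length = ipaddress.IPv6Network(route).prefixlen
    return not (length < 8 or length > 48)


def decide(route: str) -> str:
    """Both checks combined as a route-server import filter would apply them."""
    if is_martian(route):
        return "reject: martian"
    if not length_ok_plain(route):
        return "reject: length"
    return "accept"


if __name__ == "__main__":
    # Constructed sample announcements, not real route-server data.
    for r in ["2001:db8::/32", "2001::/32", "2001::/33", "2002::/16",
              "2002:c000::/20", "fe80::/64", "2a00:1450:4000::/48",
              "2a00:1450:4000::/49", "::/0"]:
        print(f"{r:22} {decide(r)}")
```

Running it prints one decision per sample route; `2001::/32` and `2002::/16` come out as `accept` while `2001::/33` and `2002:c000::/20` are rejected as martians, which is exactly the effect of the `{33,128}` and `{17,128}` bounds. The two length functions agree on every input, confirming Ondrej's point that the plain `net.len` comparison is the simpler way to write a stand-alone length check.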
participants (3)
- Job Snijders
- Jonathan Stewart
- Ondrej Zajicek