Hi Ondrejs & Fellow BIRD users,

I'm currently building the IPv6 Part of our BIRD Configuration Template. I'm trying to build it in the same way as our IPv4 stuff, which is trivial, because I've prepared all the code for a "dual stack" implementation. My question is, what your current best practice is for avoiding martians or unnecessary ipv6 routes (Like the Link Local Range, but I guess there are much more which I currently am not thinking about).

Like in IPv4 I have this:

    prefix set martians;
    {
      martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];

      if net.ip = 0.0.0.0 then return false;

      # Avoid too short and too long prefixes
      if (net.len < 8) || (net.len > 30) then return false;

      if net ~ martians then return false;

      return true;
    }

What is your recommendation for that?

Wolfgang

PS: I think we have a very decent, awesome and super-automated IPv4 BIRD installation now @VIX, still not running productive, but as soon as IPv6 (and some minor tweaking in the webinterface) is done, we are going to run productive, which will be well before Euro-IX in Brussels.

--
www.vix.at | www.aco.net
wh@univie.ac.at | WH844-RIPE
Vienna University Computer Center

On 17.03.2010 16:34 Wolfgang Hennerbichler wrote

> I'm currently building the IPv6 Part of our BIRD Configuration Template. I'm trying to build it in the same way as our IPv4 stuff, which is trivial, because I've prepared all the code for a "dual stack" implementation. My question is, what your current best practice is for avoiding martians or unnecessary ipv6 routes (Like the Link Local Range, but I guess there are much more which I currently am not thinking about).
> ... What is your recommendation for that?

filtering according to http://www.space.net/~gert/RIPE/ipv6-filters.html is imho highly accepted. Gert's page is well documented and always up to date.

We (i.e. DE-CIX) most likely will go for the "relaxed" version.

Arnold

--
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold@nipper.de phone: +49 6224 9259 299
mobile: +49 172 2650958 fax: +49 6224 9259 333

On Mar 17, 2010, at 23:13 , Arnold Nipper wrote:

> On 17.03.2010 16:34 Wolfgang Hennerbichler wrote
>> I'm currently building the IPv6 Part of our BIRD Configuration Template. I'm trying to build it in the same way as our IPv4 stuff, which is trivial, because I've prepared all the code for a "dual stack" implementation. My question is, what your current best practice is for avoiding martians or unnecessary ipv6 routes (Like the Link Local Range, but I guess there are much more which I currently am not thinking about).
>> ... What is your recommendation for that?
>
> filtering according to http://www.space.net/~gert/RIPE/ipv6-filters.html is imho highly accepted. Gert's page is well documented and always up to date.

Thanks Arnold!

> We (i.e. DE-CIX) most likely will go for the "relaxed" version.

We (VIX) will probably do so, too.

> Arnold

Wolfgang

> --
> Arnold Nipper / nIPper consulting, Sandhausen, Germany
> email: arnold@nipper.de phone: +49 6224 9259 299
> mobile: +49 172 2650958 fax: +49 6224 9259 333

--
www.vix.at | www.aco.net
wh@univie.ac.at | WH844-RIPE
Vienna University Computer Center

On Wed, Mar 17, 2010 at 04:34:22PM +0100, Wolfgang Hennerbichler wrote:

> Like in IPv4 I have this:
>
>     prefix set martians;
>     {
>       martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];
>
>       if net.ip = 0.0.0.0 then return false;
>
>       # Avoid too short and too long prefixes
>       if (net.len < 8) || (net.len > 30) then return false;

Just a note, you can replace these two tests by adding 0.0.0.0/32-, 0.0.0.0/0{0,7} and 0.0.0.0/0{31,32} to the martians prefix set.

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

On 17.3.2010 16:34, Wolfgang Hennerbichler wrote:

> Hi Ondrejs & Fellow BIRD users,
>
> I'm currently building the IPv6 Part of our BIRD Configuration Template. I'm trying to build it in the same way as our IPv4 stuff, which is trivial, because I've prepared all the code for a "dual stack" implementation. My question is, what your current best practice is for avoiding martians or unnecessary ipv6 routes (Like the Link Local Range, but I guess there are much more which I currently am not thinking about).
>
> Like in IPv4 I have this:
>
>     prefix set martians;
>     {
>       martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];
>
>       if net.ip = 0.0.0.0 then return false;
>
>       # Avoid too short and too long prefixes
>       if (net.len < 8) || (net.len > 30) then return false;
>
>       if net ~ martians then return false;
>
>       return true;
>     }
>
> What is your recommendation for that?

As Ondrej has mentioned, this is a little bit better/faster approach:

----------------------------------
function avoid_martians()
prefix set martians;
{
  martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-, 0.0.0.0/0{31,32}, 0.0.0.0/0{0,7} ];

  # Avoid RFC1918 networks
  if net ~ martians then return false;

  return true;
}
----------------------------------

But I personally prefer: 0.0.0.0/0{25,32} :-)

I use this IPv6 filter:

----------------------------------
# This function excludes weird networks
function avoid_martians()
prefix set martians;
{
  martians = [ fc00::/7+, fec0::/10+, ::/128-, ::/0{0,15}, ::/0{49,128} ];

  if net ~ martians then return false;

  return true;
}
----------------------------------

> Wolfgang
>
> PS: I think we have a very decent, awesome and super-automated IPv4 BIRD installation now @VIX, still not running productive, but as soon as IPv6 (and some minor tweaking in the webinterface) is done, we are going to run productive, which will be well before Euro-IX in Brussels.

Good news!

Ondrej

On Mar 18, 2010, at 22:36 , Ondrej Filip wrote:

> On 17.3.2010 16:34, Wolfgang Hennerbichler wrote:
>> Hi Ondrejs & Fellow BIRD users,
>>
>> I'm currently building the IPv6 Part of our BIRD Configuration Template. I'm trying to build it in the same way as our IPv4 stuff, which is trivial, because I've prepared all the code for a "dual stack" implementation. My question is, what your current best practice is for avoiding martians or unnecessary ipv6 routes (Like the Link Local Range, but I guess there are much more which I currently am not thinking about).
>>
>> Like in IPv4 I have this:
>>
>>     prefix set martians;
>>     {
>>       martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];
>>
>>       if net.ip = 0.0.0.0 then return false;
>>
>>       # Avoid too short and too long prefixes
>>       if (net.len < 8) || (net.len > 30) then return false;
>>
>>       if net ~ martians then return false;
>>
>>       return true;
>>     }
>>
>> What is your recommendation for that?
>
> As Ondrej has mentioned, this is a little bit better/faster approach:
>
> ----------------------------------
> function avoid_martians()
> prefix set martians;
> {
>   martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-, 0.0.0.0/0{31,32}, 0.0.0.0/0{0,7} ];
>
>   # Avoid RFC1918 networks
>   if net ~ martians then return false;
>
>   return true;
> }
> ----------------------------------
>
> But I personally prefer: 0.0.0.0/0{25,32} :-)

Yeah, we really should not accept bigger networks than /24, that's true.

> I use this IPv6 filter:
>
> ----------------------------------
> # This function excludes weird networks
> function avoid_martians()
> prefix set martians;
> {
>   martians = [ fc00::/7+, fec0::/10+, ::/128-, ::/0{0,15}, ::/0{49,128} ];
>
>   if net ~ martians then return false;
>
>   return true;
> }
> ----------------------------------

All right, I came up with this now (Thanks to Arnold's Hint and yours above):

    # this function avoids illegal ipv6 networks.
    function avoid_martians()
    prefix set ipv6_no_gos;
    {
      ipv6_no_gos = [ 3ffe::/16+, 2001:db8::/32+, fe00::/9+, ff00::/8+, ::/128-, ::/0{0,15}, ::/0{49,128} ];
      if net ~ ipv6_no_gos then return false;
      return true;
    }

Thanks for your hints;

Wolfgang

--
www.vix.at | www.aco.net
wh@univie.ac.at | WH844-RIPE
Vienna University Computer Center
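
An added example, not written by any poster in this thread: a small Python model of BIRD's prefix-pattern matching (`+`, `-`, `{low,high}`), used to check which routes the prefix sets quoted above accept or reject. The sample routes and the names `IPV4_SET`, `FILIP_V6`, `IPV6_NO_GOS` and `compare` are constructed for illustration.

```python
import ipaddress
import re

def parse_pattern(text):
    """Parse one BIRD prefix pattern into (network, low, high)."""
    m = re.fullmatch(r"(.+?/\d+)(\+|-|\{(\d+),(\d+)\})?", text)
    if m is None:
        raise ValueError(f"not a prefix pattern: {text!r}")
    net = ipaddress.ip_network(m.group(1))
    if m.group(2) is None:          # plain prefix: exact length only
        return net, net.prefixlen, net.prefixlen
    if m.group(2) == "+":           # the prefix and all its subnets
        return net, net.prefixlen, net.max_prefixlen
    if m.group(2) == "-":           # the prefix and all its supernets
        return net, 0, net.prefixlen
    return net, int(m.group(3)), int(m.group(4))   # explicit {low,high}

def matches(prefix, pattern):
    """BIRD rule: length within [low, high] and the first
    min(len, pxlen) bits equal to the pattern address."""
    net, low, high = pattern
    if prefix.version != net.version or not low <= prefix.prefixlen <= high:
        return False
    shift = net.max_prefixlen - min(prefix.prefixlen, net.prefixlen)
    return int(prefix.network_address) >> shift == int(net.network_address) >> shift

def avoid_martians(route, martians):
    """Same contract as the filters in the thread: False means reject."""
    prefix = ipaddress.ip_network(route)
    return not any(matches(prefix, parse_pattern(p)) for p in martians.split())

# Prefix sets copied from the thread.
IPV4_SET = ("169.254.0.0/16+ 172.16.0.0/12+ 192.168.0.0/16+ 10.0.0.0/8+ 224.0.0.0/4+ "
            "240.0.0.0/4+ 0.0.0.0/32- 0.0.0.0/0{31,32} 0.0.0.0/0{0,7}")
FILIP_V6 = "fc00::/7+ fec0::/10+ ::/128- ::/0{0,15} ::/0{49,128}"
IPV6_NO_GOS = "3ffe::/16+ 2001:db8::/32+ fe00::/9+ ff00::/8+ ::/128- ::/0{0,15} ::/0{49,128}"

# Constructed sample routes; the address values are illustrative only.
SAMPLES = ["2a00:1234::/32", "2001:db8:1::/48", "fd00:1::/48", "fe80::/32",
           "fec0::/48", "ff02::/16", "::/0", "2a00:1234::/64"]

def compare(samples=SAMPLES):
    """Return {route: (accepted by FILIP_V6, accepted by IPV6_NO_GOS)}."""
    return {r: (avoid_martians(r, FILIP_V6), avoid_martians(r, IPV6_NO_GOS))
            for r in samples}

if __name__ == "__main__":
    for route, (filip, no_gos) in compare().items():
        print(f"{route:18} filip_v6={filip!s:5} ipv6_no_gos={no_gos!s:5}")
```

With these samples both IPv6 sets accept fe80::/32, because fe80::/10 lies outside fe00::/9, fc00::/7 and fec0::/10. Running a table like `SAMPLES` against a martian set shows such gaps before the filter goes into production.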