Awalan IPv6 apa yang tidak boleh dirutekan?

12

Tampak jelas bagi saya bahwa Tautan Lokal, dan Alamat Unik Lokal, setidaknya harus difilter.

Apakah ada selain LLA / ULA yang harus disaring?
Untuk LLA, apakah itu praktik standar untuk menyelimuti filter fe80 :: / 10 penuh, atau hanya memfilter fe80 :: / 64?

ipv6 Craig Constantine
sumber

12

RFC 6890 bagian 2.2.3 menjelaskan awalan tujuan khusus untuk IPv6. Tautan ada di sini:

http://tools.ietf.org/html/rfc6890#halaman 14

Awalan yang akan disertakan adalah:

               +----------------------+------------------+
               | Attribute            | Value            |
               +----------------------+------------------+
               | Address Block        | ::1/128          |
               | Name                 | Loopback Address |
               | RFC                  | [RFC4291]        |
               | Allocation Date      | February 2006    |
               | Termination Date     | N/A              |
               | Source               | False            |
               | Destination          | False            |
               | Forwardable          | False            |
               | Global               | False            |
               | Reserved-by-Protocol | True             |
               +----------------------+------------------+

                    Table 17: Loopback Address

             +----------------------+---------------------+
             | Attribute            | Value               |
             +----------------------+---------------------+
             | Address Block        | ::/128              |
             | Name                 | Unspecified Address |
             | RFC                  | [RFC4291]           |
             | Allocation Date      | February 2006       |
             | Termination Date     | N/A                 |
             | Source               | True                |
             | Destination          | False               |
             | Forwardable          | False               |
             | Global               | False               |
             | Reserved-by-Protocol | True                |
             +----------------------+---------------------+

                   Table 18: Unspecified Address

            +----------------------+---------------------+
            | Attribute            | Value               |
            +----------------------+---------------------+
            | Address Block        | 64:ff9b::/96        |
            | Name                 | IPv4-IPv6 Translat. |
            | RFC                  | [RFC6052]           |
            | Allocation Date      | October 2010        |
            | Termination Date     | N/A                 |
            | Source               | True                |
            | Destination          | True                |
            | Forwardable          | True                |
            | Global               | True                |
            | Reserved-by-Protocol | False               |
            +----------------------+---------------------+

              Table 19: IPv4-IPv6 Translation Address

             +----------------------+---------------------+
             | Attribute            | Value               |
             +----------------------+---------------------+
             | Address Block        | ::ffff:0:0/96       |
             | Name                 | IPv4-mapped Address |
             | RFC                  | [RFC4291]           |
             | Allocation Date      | February 2006       |
             | Termination Date     | N/A                 |
             | Source               | False               |
             | Destination          | False               |
             | Forwardable          | False               |
             | Global               | False               |
             | Reserved-by-Protocol | True                |
             +----------------------+---------------------+

                   Table 20: IPv4-Mapped Address

          +----------------------+----------------------------+
          | Attribute            | Value                      |
          +----------------------+----------------------------+
          | Address Block        | 100::/64                   |
          | Name                 | Discard-Only Address Block |
          | RFC                  | [RFC6666]                  |
          | Allocation Date      | June 2012                  |
          | Termination Date     | N/A                        |
          | Source               | True                       |
          | Destination          | True                       |
          | Forwardable          | True                       |
          | Global               | False                      |
          | Reserved-by-Protocol | False                      |
          +----------------------+----------------------------+

                   Table 21: Discard-Only Prefix

          +----------------------+---------------------------+
          | Attribute            | Value                     |
          +----------------------+---------------------------+
          | Address Block        | 2001::/23                 |
          | Name                 | IETF Protocol Assignments |
          | RFC                  | [RFC2928]                 |
          | Allocation Date      | September 2000            |
          | Termination Date     | N/A                       |
          | Source               | False[1]                  |
          | Destination          | False[1]                  |
          | Forwardable          | False[1]                  |
          | Global               | False[1]                  |
          | Reserved-by-Protocol | False                     |
          +----------------------+---------------------------+

         [1] Unless allowed by a more specific allocation.

                +----------------------+----------------+
                | Attribute            | Value          |
                +----------------------+----------------+
                | Address Block        | 2001::/32      |
                | Name                 | TEREDO         |
                | RFC                  | [RFC4380]      |
                | Allocation Date      | January 2006   |
                | Termination Date     | N/A            |
                | Source               | True           |
                | Destination          | True           |
                | Forwardable          | True           |
                | Global               | False          |
                | Reserved-by-Protocol | False          |
                +----------------------+----------------+

                         Table 23: TEREDO

                +----------------------+----------------+
                | Attribute            | Value          |
                +----------------------+----------------+
                | Address Block        | 2001:2::/48    |
                | Name                 | Benchmarking   |
                | RFC                  | [RFC5180]      |
                | Allocation Date      | April 2008     |
                | Termination Date     | N/A            |
                | Source               | True           |
                | Destination          | True           |
                | Forwardable          | True           |
                | Global               | False          |
                | Reserved-by-Protocol | False          |
                +----------------------+----------------+

                      Table 24: Benchmarking

                +----------------------+---------------+
                | Attribute            | Value         |
                +----------------------+---------------+
                | Address Block        | 2001:db8::/32 |
                | Name                 | Documentation |
                | RFC                  | [RFC3849]     |
                | Allocation Date      | July 2004     |
                | Termination Date     | N/A           |
                | Source               | False         |
                | Destination          | False         |
                | Forwardable          | False         |
                | Global               | False         |
                | Reserved-by-Protocol | False         |
                +----------------------+---------------+

                      Table 25: Documentation

                 +----------------------+--------------+
                 | Attribute            | Value        |
                 +----------------------+--------------+
                 | Address Block        | 2001:10::/28 |
                 | Name                 | ORCHID       |
                 | RFC                  | [RFC4843]    |
                 | Allocation Date      | March 2007   |
                 | Termination Date     | March 2014   |
                 | Source               | False        |
                 | Destination          | False        |
                 | Forwardable          | False        |
                 | Global               | False        |
                 | Reserved-by-Protocol | False        |
                 +----------------------+--------------+

                         Table 26: ORCHID

                +----------------------+---------------+
                | Attribute            | Value         |
                +----------------------+---------------+
                | Address Block        | 2002::/16 [2] |
                | Name                 | 6to4          |
                | RFC                  | [RFC3056]     |
                | Allocation Date      | February 2001 |
                | Termination Date     | N/A           |
                | Source               | True          |
                | Destination          | True          |
                | Forwardable          | True          |
                | Global               | N/A [2]       |
                | Reserved-by-Protocol | False         |
                +----------------------+---------------+

                  [2] See [RFC3056] for details.

                          Table 27: 6to4

                 +----------------------+--------------+
                 | Attribute            | Value        |
                 +----------------------+--------------+
                 | Address Block        | fc00::/7     |
                 | Name                 | Unique-Local |
                 | RFC                  | [RFC4193]    |
                 | Allocation Date      | October 2005 |
                 | Termination Date     | N/A          |
                 | Source               | True         |
                 | Destination          | True         |
                 | Forwardable          | True         |
                 | Global               | False        |
                 | Reserved-by-Protocol | False        |
                 +----------------------+--------------+

                      Table 28: Unique-Local

            +----------------------+-----------------------+
            | Attribute            | Value                 |
            +----------------------+-----------------------+
            | Address Block        | fe80::/10             |
            | Name                 | Linked-Scoped Unicast |
            | RFC                  | [RFC4291]             |
            | Allocation Date      | February 2006         |
            | Termination Date     | N/A                   |
            | Source               | True                  |
            | Destination          | True                  |
            | Forwardable          | False                 |
            | Global               | False                 |
            | Reserved-by-Protocol | True                  |
            +----------------------+-----------------------+

                      Table 29: Linked-Scoped Unicast

Ini sudah cukup. Ada juga opsi untuk memfilter bogon tetapi rasanya agak berlebihan kecuali jika Anda mengatur mengintip ke Tim Cymru atau semacamnya.

Daniel Dib
sumber

Saya tidak setuju bahwa semua alamat tujuan khusus "Tidak Harus Dirutekan" atau bahwa mereka harus "setidaknya disaring". Misalnya, ada beberapa yang ditandai "Forwardable" dan "Global", khususnya 64: ff9b :: / 96 untuk NAT64.

zevlag

Jelas jika Anda menggunakan salah satu dari awalan ini maka Anda tidak harus menyaringnya. Mungkin Anda menggunakan Teredo dll tetapi sikap standarnya adalah menyaringnya kecuali Anda menjalankan NAT atau tunneling.

Daniel Dib

2

Mengapa Anda ingin memfilter 2002 :: / 16? Itu akan menghentikan siapa pun yang menggunakan 6to4 sebagai mekanisme transisi untuk berkomunikasi dengan Anda.

Paul Gear

6

Ada tiga opsi yang bisa Anda tuju.

Yang pertama, dan yang paling akurat, adalah mengatur peering dengan Team Cymru, seperti yang dijelaskan SimonJGreen. Anda memiliki keuntungan memiliki daftar yang paling akurat, kerugian mempertahankan peering, kebijakan-pernyataan / rute-rute dll.

Rute kedua, adalah menyangkal awalan yang "Anda tidak akan pernah melihat di alam liar", seperti awalan tautan-lokal, awalan 6Bone 3FFE :: / 16 dll dan gabungkan dengan awalan yang harus Anda lihat. Lihat di bawah untuk contoh. Keuntungannya adalah ini adalah konfigurasi termudah, kerugiannya adalah tidak seakurat opsi pertama.

Rute ketiga, yang tidak boleh Anda laksanakan, adalah dengan mengambil daftar bogon ipv6 saat ini, seperti yang diterbitkan oleh Team Cymru, dan rekatkan itu sebagai filter statis di konfigurasi Anda. Inilah yang dilakukan oleh banyak orang dengan ipv4 beberapa tahun yang lalu, dan menyebabkan banyak penderitaan hari ini ... Jangan lakukan ini. Pernah.

Sebagai contoh, berikut adalah daftar awalan ipv6 yang layak untuk dibolehkan dan awalan untuk ditolak:

ipv6 prefix-list in-filter-v6 seq 5 deny 3ffe::/16 le 128 
ipv6 prefix-list in-filter-v6 seq 10 deny 2001:db8::/32 le 128 
ipv6 prefix-list in-filter-v6 seq 15 permit 2001::/32 
ipv6 prefix-list in-filter-v6 seq 20 deny 2001::/32 le 128 
ipv6 prefix-list in-filter-v6 seq 25 permit 2002::/16 
ipv6 prefix-list in-filter-v6 seq 30 deny 2002::/16 le 128 
ipv6 prefix-list in-filter-v6 seq 35 deny ::/8 le 128 
ipv6 prefix-list in-filter-v6 seq 40 deny fe00::/9 le 128 
ipv6 prefix-list in-filter-v6 seq 45 deny ff00::/8 le 128 
ipv6 prefix-list in-filter-v6 seq 50 permit 2000::/3 le 48 
ipv6 prefix-list in-filter-v6 seq 55 deny ::/0 le 128

Frank Louwers
sumber

4

Lihat daftar Fullbogons IPv6 di http://www.team-cymru.org/Services/Bogons/http.html

Ini tersedia melalui DNS , RADB , RIPE atau BGP juga jika Anda ingin melakukan penyaringan otomatis.

Berikut adalah contoh pemfilteran secara otomatis di Cisco:

router bgp <your asn>
 ! Session 1
 neighbor A.B.C.D remote-as 65332
 neighbor A.B.C.D description <your description>
 neighbor A.B.C.D ebgp-multihop 255
 neighbor A.B.C.D password <your password>
 ! Session 2
 neighbor E.F.G.H remote-as 65332
 neighbor E.F.G.H description <your description>
 neighbor E.F.G.H ebgp-multihop 255
 neighbor E.F.G.H password <your password>
!
 address-family ipv4
  ! Session 1
  neighbor A.B.C.D activate
  neighbor A.B.C.D soft-reconfiguration inbound
  neighbor A.B.C.D prefix-list cymru-out-v4 out
  neighbor A.B.C.D route-map CYMRUBOGONS-V4 in
  ! Session 2
  neighbor E.F.G.H activate
  neighbor E.F.G.H soft-reconfiguration inbound
  neighbor E.F.G.H prefix-list cymru-out-v4 out
  neighbor E.F.G.H route-map CYMRUBOGONS-V4 in
!
 address-family ipv6
  ! Session 1
  neighbor A.B.C.D activate
  neighbor A.B.C.D soft-reconfiguration inbound
  neighbor A.B.C.D prefix-list cymru-out-v6 out
  neighbor A.B.C.D route-map CYMRUBOGONS-V6 in
  ! Session 2
  neighbor E.F.G.H activate
  neighbor E.F.G.H soft-reconfiguration inbound
  neighbor E.F.G.H prefix-list cymru-out-v6 out
  neighbor E.F.G.H route-map CYMRUBOGONS-V6 in
!
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
!
ip community-list 100 permit 65332:888
!
ip route 192.0.2.1 255.255.255.255 Null0
!
ip prefix-list cymru-out-v4 seq 5 deny 0.0.0.0/0 le 32
!
ipv6 route 2001:DB8:0:DEAD:BEEF::1/128 Null0
!
ipv6 prefix-list cymru-out-v6 seq 5 deny ::/0 le 128
!
route-map CYMRUBOGONS-V6 permit 10
description IPv6 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ipv6 next-hop 2001:DB8:0:DEAD:BEEF::1
!
route-map CYMRUBOGONS-V4 permit 10
description IPv4 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ip next-hop 192.0.2.1

Dan ini satu untuk JunOS:

/*
* Define BGP peer group
*/
delete protocols bgp group cymru-bogons
set protocols bgp group cymru-bogons type external
set protocols bgp group cymru-bogons description "cymru fullbogon bgp feed (ipv4 + 6)"
set protocols bgp group cymru-bogons multihop ttl 255
set protocols bgp group cymru-bogons import cymru-bogons-in
/*
* Define MD5 password in quotes
*/
set protocols bgp group cymru-bogons authentication-key "<YOUR PASSWORD>"
set protocols bgp group cymru-bogons export deny-all
set protocols bgp group cymru-bogons peer-as 65332
/*
* Replace values below as appropriate
*/
set protocols bgp group cymru-bogons neighbor A.B.C.D local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet unicast
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet6 unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet6 unicast
/*
* Define CYMRU import policy
*/
delete policy-options policy-statement cymru-bogons-in
set policy-options policy-statement cymru-bogons-in term 1 from family inet
set policy-options policy-statement cymru-bogons-in term 1 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 1 then community add no-export
set policy-options policy-statement cymru-bogons-in term 1 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 1 then accept
set policy-options policy-statement cymru-bogons-in term 2 from family inet6
set policy-options policy-statement cymru-bogons-in term 2 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 2 then community add no-export
set policy-options policy-statement cymru-bogons-in term 2 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 2 then accept
set policy-options policy-statement cymru-bogons-in then reject
/*
* Define deny-all export policy
*/
delete policy-options policy-statement deny-all
set policy-options policy-statement deny-all then reject
/*
* Define CYMRU Bogon community
*/
delete policy-options community comm-cymru-bogon
set policy-options community comm-cymru-bogon members no-export
set policy-options community comm-cymru-bogon members 65332:888
/*
* Define internal no-export community
*/
delete policy-options community comm-no-export
set policy-options community comm-no-export members no-export

SimonJGreen
sumber

2

Rekomendasi penyaringan IPv6 ini sedikit ketinggalan jaman, tetapi saya masih memiliki dasar-dasar yang benar menurut saya: http://www.space.net/~gert/RIPE/ipv6-filters.html

Emile Aben
sumber

Perlu diketahui bahwa contoh Juniper pada halaman saat ini bermasalah (mis. Tidak cocok dengan awalan yang tepat). Lihat networkengineering.stackexchange.com/a/384/59

Sebastian Wiesinger

0

jika Anda ingin melakukan pemfilteran "dalam", Anda dapat melihat pada templat cymru tim dan proyek bogon:

http://www.team-cymru.org/ipv6-router-reference.html

Stefano Sasso
sumber

Awalan IPv6 apa yang tidak boleh dirutekan?

Jawaban: