IPv6 Template

Wolfgang Hennerbichler wh at univie.ac.at
Fri Mar 19 08:03:40 CET 2010


On Mar 18, 2010, at 22:36 , Ondrej Filip wrote:

> On 17.3.2010 16:34, Wolfgang Hennerbichler wrote:
>> Hi Ondrejs & Fellow BIRD users, 
>> 
>> I'm currently building the IPv6 part of our BIRD configuration template. I'm trying to build it in the same way as our IPv4 stuff, which is trivial, because I've prepared all the code for a "dual stack" implementation. My question is what your current best practice is for avoiding martians or unnecessary IPv6 routes (like the link-local range, but I guess there are many more which I am currently not thinking about).
>> 
>> Like in IPv4 I have this: 
>> function avoid_martians()
>> prefix set martians;
>> {
>>  martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];
>>  if net.ip = 0.0.0.0 then return false;
>>  # Avoid too short and too long prefixes
>>  if (net.len < 8) || (net.len > 30) then return false;
>>  if net ~ martians then return false;
>>  return true;
>> }
>> 
>> What is your recommendation for that?
> 
> As Ondrej has mentioned, this is a little bit better/faster approach:
> 
> ----------------------------------
> function avoid_martians()
> prefix set martians;
> {
>  martians = [ 169.254.0.0/16+, 172.16.0.0/12+,
>               192.168.0.0/16+, 10.0.0.0/8+,
>               224.0.0.0/4+, 240.0.0.0/4+,
>               0.0.0.0/32-, 0.0.0.0/0{31,32}, 0.0.0.0/0{0,7} ];
> 
>  # Reject martians: RFC 1918, link-local, multicast, reserved, 0.0.0.0,
>  # and prefixes shorter than /8 or longer than /30
>  if net ~ martians then return false;
> 
>  return true;
> }
> ----------------------------------
> 
> But I personally prefer: 0.0.0.0/0{25,32}
> :-)

Yeah, we really should not accept bigger networks than /24, that's true. 

> 
> I use this IPv6 filter:
> ----------------------------------
> # This function excludes weird networks
> function avoid_martians()
> prefix set martians;
> {
>  martians = [ fc00::/7+, fec0::/10+,
>     ::/128-, ::/0{0,15}, ::/0{49,128} ];
> 
>  if net ~ martians then return false;
> 
>  return true;
> }
> ----------------------------------

All right, I came up with this now (thanks to Arnold's hint and yours above):

# this function avoids illegal ipv6 networks.
function avoid_martians()
prefix set ipv6_no_gos;
{
  ipv6_no_gos = [ 3ffe::/16+, 2001:db8::/32+, fe00::/9+, ff00::/8+, ::/128-, ::/0{0,15}, ::/0{49,128} ];
  if net ~ ipv6_no_gos then return false;
  return true;
}


Thanks for your hints; 

Wolfgang

-- 
www.vix.at | www.aco.net
wh at univie.ac.at | WH844-RIPE
Vienna University Computer Center
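
Added example, not part of the original messages and not code from the BIRD project: a Python check of which routes the two IPv6 sets posted in this thread reject. It assumes BIRD's documented prefix-pattern semantics (a prefix matches when its length lies in the pattern's range and its first min(pattern length, prefix length) bits equal the pattern address); the sample routes are constructed.

```python
import ipaddress
import re

# BIRD prefix pattern: address/len with optional "+", "-" or "{low,high}".
PATTERN = re.compile(r"^(\S+?)/(\d+)(\+|-|\{(\d+),(\d+)\})?$")

# The two IPv6 sets posted in this thread.
ONDREJ = ["fc00::/7+", "fec0::/10+", "::/128-", "::/0{0,15}", "::/0{49,128}"]
WOLFGANG = ["3ffe::/16+", "2001:db8::/32+", "fe00::/9+", "ff00::/8+",
            "::/128-", "::/0{0,15}", "::/0{49,128}"]

# Constructed sample routes, not taken from the thread.
SAMPLES = ["::/0", "fe80::/64", "2001:db8:1::/48", "fd00:1234::/32",
           "2a01:100::/32"]


def parse_pattern(text):
    """Return (address, pxlen, low, high) for one prefix-set entry."""
    m = PATTERN.match(text.strip())
    if m is None:
        raise ValueError(f"not a prefix pattern: {text!r}")
    addr, pxlen = ipaddress.ip_address(m.group(1)), int(m.group(2))
    if m.group(3) is None:            # plain prefix: exact length only
        return addr, pxlen, pxlen, pxlen
    if m.group(3) == "+":             # this prefix and all its subnets
        return addr, pxlen, pxlen, addr.max_prefixlen
    if m.group(3) == "-":             # this prefix and all its supernets
        return addr, pxlen, 0, pxlen
    return addr, pxlen, int(m.group(4)), int(m.group(5))


def matches(pattern, prefix):
    """True if prefix has a length in [low, high] and agrees with the
    pattern address on the first min(pxlen, prefix length) bits."""
    addr, pxlen, low, high = parse_pattern(pattern)
    net = ipaddress.ip_network(prefix)
    if net.version != addr.version or not low <= net.prefixlen <= high:
        return False
    shift = addr.max_prefixlen - min(pxlen, net.prefixlen)
    return int(addr) >> shift == int(net.network_address) >> shift


def avoid_martians(prefix, martians):
    """Mirror the filter function: False means the route is rejected."""
    return not any(matches(p, prefix) for p in martians)


if __name__ == "__main__":
    for route in SAMPLES:
        print(f"{route:18} ondrej={avoid_martians(route, ONDREJ)} "
              f"wolfgang={avoid_martians(route, WOLFGANG)}")
```

Running the same sample list against a set before loading it into a router shows which length ranges and address blocks each entry actually covers.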


