除了LLA / ULA之外还有其他应过滤的内容吗?
对于LLA,标准做法是对完整的fe80 :: / 10进行覆盖过滤,还是仅过滤fe80 :: / 64?
#1 楼
RFC 6890第2.2.3节描述了IPv6的专用前缀。链接在这里:http://tools.ietf.org/html/rfc6890#page-14
要包括的前缀为:
+----------------------+------------------+
| Attribute | Value |
+----------------------+------------------+
| Address Block | ::1/128 |
| Name | Loopback Address |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+------------------+
Table 17: Loopback Address
+----------------------+---------------------+
| Attribute | Value |
+----------------------+---------------------+
| Address Block | ::/128 |
| Name | Unspecified Address |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | True |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+---------------------+
Table 18: Unspecified Address
+----------------------+---------------------+
| Attribute | Value |
+----------------------+---------------------+
| Address Block | 64:ff9b::/96 |
| Name | IPv4-IPv6 Translat. |
| RFC | [RFC6052] |
| Allocation Date | October 2010 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | True |
| Reserved-by-Protocol | False |
+----------------------+---------------------+
Table 19: IPv4-IPv6 Translation Address
+----------------------+---------------------+
| Attribute | Value |
+----------------------+---------------------+
| Address Block | ::ffff:0:0/96 |
| Name | IPv4-mapped Address |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+---------------------+
Table 20: IPv4-Mapped Address
+----------------------+----------------------------+
| Attribute | Value |
+----------------------+----------------------------+
| Address Block | 100::/64 |
| Name | Discard-Only Address Block |
| RFC | [RFC6666] |
| Allocation Date | June 2012 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+----------------------------+
Table 21: Discard-Only Prefix
+----------------------+---------------------------+
| Attribute | Value |
+----------------------+---------------------------+
| Address Block | 2001::/23 |
| Name | IETF Protocol Assignments |
| RFC | [RFC2928] |
| Allocation Date | September 2000 |
| Termination Date | N/A |
| Source | False[1] |
| Destination | False[1] |
| Forwardable | False[1] |
| Global | False[1] |
| Reserved-by-Protocol | False |
+----------------------+---------------------------+
[1] Unless allowed by a more specific allocation.
+----------------------+----------------+
| Attribute | Value |
+----------------------+----------------+
| Address Block | 2001::/32 |
| Name | TEREDO |
| RFC | [RFC4380] |
| Allocation Date | January 2006 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+----------------+
Table 23: TEREDO
+----------------------+----------------+
| Attribute | Value |
+----------------------+----------------+
| Address Block | 2001:2::/48 |
| Name | Benchmarking |
| RFC | [RFC5180] |
| Allocation Date | April 2008 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+----------------+
Table 24: Benchmarking
+----------------------+---------------+
| Attribute | Value |
+----------------------+---------------+
| Address Block | 2001:db8::/32 |
| Name | Documentation |
| RFC | [RFC3849] |
| Allocation Date | July 2004 |
| Termination Date | N/A |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+---------------+
Table 25: Documentation
+----------------------+--------------+
| Attribute | Value |
+----------------------+--------------+
| Address Block | 2001:10::/28 |
| Name | ORCHID |
| RFC | [RFC4843] |
| Allocation Date | March 2007 |
| Termination Date | March 2014 |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+--------------+
Table 26: ORCHID
+----------------------+---------------+
| Attribute | Value |
+----------------------+---------------+
| Address Block | 2002::/16 [2] |
| Name | 6to4 |
| RFC | [RFC3056] |
| Allocation Date | February 2001 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | N/A [2] |
| Reserved-by-Protocol | False |
+----------------------+---------------+
[2] See [RFC3056] for details.
Table 27: 6to4
+----------------------+--------------+
| Attribute | Value |
+----------------------+--------------+
| Address Block | fc00::/7 |
| Name | Unique-Local |
| RFC | [RFC4193] |
| Allocation Date | October 2005 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+--------------+
Table 28: Unique-Local
+----------------------+-----------------------+
| Attribute | Value |
+----------------------+-----------------------+
| Address Block | fe80::/10 |
| Name | Linked-Scoped Unicast |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+-----------------------+
Table 29: Linked-Scoped Unicast
这应该足够了。还可以选择过滤Bogon,但是除非您设置与Team Cymru或类似的对等网络,否则感觉有些过大。
#2 楼
您可以使用三个选项。第一个也是最准确的一个,就是与Team Cymru建立对等关系,正如SimonJGreen解释的那样。您拥有最准确的列表的优点,而缺点是维护对等关系,策略声明/路由映射等。
第二种方法是拒绝前缀“您应该(例如,本地链接前缀,旧的6Bone 3FFE :: / 16前缀等),然后将其与您应该看到的前缀结合起来。参见以下示例。优点是这是最简单的配置,缺点是它不如第一个选项准确。
第三条方法(您永远不应实现)是采用当前的ipv6 bogon列表(由Team Cymru发布),并将其作为静态过滤器粘贴到您的配置中。这是几年前很多人对ipv4所做的事情,今天导致了很多苦难...请勿使用此选项。
作为示例,下面是一个不错的ipv6前缀列表和允许拒绝的前缀列表:
ipv6 prefix-list in-filter-v6 seq 5 deny 3ffe::/16 le 128
ipv6 prefix-list in-filter-v6 seq 10 deny 2001:db8::/32 le 128
ipv6 prefix-list in-filter-v6 seq 15 permit 2001::/32
ipv6 prefix-list in-filter-v6 seq 20 deny 2001::/32 le 128
ipv6 prefix-list in-filter-v6 seq 25 permit 2002::/16
ipv6 prefix-list in-filter-v6 seq 30 deny 2002::/16 le 128
ipv6 prefix-list in-filter-v6 seq 35 deny ::/8 le 128
ipv6 prefix-list in-filter-v6 seq 40 deny fe00::/9 le 128
ipv6 prefix-list in-filter-v6 seq 45 deny ff00::/8 le 128
ipv6 prefix-list in-filter-v6 seq 50 permit 2000::/3 le 48
ipv6 prefix-list in-filter-v6 seq 55 deny ::/0 le 128
#3 楼
请参阅http://www.team-cymru.org/Services/Bogons/http.html上的IPv6 Fullbogons列表。执行自动过滤。
下面是在Cisco上自动过滤的示例:
router bgp <your asn>
! Session 1
neighbor A.B.C.D remote-as 65332
neighbor A.B.C.D description <your description>
neighbor A.B.C.D ebgp-multihop 255
neighbor A.B.C.D password <your password>
! Session 2
neighbor E.F.G.H remote-as 65332
neighbor E.F.G.H description <your description>
neighbor E.F.G.H ebgp-multihop 255
neighbor E.F.G.H password <your password>
!
address-family ipv4
! Session 1
neighbor A.B.C.D activate
neighbor A.B.C.D soft-reconfiguration inbound
neighbor A.B.C.D prefix-list cymru-out-v4 out
neighbor A.B.C.D route-map CYMRUBOGONS-V4 in
! Session 2
neighbor E.F.G.H activate
neighbor E.F.G.H soft-reconfiguration inbound
neighbor E.F.G.H prefix-list cymru-out-v4 out
neighbor E.F.G.H route-map CYMRUBOGONS-V4 in
!
address-family ipv6
! Session 1
neighbor A.B.C.D activate
neighbor A.B.C.D soft-reconfiguration inbound
neighbor A.B.C.D prefix-list cymru-out-v6 out
neighbor A.B.C.D route-map CYMRUBOGONS-V6 in
! Session 2
neighbor E.F.G.H activate
neighbor E.F.G.H soft-reconfiguration inbound
neighbor E.F.G.H prefix-list cymru-out-v6 out
neighbor E.F.G.H route-map CYMRUBOGONS-V6 in
!
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
!
ip community-list 100 permit 65332:888
!
ip route 192.0.2.1 255.255.255.255 Null0
!
ip prefix-list cymru-out-v4 seq 5 deny 0.0.0.0/0 le 32
!
ipv6 route 2001:DB8:0:DEAD:BEEF::1/128 Null0
!
ipv6 prefix-list cymru-out-v6 seq 5 deny ::/0 le 128
!
route-map CYMRUBOGONS-V6 permit 10
description IPv6 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ipv6 next-hop 2001:DB8:0:DEAD:BEEF::1
!
route-map CYMRUBOGONS-V4 permit 10
description IPv4 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ip next-hop 192.0.2.1
这是一个适用于JunOS的示例:
/*
* Define BGP peer group
*/
delete protocols bgp group cymru-bogons
set protocols bgp group cymru-bogons type external
set protocols bgp group cymru-bogons description "cymru fullbogon bgp feed (ipv4 + 6)"
set protocols bgp group cymru-bogons multihop ttl 255
set protocols bgp group cymru-bogons import cymru-bogons-in
/*
* Define MD5 password in quotes
*/
set protocols bgp group cymru-bogons authentication-key "<YOUR PASSWORD>"
set protocols bgp group cymru-bogons export deny-all
set protocols bgp group cymru-bogons peer-as 65332
/*
* Replace values below as appropriate
*/
set protocols bgp group cymru-bogons neighbor A.B.C.D local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet unicast
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet6 unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet6 unicast
/*
* Define CYMRU import policy
*/
delete policy-options policy-statement cymru-bogons-in
set policy-options policy-statement cymru-bogons-in term 1 from family inet
set policy-options policy-statement cymru-bogons-in term 1 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 1 then community add no-export
set policy-options policy-statement cymru-bogons-in term 1 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 1 then accept
set policy-options policy-statement cymru-bogons-in term 2 from family inet6
set policy-options policy-statement cymru-bogons-in term 2 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 2 then community add no-export
set policy-options policy-statement cymru-bogons-in term 2 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 2 then accept
set policy-options policy-statement cymru-bogons-in then reject
/*
* Define deny-all export policy
*/
delete policy-options policy-statement deny-all
set policy-options policy-statement deny-all then reject
/*
* Define CYMRU Bogon community
*/
delete policy-options community comm-cymru-bogon
set policy-options community comm-cymru-bogon members no-export
set policy-options community comm-cymru-bogon members 65332:888
/*
* Define internal no-export community
*/
delete policy-options community comm-no-export
set policy-options community comm-no-export members no-export
#4 楼
该IPv6过滤建议有些陈旧,但我认为仍然具有基本的权利:http://www.space.net/~gert/RIPE/ipv6-filters.html评论
请注意,页面上的Juniper示例当前存在错误(即不匹配正确的前缀)。参见networkengineering.stackexchange.com/a/384/59
–塞巴斯蒂安·维辛格
13年5月29日在8:39
#5 楼
如果要进行“深层”过滤,可以查看团队cymru模板和bogons项目:http://www.team-cymru.org/ipv6-router-reference。 html
评论
我不同意所有特殊目的地址“不应路由”或“至少应过滤”。例如,有些标记为“ Forwardable”和“ Global”,尤其是NAT64标记为64:ff9b :: / 96。
– Zevlag
13年5月16日在3:21
显然,如果您使用这些前缀中的任何一个,则不应过滤它们。也许您正在使用Teredo等,但是除非您正在运行NAT或隧道,否则默认姿势应该是对它们进行过滤。
–丹尼尔·迪布(Daniel Dib)
13年5月16日下午4:07
为什么要过滤2002 :: / 16?这将阻止使用6to4作为过渡机制的任何人与您进行通信。
– Paul Gear
13年7月20日在21:12