xSP IPv6 Router Recommendations
K. Ishihara
KDDI CORPORATION
M. Mukai
KDDI CORPORATION
R. Hiromi
Intec NetCore Inc.
M. Mawatari
DREAM TRAIN INTERNET INC.
Date: 2008/08/26
Packet Filter and Route Filter Recommendation for IPv6 at xSP routers
Abstract
This document describes filtering techniques for the border routers
of xSPs and defines recommended filtering rules.
The rules are divided into two categories. The first, "Minimum set
of recommended filtering", lists rules that every xSP is encouraged
to apply as the baseline of its router operation. The second,
"Considered filtering set on its necessity", lists rules to be
applied according to your own network operation, management and
resources.
All rule sets rest on the following ideas, and we strongly recommend
that every xSP network apply them to its routers.
o Only IPv6 is considered. The IPv4 case is out of scope.
o No impact on user traffic.
(The purpose of the filters is to prevent attack, intrusion or
theft.)
o Do not send or receive unnecessary or garbage packets or route
information.
o Filters on specific application ports, e.g. OP25B or P2P
applications, are out of scope.
Table of Contents
1. Introduction
2. Terminology
3. For Transit Connection Interface
3-1. Minimum required filter set
3-1-1. Packet Filters
3-1-1-1. Ingress Packet Filters
3-1-1-2. Egress Packet Filters
3-1-2. Route Filters
3-1-2-1. Ingress Prefix Filters
3-1-2-2. Egress Prefix Filters
3-1-2-3. Ingress AS-PATH Filters
3-1-2-4. Egress AS-PATH Filters
3-2. Considered filter set on its necessity
Consideration required filter set by network
3-2-1. Packet Filters
3-2-1-1. Ingress Packet Filters
3-2-1-2. Egress Packet Filters
3-2-2. Route Filters
3-2-2-1. Ingress Prefix Filters
3-2-2-2. Egress Prefix Filters
3-2-2-3. Ingress AS-PATH Filters
3-2-2-4. Egress AS-PATH Filters
3-3. Additional effective techniques for reduction of OAM on
filtering
4. For Public and Private Peering Connection Interface
4-1. Minimum required filter set
4-1-1. Packet Filters
4-1-1-1. Ingress Packet Filters
4-1-1-2. Egress Packet Filters
4-1-2. Route Filters
4-1-2-1. Ingress Prefix Filters
4-1-2-2. Egress Prefix Filters
4-1-2-3. Ingress AS-PATH Filters
4-1-2-4. Egress AS-PATH Filters
4-2. Considered filter set on its necessity
Consideration required filter set by network
4-2-1. Packet Filters
4-2-1-1. Ingress Packet Filters
4-2-1-2. Egress Packet Filters
4-2-2. Route Filters
4-2-2-1. Ingress Prefix Filters
4-2-2-2. Egress Prefix Filters
4-2-2-3. Ingress AS-PATH Filters
4-2-2-4. Egress AS-PATH Filters
4-3. Additional effective techniques for reduction of OAM on
filtering
5. For Customer Connection Interface
5-1. Minimum required filter set
5-1-1. Packet Filters
5-1-1-1. Ingress Packet Filters
5-1-1-2. Egress Packet Filters
5-1-2. Route Filters
5-1-2-1. Ingress Prefix Filters
5-1-2-2. Egress Prefix Filters
5-1-2-3. Ingress AS-PATH Filters
5-1-2-4. Egress AS-PATH Filters
5-2. Considered filter set on its necessity
Consideration required filter set by network
5-2-1. Packet Filters
5-2-1-1. Ingress Packet Filters
5-2-1-2. Egress Packet Filters
5-2-2. Route Filters
5-2-2-1. Ingress Prefix Filters
5-2-2-2. Egress Prefix Filters
5-2-2-3. Ingress AS-PATH Filters
5-2-2-4. Egress AS-PATH Filters
5-3. Additional effective techniques for reduction of OAM on
filtering
6. For Access to Router
6-1. Minimum required filter set
6-1-1. Packet Filters
6-1-1-1. Ingress Packet Filters
6-1-1-2. Egress Packet Filters
6-2. Considered filter set on its necessity
Consideration required filter set by network
6-2-1. Packet Filters
6-2-1-1. Ingress Packet Filters
6-2-1-2. Egress Packet Filters
6-3. Additional effective techniques for reduction of OAM on
filtering
7. Acknowledgments
8. References
8-1. Normative References
8-2. Informative References
9. Author's Address
10. Disclaimer
11. Distribution Policy of This Document
Appendix A: About 6bone
Appendix B: About 6to4
Appendix C: Useful info on IANA IPv6 Special Purpose Address
Registry
Update History
1. Introduction
As IPv6 network operation becomes practical, the same level of
security consideration is required as for IPv4 networks.
Packet filtering and route filtering differ little between IPv4 and
IPv6. Operators are nevertheless encouraged to understand the
differences that follow from the IPv6 protocol specification and its
additional features, and the effect of those differences on
filtering.
This document describes current best practice on filtering. It will
be revised as further operating experience is gained.
2. Terminology
1. xSP :
a service provider which
o provides Internet connectivity
o holds a (global) AS number
o interconnects with other ASes using BGP
2. Packet Filter :
A filtering technique in a router based on IP header information.
In this document it means filtering on the source and destination
address fields.
3. Prefix Filter :
A route filter based on the prefix and its length. Also called a
"Prefix Based Filter".
4. AS-PATH Filter :
A route filter based on the AS-PATH attribute.
5. Route Filter :
Generic term that covers both "Prefix Filter" and "AS-PATH Filter".
6. Transit :
Exchange of "Full Route" (full routing table) information with
other BGP systems.
7. Peer :
A neighboring BGP speaker; a router or switch which announces the
routes of its own AS in BGP.
3. For Transit Connection Interface
3-1. Minimum required filter set
3-1-1. Packet Filters
3-1-1-1. Ingress Packet Filters
[1] Accept all ICMPv6 packets, because Neighbor Discovery and Path
MTU Discovery are ICMPv6 functions without which IPv6
communication does not work.
[2] Reject packets which carry one of the following special-use
prefixes in the source address field.
- Prefix that contains the Loopback Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8
- IETF reserved Address (formerly Site-local Address)
: fec0::/10
- Unique-local Address : fc00::/7
- Multicast Address : ff00::/8
- Documentation Address : 2001:db8::/32
* Take care not to reject the ICMPv6 packets of Duplicate
Address Detection, whose source address is the unspecified
address (::/128). (This is not a problem if all ICMPv6 is
accepted as in [1] above and that rule is evaluated before the
source-address rules.)
[3] Reject packets which have your own prefix in the source
address field.
- Note that this filter may interfere with asymmetric routing
mechanisms such as UDLR in satellite Internet services.
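The three rules above, as an added Python example that is not part of the original document: it accepts ICMPv6 before any source-address check (so the DAD Neighbor Solicitation sent from :: survives), then rejects the special-use sources and finally the xSP's own prefix. The own prefix 3fff:db8::/32, the sample packets and the function name are assumptions made for the example; 3fff:db8::/32 is used instead of the document's 2001:db8::/32 placeholder only so that the own-prefix rule can be seen firing separately from the documentation-prefix rule.

```python
import ipaddress

# Next Header value for ICMPv6.
ICMPV6 = 58

# Special-use source prefixes rejected on a transit-facing interface
# (3-1-1-1 [2]).  ::/8 covers ::1/128, ::/128, ::/96 and ::ffff:0:0/96.
SPECIAL_USE_SOURCES = [ipaddress.ip_network(p) for p in (
    "::/8",           # loopback, unspecified, IPv4-compatible, IPv4-mapped
    "fec0::/10",      # IETF reserved (formerly site-local)
    "fc00::/7",       # unique-local
    "ff00::/8",       # multicast is never a valid source
    "2001:db8::/32",  # documentation
)]

# Assumed own allocation for the example (3-1-1-1 [3]); substitute the
# aggregate(s) actually allocated to your xSP.
OWN_PREFIXES = [ipaddress.ip_network("3fff:db8::/32")]


def transit_ingress_decision(src, next_header, own_prefixes=OWN_PREFIXES):
    """Return (accept, reason) for a packet arriving on a transit interface.

    Rule order matters: ICMPv6 is accepted first (3-1-1-1 [1]) so that
    Neighbor Discovery and Path MTU Discovery keep working, including
    Duplicate Address Detection, whose Neighbor Solicitations are sent
    from the unspecified address :: and would otherwise hit the ::/8 rule.
    """
    address = ipaddress.ip_address(src)
    if address.version != 6:
        return False, "not IPv6"
    if next_header == ICMPV6:
        return True, "ICMPv6 accepted for ND / PMTUD"
    for net in SPECIAL_USE_SOURCES:
        if address in net:
            return False, f"special-use source {address} in {net}"
    for net in own_prefixes:
        if address in net:
            return False, f"own prefix {net} must not arrive from outside"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample packets (source, next header); not captured traffic.
    samples = [
        ("::", ICMPV6),            # DAD Neighbor Solicitation
        ("::1", 6),                # loopback as source
        ("::ffff:192.0.2.1", 6),   # IPv4-mapped
        ("fd00::1", 17),           # unique-local (inside fc00::/7)
        ("fec0::1", 17),           # formerly site-local
        ("ff02::1", 6),            # multicast source
        ("2001:db8::1", 6),        # documentation prefix
        ("3fff:db8::1", 6),        # our own prefix, spoofed from outside
        ("2001:1234::1", 6),       # ordinary global unicast, constructed
    ]
    for src, nh in samples:
        ok, why = transit_ingress_decision(src, nh)
        tag = "ACCEPT" if ok else "REJECT"
        print(f"{tag} {src:<20} {why}")
```

The same function, with the own-prefix rule made conditional, serves the peering interface of 4-1-1-1 and the customer interface of 5-1-1-1, where the document applies [3] only to transit customers.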
3-1-1-2. Egress Packet Filters
- N/A -
3-1-2. Route Filters
3-1-2-1. Ingress Prefix Filters
[1] Reject the following special-use prefixes.
- Default Route : ::/0 exact
- Prefix that contains Loop back Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8 or longer
- Link-local Address : fe80::/10 or longer
- IETF reserved Address(formerly Site-local Address)
: fec0::/10 or longer
- Unique-local Address : fc00::/7 or longer
- Multicast Address : ff00::/8 or longer
- Documentation Address : 2001:db8::/32 or longer
[2] Reject your own prefix.
(Example)
If 2001:db8::/32 is allocated to your xSP network, reject
2001:db8::/32 or longer.
3-1-2-2. Egress Prefix Filters
[1] Accept only the aggregated routes of your own prefix.
- Do not advertise fragmented (more-specific) prefixes from
inside your AS to the outside.
[2] Reject the following special-use prefixes.
- Default Route : ::/0 exact
- Prefix that contains Loop back Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8 or longer
- Link-local Address : fe80::/10 or longer
- IETF reserved Address(formerly Site-local Address)
: fec0::/10 or longer
- Unique-local Address : fc00::/7 or longer
- Multicast Address : ff00::/8 or longer
- Documentation Address : 2001:db8::/32 or longer
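The "exact" and "or longer" match types used in 3-1-2-1 and 3-1-2-2, as an added Python example that is not configuration from the original document. It models a prefix list as (network, minimum length, maximum length) entries, applies the ingress list (reject special-use and own space) and the egress list (advertise only the aggregate itself), and prints what happens to a few constructed prefixes. The own aggregate 3fff:db8::/32 is an assumed placeholder chosen outside the special-use list so that the own-prefix rule is the one that fires; the same lists apply unchanged to 4-1-2 and 5-1-2-2.

```python
import ipaddress


def entry(prefix, match="exact"):
    """One prefix-list entry as (network, min_len, max_len).

    "exact"    matches only this prefix at this length (e.g. ::/0 exact).
    "orlonger" matches this prefix and every more-specific of it.
    """
    net = ipaddress.ip_network(prefix)
    if match == "exact":
        return net, net.prefixlen, net.prefixlen
    if match == "orlonger":
        return net, net.prefixlen, 128
    raise ValueError(f"unknown match type {match!r}")


def matches(e, candidate):
    net, lo, hi = e
    return candidate.subnet_of(net) and lo <= candidate.prefixlen <= hi


# Special-use prefixes neither accepted from nor advertised to the
# outside (3-1-2-1 [1] and 3-1-2-2 [2]).
SPECIAL_USE_ROUTES = [
    entry("::/0", "exact"),              # default route
    entry("::/8", "orlonger"),           # ::1, ::, ::/96, ::ffff:0:0/96
    entry("fe80::/10", "orlonger"),      # link-local
    entry("fec0::/10", "orlonger"),      # IETF reserved (formerly site-local)
    entry("fc00::/7", "orlonger"),       # unique-local
    entry("ff00::/8", "orlonger"),       # multicast
    entry("2001:db8::/32", "orlonger"),  # documentation
]

# Assumed own aggregate(s) for the example; substitute your allocation.
OWN_AGGREGATES = ["3fff:db8::/32"]


def ingress_accepts(prefix, own=OWN_AGGREGATES):
    """3-1-2-1: drop special-use prefixes and any route for our own space."""
    p = ipaddress.ip_network(prefix)
    if p.version != 6:
        return False
    deny = SPECIAL_USE_ROUTES + [entry(o, "orlonger") for o in own]
    return not any(matches(e, p) for e in deny)   # minimum set: rest accepted


def egress_accepts(prefix, own=OWN_AGGREGATES):
    """3-1-2-2: advertise only our aggregates themselves, never more-specifics."""
    p = ipaddress.ip_network(prefix)
    if p.version != 6 or any(matches(e, p) for e in SPECIAL_USE_ROUTES):
        return False
    return any(matches(entry(o, "exact"), p) for o in own)


if __name__ == "__main__":
    # Constructed sample prefixes, not routes taken from a live table.
    for pfx in ["::/0", "::/16", "fe80::/64", "fd00::/48", "2001:db8:1::/48",
                "3fff:db8::/32", "3fff:db8:1::/48", "2001:1234::/32"]:
        print(f"{pfx:<18} ingress={ingress_accepts(pfx)!s:<5} "
              f"egress={egress_accepts(pfx)}")
```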
3-1-2-3. Ingress AS-PATH Filters
- N/A -
3-1-2-4. Egress AS-PATH Filters
[1] Do not advertise Private AS numbers to the outside.
- Outline
: If your network connects to another BGP system that uses a
Private AS number, remove that Private AS number from the
AS-PATH before advertising to external systems
(for example with remove-private-as or its equivalent).
- Effect
: Prevents accidents in which wrong routes carrying a Private
AS number in the AS-PATH spread to the outside.
3-2. Considered filter set on its necessity
Consideration required filter set by network
3-2-1. Packet Filters
3-2-1-1. Ingress Packet Filters
[1] Limit the ICMPv6 packets accepted on the interface used by the
transit connection.
(Example)
Accept only ICMPv6 packets of selected types.
- Prerequisite
: Neighbor Discovery and Path MTU Discovery must keep
working.
- Advantage
: Attacks that abuse ICMPv6 packets can be defended against
to some degree.
- Weakness : It may become difficult to confirm reachability,
for example when a traceroute passes through a router
that limits ICMPv6 packets.
3-2-1-2. Egress Packet Filters
[1] Reject packets which carry one of the following special-use
prefixes in the source address field.
- Prefix that contains Loop back Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8
- IETF reserved Address(formerly Site-local Address)
: fec0::/10
- Unique-local Address : fc00::/7
- Multicast Address : ff00::/8
- Documentation Address : 2001:db8::/32
* IPv6 communication requires ICMPv6 packets with the
Unspecified Address (::/128) as source for Duplicate Address
Detection (DAD); do not reject such control packets.
3-2-2. Route Filters
3-2-2-1. Ingress Prefix Filters
[1] Reject all fragmented prefixes (long prefixes).
- Choose the length limit so that no xSP loses reachability
because of it.
(Example)
Reject /33 or longer prefixes, or
Reject /49 or longer prefixes.
[2] Accept only prefixes allocated by the RIRs to xSPs.
- Accept only allocated prefixes, referring to the
delegated-latest lists of each RIR (refer to 8-2-4).
* Note that the filter list must be updated whenever the RIRs
update their allocation lists (refer to 8-2-4).
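Rules [1] and [2] above (and the same rules in 4-2-2-1), as an added Python example that is not part of the original document: it parses the delegated-latest file format the RIRs publish (8-2-4) into an allow-list of allocated and assigned IPv6 blocks, then accepts a prefix only if it lies inside one of those blocks and is no longer than the chosen limit. The file content is a constructed sample in that format, not registry data, and the 3fff: prefixes are placeholders, not real allocations.

```python
import ipaddress

# Constructed sample in the RIR "delegated-<rir>-latest" format; not real
# registry data.  Record fields: registry|cc|type|start|value|date|status;
# for ipv6 records 'value' is the prefix length.  The first line after the
# comment is the version header, the next two are summary lines.
SAMPLE_DELEGATED = """\
# constructed sample, not a real delegated-latest file
2|apnic|20080826|4|19830101|20080826|+1000
apnic|*|ipv4|*|1|summary
apnic|*|ipv6|*|3|summary
apnic|JP|ipv4|192.0.2.0|256|20080826|allocated
apnic|JP|ipv6|3fff:db8::|32|20080826|allocated
apnic|JP|ipv6|3fff:100::|48|20080826|assigned
apnic|JP|ipv6|3fff:200::|32|20080826|reserved
"""

# Blocks an xSP may legitimately originate; 'reserved' and 'available'
# space has no holder yet and must not be accepted.
ACCEPTED_STATUS = {"allocated", "assigned"}


def parse_delegated_ipv6(text):
    """Return the IPv6 blocks the RIR lists as allocated or assigned."""
    blocks = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) < 7 or f[2] != "ipv6" or f[3] == "*":
            continue            # version header, summary or non-IPv6 record
        if f[6] not in ACCEPTED_STATUS:
            continue
        blocks.append(ipaddress.ip_network(f"{f[3]}/{f[4]}"))
    return blocks


def rir_ingress_accepts(prefix, allocated, max_len=48):
    """3-2-2-1: accept a prefix only if it sits inside an RIR allocation
    ([2]) and is not longer than max_len ([1]).  max_len=32 corresponds
    to the document's "reject /33 or longer", 48 to "reject /49 or longer".
    """
    p = ipaddress.ip_network(prefix)
    if p.version != 6 or p.prefixlen > max_len:
        return False
    return any(p.subnet_of(a) for a in allocated)


if __name__ == "__main__":
    allocated = parse_delegated_ipv6(SAMPLE_DELEGATED)
    print("allow-list:", [str(a) for a in allocated])
    for pfx in ["3fff:db8::/32", "3fff:db8:1::/48", "3fff:db8:1::/56",
                "3fff:100::/48", "3fff:200::/32", "3fff:300::/32"]:
        print(f"{pfx:<18} /48 limit: {rir_ingress_accepts(pfx, allocated)!s:<5} "
              f"/32 limit: {rir_ingress_accepts(pfx, allocated, max_len=32)}")
```

In production the allow-list is regenerated from all five RIR files on a schedule and pushed to the routers as a prefix list, which is the "update occasionally" note above turned into a job rather than a reminder.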
3-2-2-2. Egress Prefix Filters
- N/A -
3-2-2-3. Ingress AS-PATH Filters
[1] Reject routes whose AS-PATH is longer than a defined value.
- Choose the limit so that no xSP loses reachability because
of it.
(Example)
Reject routes whose AS-PATH length is 50 hops or more.
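The two AS-PATH rules of this section, the egress removal of Private AS numbers in 3-1-2-4 and the ingress length limit above, as an added Python example that is not part of the original document. The local AS number 64496 is an assumed placeholder from the documentation range, and the sample paths are constructed. The 32-bit private range is included as an assumption that goes beyond the 2008 text, since current routers treat it the same way.

```python
# Private AS number ranges: 64512-65534 (the range in use when this
# document was written) and the later 32-bit range 4200000000-4294967294.
# 65535 and 4294967295 are reserved, not private.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Assumed local AS for the example (documentation range), not a real xSP.
LOCAL_AS = 64496


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def egress_as_path(received_path, local_as=LOCAL_AS):
    """Build the AS-PATH advertised to an external neighbor (3-1-2-4 [1]).

    Leading private ASNs, e.g. a customer speaking BGP as 65001, are
    stripped before our own ASN is prepended.  A private ASN that sits
    behind a public one is not silently removed; it is returned as a
    leftover so the route can be inspected, because platforms differ on
    that case (some strip only leading private ASNs, some only when the
    whole path is private, some offer an 'all' option).
    Returns (path_to_advertise, leftover_private_asns).
    """
    i = 0
    while i < len(received_path) and is_private_asn(received_path[i]):
        i += 1
    remaining = list(received_path[i:])
    leftover = [asn for asn in remaining if is_private_asn(asn)]
    return [local_as] + remaining, leftover


def ingress_as_path_accepts(path, max_hops=50):
    """3-2-2-3 [1]: reject an AS-PATH of max_hops or more.  Prepended
    ASNs count, which is why very long paths are usually prepending
    mistakes rather than real topology."""
    return len(path) < max_hops


if __name__ == "__main__":
    # Constructed sample paths as received from neighbors, not live routes.
    for received in ([65001], [65001, 65002], [64497, 64498],
                     [65001, 64497, 65002]):
        advertised, leftover = egress_as_path(received)
        print(f"received {received} -> advertise {advertised}"
              + (f"  WARNING private ASN remains: {leftover}" if leftover else ""))
    long_path = [64497] * 50
    print("50-hop path accepted:", ingress_as_path_accepts(long_path))
```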
3-2-2-4. Egress AS-PATH Filters
- N/A -
3-3. Additional effective techniques for reduction of OAM on
filtering
[1] Max-Prefix-Limits
- Outline
: Set the maximum number of prefixes accepted from one BGP
neighbor; this acts as a threshold on received prefixes.
- Effect
: When a BGP neighbor advertises a large number of routes
because of some trouble, the overload that receiving those
routes would cause on the routers in your AS is prevented.
- Note
: The threshold value must be chosen carefully. A badly
chosen value sometimes causes unexpected limitation, for
example a session torn down by ordinary growth of the
routing table.
4. For Public and Private Peering Connection Interface
4-1. Minimum required filter set
4-1-1. Packet Filters
4-1-1-1. Ingress Packet Filters
[1] Accept all ICMPv6 packets, because Neighbor Discovery and Path
MTU Discovery are ICMPv6 functions without which IPv6
communication does not work.
[2] Reject packets which carry one of the following special-use
prefixes in the source address field.
- Prefix that contains the Loopback Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8
- IETF reserved Address (formerly Site-local Address)
: fec0::/10
- Unique-local Address : fc00::/7
- Multicast Address : ff00::/8
- Documentation Address : 2001:db8::/32
* Take care not to reject the ICMPv6 packets of Duplicate
Address Detection, whose source address is the unspecified
address (::/128). (This is not a problem if all ICMPv6 is
accepted as in [1] above and that rule is evaluated before the
source-address rules.)
[3] Reject packets which have your own prefix in the source
address field.
- Note that this filter may interfere with asymmetric routing
mechanisms such as UDLR in satellite Internet services.
4-1-1-2. Egress Packet Filters
- N/A -
4-1-2. Route Filters
4-1-2-1. Ingress Prefix Filters
[1] Reject the following special-use prefixes.
- Default Route : ::/0 exact
- Prefix that contains Loop back Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8 or longer
- Link-local Address : fe80::/10 or longer
- IETF reserved Address(formerly Site-local Address)
: fec0::/10 or longer
- Unique-local Address : fc00::/7 or longer
- Multicast Address : ff00::/8 or longer
- Documentation Address : 2001:db8::/32 or longer
[2] Reject your own prefix.
(Example)
If 2001:db8::/32 is allocated to your xSP network, reject
2001:db8::/32 or longer.
4-1-2-2. Egress Prefix Filters
[1] Accept only the aggregated routes of your own prefix.
- Do not advertise fragmented (more-specific) prefixes from
inside your AS to the outside.
[2] Reject the following special-use prefixes.
- Default Route : ::/0 exact
- Prefix that contains Loop back Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8 or longer
- Link-local Address : fe80::/10 or longer
- IETF reserved Address(formerly Site-local Address)
: fec0::/10 or longer
- Unique-local Address : fc00::/7 or longer
- Multicast Address : ff00::/8 or longer
- Documentation Address : 2001:db8::/32 or longer
4-1-2-3. Ingress AS-PATH Filters
- N/A -
4-1-2-4. Egress AS-PATH Filters
[1] Do not advertise Private AS numbers to the outside.
- Outline
: If your network connects to another BGP system that uses a
Private AS number, remove that Private AS number from the
AS-PATH before advertising to external systems
(for example with remove-private-as or its equivalent).
- Effect
: Prevents accidents in which wrong routes carrying a Private
AS number in the AS-PATH spread to the outside.
4-2. Considered filter set on its necessity
Consideration required filter set by network
4-2-1. Packet Filters
4-2-1-1. Ingress Packet Filters
[1] Limit the ICMPv6 packets accepted on the interface used by the
IX connection or the private peering connection.
(Example)
Accept only ICMPv6 packets of selected types.
- Prerequisite
: Neighbor Discovery and Path MTU Discovery must keep
working.
- Advantage
: Attacks that abuse ICMPv6 packets can be defended against
to some degree.
- Weakness : It may become difficult to confirm reachability,
for example when a traceroute passes through a router
that limits ICMPv6 packets.
4-2-1-2. Egress Packet Filters
[1] Reject packets which carry one of the following special-use
prefixes in the source address field.
- Prefix that contains Loop back Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8
- IETF reserved Address(formerly Site-local Address)
: fec0::/10
- Unique-local Address : fc00::/7
- Multicast Address : ff00::/8
- Documentation Address : 2001:db8::/32
* IPv6 communication requires ICMPv6 packets with the
Unspecified Address (::/128) as source for Duplicate Address
Detection (DAD); do not reject such control packets.
4-2-2. Route Filters
4-2-2-1. Ingress Prefix Filters
[1] Reject all fragmented prefixes (long prefixes).
- Choose the length limit so that no xSP loses reachability
because of it.
(Example)
Reject /33 or longer prefixes, or
Reject /49 or longer prefixes.
[2] Accept only the prefixes the peering partners have notified
you they will advertise.
- Configure the prefix filter referring to the prefix update
notifications from the peering partners.
[3] Accept only prefixes allocated by the RIRs to xSPs.
- Accept only allocated prefixes, referring to the
delegated-latest lists of each RIR (refer to 8-2-4).
* Note that the filter list must be updated whenever the RIRs
update their allocation lists (refer to 8-2-4).
4-2-2-2. Egress Prefix Filters
- N/A -
4-2-2-3. Ingress AS-PATH Filters
[1] Reject routes whose AS-PATH is longer than a defined value.
- Choose the limit so that no xSP loses reachability because
of it.
(Example)
Reject routes whose AS-PATH length is 50 hops or more.
[2] Accept only routes with the specific AS-PATHs the peering
partners have notified you of.
- Configure the AS-PATH filter referring to the AS-PATH update
notifications from the peering partners.
4-2-2-4. Egress AS-PATH Filters
- N/A -
4-3. Additional effective techniques for reduction of OAM on
filtering
[1] Max-Prefix-Limits
- Outline
: Set the maximum number of prefixes accepted from one BGP
neighbor; this acts as a threshold on received prefixes.
- Effect
: When a BGP neighbor advertises a large number of routes
because of some trouble, the overload that receiving those
routes would cause on the routers in your AS is prevented.
- Note
: The threshold value must be chosen carefully. A badly
chosen value sometimes causes unexpected limitation, for
example a session torn down by ordinary growth of the
routing table.
5. For Customer Connection Interface
5-1. Minimum required filter set
5-1-1. Packet Filters
5-1-1-1. Ingress Packet Filters
[1] Accept all ICMPv6 packets, because Neighbor Discovery and Path
MTU Discovery are ICMPv6 functions without which IPv6
communication does not work.
[2] Reject packets which carry one of the following special-use
prefixes in the source address field.
- Prefix that contains the Loopback Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8
- IETF reserved Address (formerly Site-local Address)
: fec0::/10
- Unique-local Address : fc00::/7
- Multicast Address : ff00::/8
- Documentation Address : 2001:db8::/32
* Take care not to reject the ICMPv6 packets of Duplicate
Address Detection, whose source address is the unspecified
address (::/128). (This is not a problem if all ICMPv6 is
accepted as in [1] above and that rule is evaluated before the
source-address rules.)
[3] (For transit customers) Reject packets which have your own
prefix in the source address field.
5-1-1-2. Egress Packet Filters
- N/A -
5-1-2. Route Filters
(Route filters intended for BGP connection customers)
5-1-2-1. Ingress Prefix Filters
[1] (For BGP connection customers using a Private AS number)
Accept only the prefixes assigned to the customer.
(Example)
If 2001:db8::/32 is assigned to the customer, accept only the
exact prefix 2001:db8::/32.
[2] (For transit customers) Accept only the prefixes the customer
has notified you it will advertise.
(Example)
Accept the exact prefix 2001:db8::/32 when the customer has
notified you that it will advertise 2001:db8::/32.
5-1-2-2. Egress Prefix Filters
[1] Accept only the aggregated routes of your own prefix.
- Do not advertise fragmented (more-specific) prefixes from
inside your AS to the outside.
[2] Reject the following special-use prefixes.
- Default Route : ::/0 exact
- Prefix that contains Loop back Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8 or longer
- Link-local Address : fe80::/10 or longer
- IETF reserved Address(formerly Site-local Address)
: fec0::/10 or longer
- Unique-local Address : fc00::/7 or longer
- Multicast Address : ff00::/8 or longer
- Documentation Address : 2001:db8::/32 or longer
5-1-2-3. Ingress AS-PATH Filters
- N/A -
5-1-2-4. Egress AS-PATH Filters
[1] Do not advertise Private AS numbers to the outside.
- Outline
: If your network connects to another BGP system that uses a
Private AS number, remove that Private AS number from the
AS-PATH before advertising to external systems
(for example with remove-private-as or its equivalent).
- Effect
: Prevents accidents in which wrong routes carrying a Private
AS number in the AS-PATH spread to the outside.
5-2. Considered filter set on its necessity
Consideration required filter set by network
5-2-1. Packet Filters
5-2-1-1. Ingress Packet Filters
[1] Limit the ICMPv6 packets accepted on the interface used by the
customer connection.
(Example)
Accept only ICMPv6 packets of selected types.
- Prerequisite
: Neighbor Discovery and Path MTU Discovery must keep
working.
- Advantage
: Attacks that abuse ICMPv6 packets can be defended against
to some degree.
- Weakness : It may become difficult to confirm reachability,
for example when a traceroute passes through a router
that limits ICMPv6 packets.
[2] Accept only packets which have a prefix owned by the customer
in the source address field.
- Note that this filter may interfere with asymmetric routing
mechanisms such as UDLR in satellite Internet services.
Confirmation with the customer may be required.
[3] Reject BGP (179/TCP) packets whose destination address belongs
to an IX segment to which your AS is connected.
(Alternatively, reject them with an ingress filter on the
core-side interface of the IX-connected router.)
- Effect : Prevents customers from sending packets at the BGP
sessions on the IX segment.
5-2-1-2. Egress Packet Filters
[1] Reject packets which carry one of the following special-use
prefixes in the source address field.
- Prefix that contains Loop back Address (::1/128),
Unspecified Address (::/128), IETF reserved Address
(formerly IPv4-compatible IPv6 Address) (::/96), and
IPv4-mapped IPv6 Address (::ffff:0:0/96).
: ::/8
- IETF reserved Address(formerly Site-local Address)
: fec0::/10
- Unique-local Address : fc00::/7
- Multicast Address : ff00::/8
- Documentation Address : 2001:db8::/32
* IPv6 communication requires ICMPv6 packets with the
Unspecified Address (::/128) as source for Duplicate Address
Detection (DAD); do not reject such control packets.
5-2-2. Route Filters
(Route filters intended for BGP connection customers)
5-2-2-1. Ingress Prefix Filters
- N/A -
5-2-2-2. Egress Prefix Filters
- N/A -
5-2-2-3. Ingress AS-PATH Filters
[1] Accept only routes with the specific AS-PATHs the BGP
customers have notified you of.
- Configure the AS-PATH filter referring to the AS-PATH update
notifications from the BGP customers.
5-2-2-4. Egress AS-PATH Filters
- N/A -
5-3. Additional effective techniques for reduction of OAM on
filtering
[1] Max-Prefix-Limits
- Outline
: Set the maximum number of prefixes accepted from one BGP
neighbor; this acts as a threshold on received prefixes.
- Effect
: When a BGP neighbor advertises a large number of routes
because of some trouble, the overload that receiving those
routes would cause on the routers in your AS is prevented.
- Note
: The threshold value must be chosen carefully. A badly
chosen value sometimes causes unexpected limitation, for
example a session torn down by ordinary growth of the
routing table.
6. For Access to Router
6-1. Minimum required filter set
6-1-1. Packet Filters
6-1-1-1. Ingress Packet Filters
[1] Limit the source addresses that may access the following
services of the router, and accept only packets from those
sources.
- telnet
- ssh
- snmp (ReadOnly / ReadWrite)
- ftp
- tftp
- ntp
* Disable services that are not needed.
(Example)
Limit access to the routers to one segment (e.g. the NOC
segment) or to specific hosts.
[2] Accept BGP (179/TCP) packets only when the source address is
the address of an eBGP or iBGP neighbor.
[3] Accept packets which have the Link-local Address of a neighbor
in the source address field.
- These are needed for Neighbor Discovery.
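The receive-path rules of 6-1-1-1 and the customer-interface rules of 5-2-1-1 [2] and [3] are ordinary first-match ACLs with an implicit deny. The following is an added Python example, not configuration from the original document, that models such an ACL and evaluates constructed packets against two rule sets: a receive ACL for traffic addressed to the router itself, and a customer ingress ACL. The router loopback, NOC segment, BGP neighbors, IX segment and customer prefix are all assumed placeholder addresses, and telnet is deliberately left out of the receive ACL to show "stop the needless service".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMPV6, TCP, UDP = 58, 6, 17


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "::/0"            # source prefix
    dst: str = "::/0"            # destination prefix
    proto: Optional[int] = None  # None = any Next Header
    sport: Optional[int] = None
    dport: Optional[int] = None
    note: str = ""


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


def rule_matches(r, p):
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(r.src):
        return False
    if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(r.dst):
        return False
    if r.proto is not None and r.proto != p.proto:
        return False
    if r.sport is not None and r.sport != p.sport:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    return True


def evaluate(rules, p):
    """First match wins; no match is an implicit deny, as on a router."""
    for r in rules:
        if rule_matches(r, p):
            return r.action == "permit", r.note
    return False, "implicit deny"


# Assumed placeholder addressing for the example.
ROUTER = "3fff:db8::1/128"                           # router loopback
NOC = "3fff:db8:ffff::/64"                           # NOC management segment
BGP_NEIGHBORS = ["3fff:db8:ffff:1::2", "3fff:1::2"]  # one iBGP, one eBGP
IX_SEGMENT = "3fff:ffff:1::/64"                      # IX peering LAN we sit on
CUSTOMER_PREFIX = "3fff:db8:c000::/48"               # assigned to the customer

# 6-1-1-1: what may be addressed to the router itself.
RECEIVE_ACL = [
    Rule("permit", src="fe80::/10", proto=ICMPV6, note="[3] ND from link-local neighbors"),
    Rule("permit", src=NOC, dst=ROUTER, proto=TCP, dport=22, note="[1] ssh from NOC"),
    Rule("permit", src=NOC, dst=ROUTER, proto=UDP, dport=161, note="[1] snmp from NOC"),
    Rule("permit", src=NOC, dst=ROUTER, proto=UDP, dport=123, note="[1] ntp from NOC"),
] + [
    # [2] BGP only from configured neighbors; either side may have opened
    # the TCP session, so port 179 is matched in both directions.
    Rule("permit", src=n, dst=ROUTER, proto=TCP, **{side: 179}, note="[2] bgp neighbor")
    for n in BGP_NEIGHBORS for side in ("dport", "sport")
]

# 5-2-1-1 [2] and [3]: customer-facing ingress.
CUSTOMER_INGRESS = [
    Rule("deny", dst=IX_SEGMENT, proto=TCP, dport=179, note="[3] no BGP toward the IX segment"),
    Rule("permit", proto=ICMPV6, note="5-1-1-1 [1] ICMPv6, including DAD from ::"),
    Rule("permit", src=CUSTOMER_PREFIX, note="[2] only customer-owned sources"),
]


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    cases = [
        ("ssh from NOC", RECEIVE_ACL, Packet("3fff:db8:ffff::10", "3fff:db8::1", TCP, 40000, 22)),
        ("telnet from NOC", RECEIVE_ACL, Packet("3fff:db8:ffff::10", "3fff:db8::1", TCP, 40000, 23)),
        ("ssh from outside", RECEIVE_ACL, Packet("2001:1234::1", "3fff:db8::1", TCP, 40000, 22)),
        ("bgp from neighbor", RECEIVE_ACL, Packet("3fff:1::2", "3fff:db8::1", TCP, 179, 40000)),
        ("bgp from stranger", RECEIVE_ACL, Packet("2001:1234::1", "3fff:db8::1", TCP, 40000, 179)),
        ("customer -> IX bgp", CUSTOMER_INGRESS, Packet("3fff:db8:c000::5", "3fff:ffff:1::2", TCP, 40000, 179)),
        ("customer web", CUSTOMER_INGRESS, Packet("3fff:db8:c000::5", "2001:1234::1", TCP, 40000, 80)),
        ("spoofed source", CUSTOMER_INGRESS, Packet("2001:1234::1", "2001:1234::2", TCP, 40000, 80)),
    ]
    for name, acl, pkt in cases:
        ok, why = evaluate(acl, pkt)
        print(f"{'permit' if ok else 'deny':<6} {name:<20} {why}")
```

On a real router the receive ACL would also be where the "selected ICMPv6 types" of 6-2-1-1 are expressed, by replacing the single ICMPv6 permit with one rule per accepted type.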
6-1-1-2. Egress Packet Filters
- N/A -
6-2. Considered filter set on its necessity
Consideration required filter set by network
6-2-1. Packet Filters
6-2-1-1. Ingress Packet Filters
[1] Limit the ICMPv6 packets accepted on the interfaces of the
router.
(Example)
Accept only ICMPv6 packets of selected types.
- Prerequisite
: Neighbor Discovery and Path MTU Discovery must keep
working.
- Advantage
: Attacks that abuse ICMPv6 packets can be defended against
to some degree.
- Weakness : It may become difficult to confirm reachability,
for example when a traceroute passes through a router
that limits ICMPv6 packets.
6-2-1-2. Egress Packet Filters
- N/A -
6-3. Additional effective techniques for reduction of OAM on
filtering
[1] System Protection ACL (IP Receive ACL, Loopback0 ACL)
- Outline
: A filter applied to packets addressed to the router itself,
protecting the router's resources (route processor etc.).
- Effect
: Effective as a countermeasure against attack packets aimed
at the router.
7. Acknowledgments
This document is based on the material compiled by IRS
(Interdomain Routing Security Workshop) in the presentation "Prefix
Filter Recommendation for IPv6 at xSP routers".
We thank everyone attending IRS and the JANOG mailing list for their
great support and cooperation.
We thank KONDO Kuniaki, YOSHIDA Tomoya and NAKANISHI Ryoko, who made
the release of this document possible.
8. References
8-1. Normative References
8-1-1. IPv6 BGP filter recommendations
http://www.space.net/~gert/RIPE/ipv6-filters.html
8-2. Informative References
8-2-1. RFC5156 : Special-Use IPv6 Addresses
http://www.ietf.org/rfc/rfc5156.txt
8-2-2. RFC4890 : Recommendations for Filtering ICMPv6 Messages in
Firewalls
http://www.ietf.org/rfc/rfc4890.txt
8-2-3. IANA IPv6 Allocated List
http://www.iana.org/assignments/ipv6-unicast-address-assignments
8-2-4. RIR allocated Address List
- APNIC
http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
- RIPE/NCC
ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
- ARIN
ftp://ftp.arin.net/pub/stats/arin/delegated-arin-latest
- LACNIC
ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest
- AfriNIC
ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest
9. Author's Address
Kiyoteru ISHIHARA
KDDI CORPORATION
EMail : ki-ishihara@kddi.com
Masaru MUKAI
KDDI CORPORATION
EMail : ms-mukai@kddi.com
Ruri HIROMI
Intec NetCore Inc.
EMail : hiromi@inetcore.com
Masataka MAWATARI
DREAM TRAIN INTERNET INC.
EMail : mawatari@dti.ad.jp
10. Disclaimer
We assume no responsibility whatsoever for any damages resulting
from the use of this document.
11. Distribution Policy of This Document
Copying and distribution of this document is allowed on condition
that no changes are made to it.
Appendix A: About 6bone
6bone was a test-bed network for IPv6 defined in RFC2471.
It operated with the IPv6 Test Address block (3ffe::/16).
The test bed was shut down on June 6th, 2006 as decided in RFC3701.
After that date it is advised to filter out the Test Address block
(3ffe::/16).
In this document we assume that filters for 3ffe::/16 should be
decided after checking the routes actually seen, and then applied.
A-1. Concerned Address Filter
A-1-1. Ingress and Egress Packet Filter
[1] All packets with 3ffe::/16 in the source address field
should be rejected.
A-1-2. Ingress and Egress Prefix Filter
[1] 3ffe::/16 or longer prefix should be rejected.
Appendix B: About 6to4
6to4 tunneling is defined in RFC3056. This mechanism embeds an IPv4
address in the IPv6 address and thereby provides automatic
configuration.
It connects IPv6 clouds across IPv4 networks by tunnels through 6to4
relay routers.
RFC3056 also defines 2002::/16 as the dedicated prefix for 6to4.
Therefore, if you filter out 2002::/16, you may break 6to4
communication.
Appendix C: Useful info on IANA IPv6 Special Purpose Address Registry
IANA provides an "IPv6 Special Purpose Address Registry - per
RFC4773" page on its web site at the following URL.
IANA IPv6 Special Purpose Address Registry - per [RFC4773]
http://www.iana.org/assignments/iana-ipv6-special-registry
Note that careful consideration of and familiarity with each
technical specification is desirable before setting filters based
on this list. Also review the list regularly, because it is subject
to change.
----------------------------------------------------------------------
Update History
----------------------------------------------------------------------
August 23, 2006: published as jc1006
May 18, 2007: updated as follows
- modified description on "Special-Use Prefix"
a. added "IETF reserved Address" in the description of "::/8"
b. changed name of "::/96" from "IPv4-compatible IPv6 address" to
"formerly IPv4-compatible IPv6 address" as it is deprecated
by RFC4291
c. changed description of "IPv4-mapped IPv6 address" from
"::ffff:/96" to "::ffff:0:0/96"
d. changed description of "fec0::/10" from "Site-local Address"
to "IETF reserved Address(formerly Site-local Address)" as
defined by RFC3879
- added notification about update-timing in 3-2-2-1 [2], 4-2-2-1 [3]
- added notification for "Max-Prefix-Limits" in 3-3 [1], 4-3 [1],
5-3 [1]
- modified URL for "IPv6 Routing Policies Guidelines" in 8-2
- added "RFC4890" in 8-2
- added "Appendix C"
June 26, 2007: modified URL for "RIR allocated Address List : LACNIC"
in 8-2
August 26, 2008: updated as follows
- deleted "IPv6 Routing Policies Guidelines" in 8-2
- added "RFC5156" in 8-2
----------------------------------------------------------------------