I mean really simple. Like 2000::/3. If it's not in there it's bogon, yes ?

What I'm really asking, is for folks thoughts on using this - is it too restrictive ?

How long until it's obsolete ?

Should be a really long time no ?

Again, just looking for some feedback either way. Would be very nice to have a single line ACL do this job.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."

On 6/14/2010 16:37, Brandon Applegate wrote:
> I mean really simple. Like 2000::/3. If it's not in there it's bogon, yes ?
> What I'm really asking, is for folks thoughts on using this - is it too restrictive ?
> How long until it's obsolete ?
> Should be a really long time no ?
> Again, just looking for some feedback either way. Would be very nice to have a single line ACL do this job.

Now with IPv6: http://www.team-cymru.org/Services/Bogons/

~Seth

On Mon, 14 Jun 2010, Brandon Applegate wrote:
> I mean really simple. Like 2000::/3. If it's not in there it's bogon, yes ?

Been using that on the advanced networks side for ... OK, years. Seems to work. Kept unseemingly bogons like 1000::/3 out, except for the deprecated 6bone pTLA, 3FFF::

> What I'm really asking, is for folks thoughts on using this - is it too restrictive ?

For leaks of old 6bone space, which I haven't seen for a long while, probably not. But filter against that, and maybe it will be fine. It's all in the RIR allocations....

> How long until it's obsolete ?
> Should be a really long time no ?

Mmm...Last table entry in my table is: 2C0F:FE18::/32. Maybe 2000::/4 will do, but that might not last very long as an ACL, given the proximity of 2Cxx:: to 2FFF::

> Again, just looking for some feedback either way. Would be very nice to have a single line ACL do this job.
> -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 "SH1-0151. This is the serial number, of our orbital gun."

wfms
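
An added example, not part of any post in this thread: the single-line 2000::/3 filter modelled as a route check, next to the 2000::/4 variant and a version with explicit denies inside the block. The deny entries (3ffe::/16 for the retired 6bone block per RFC 3701, 2001:db8::/32 for documentation space per RFC 3849) and all sample routes except 2C0F:FE18::/32 are assumptions constructed for illustration.

```python
import ipaddress

# The one-line filter proposed in the thread, and the narrower variant.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
NARROW = ipaddress.ip_network("2000::/4")

# Assumption (not from the thread): blocks inside 2000::/3 that a
# one-line permit still accepts. 3ffe::/16 is the retired 6bone block
# (RFC 3701); 2001:db8::/32 is documentation space (RFC 3849).
INSIDE_DENY = (
    ipaddress.ip_network("3ffe::/16"),
    ipaddress.ip_network("2001:db8::/32"),
)


def classify(prefix, permit=GLOBAL_UNICAST, deny=()):
    """Return 'permit' or 'deny' for a received IPv6 route prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6:
        raise ValueError("not an IPv6 prefix")
    # The route must lie entirely inside the permitted block, so a
    # default route or a covering aggregate such as ::/0 is rejected.
    if not net.subnet_of(permit):
        return "deny"
    # Reject the listed blocks and any more-specific route within them.
    if any(net.subnet_of(d) for d in deny):
        return "deny"
    return "permit"


def compare(routes):
    """Map each route to its result under the three filter variants."""
    return {
        r: (
            classify(r),                         # 2000::/3 only
            classify(r, permit=NARROW),          # 2000::/4 only
            classify(r, deny=INSIDE_DENY),       # 2000::/3 plus denies
        )
        for r in routes
    }


# Constructed sample routes; only 2c0f:fe18::/32 appears in the thread.
SAMPLE_ROUTES = [
    "2c0f:fe18::/32", "3400::/12", "3ffe:b00::/24",
    "2001:db8:1::/48", "fc00::/7", "fe80::/10", "::/0",
]
```

Running `compare(SAMPLE_ROUTES)` shows where the variants disagree: the /4 filter drops anything allocated from 3000::/4, and only the variant with explicit denies rejects routes that sit inside 2000::/3 but should never be announced.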
On 2010-06-15 01:37, Brandon Applegate wrote:
> I mean really simple. Like 2000::/3. If it's not in there it's bogon, yes ?

At the current time and hopefully for the next 20 years at least yes ;)

> What I'm really asking, is for folks thoughts on using this - is it too restrictive ?

You should be fine for the lifetime of your job plus several other years. Like any configuration you need to document it and the reasoning behind it and if possible flag it in a way that people will re-examine it in time.

google(ipv6 filter) if you want a set of filters which are tighter than that and actually there is another keyword that you should be using:

RPSL

See RFC2622/2650 there are various tools that can provide you with filters based on that data. Please also tell your customers/peers/transits to use it, many already do and it is the proper way to do filtering on your network.

As for routes that are not in the RPSL databases, make a local registry with them and just feed your tools from it, kicking the folks to put them in RPSL though is a better method ;)

Greets,
Jeroen

Hi Brandon,

On 6/15/10 9:02 AM, Jeroen Massar wrote:
> RPSL
> See RFC2622/2650 there are various tools that can provide you with filters based on that data. Please also tell your customers/peers/transits to use it, many already do and it is the proper way to do filtering on your network.

... and if you do want to learn about that, RIPE NCC has a "Routing Registry training course": http://www.ripe.net/training/rr/outline.html

The participation to this hands-on workshop is limited to the LIRS (members of the RIPE NCC), but one of them could invite you as a guest; we also do presentations and workshops at conferences; and the material is free to download, and to re-use for educational purposes.

Regards,
Vesna (RIPE NCC trainer)

This would be another alternative: http://www.space.net/~gert/RIPE/ipv6-filters.html

Slightly more than 1 line, but the loose case would nuke a few more things than just filtering on 2000::/3 without requiring frequent updates. The strict case requires keeping after it for updates, and you'd probably be better off with Cymru.

Thanks,
Wes George

-----Original Message-----
From: Brandon Applegate [mailto:brandon@burn.net]
Sent: Monday, June 14, 2010 7:38 PM
To: nanog@nanog.org
Subject: ipv6 bogon / martian filter - simple

> I mean really simple. Like 2000::/3. If it's not in there it's bogon, yes ?
> What I'm really asking, is for folks thoughts on using this - is it too restrictive ?
> How long until it's obsolete ?
> Should be a really long time no ?
> Again, just looking for some feedback either way. Would be very nice to have a single line ACL do this job.
> -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996 "SH1-0151. This is the serial number, of our orbital gun."

participants (6)
- Brandon Applegate
- George, Wes E IV [NTK]
- Jeroen Massar
- Seth Mattinen
- Vesna Manojlovic
- William F. Maton Sotomayor