[6bone] RE: [ipv6-wg@ripe.net] Update on IPv6 filter recommendation

Michel Py michel@arneill-py.sacramento.ca.us
Tue, 13 May 2003 21:13:04 -0700


Gert,

> Gert Doering wrote:
> I have just added an update to the "strict" filter list of
> my IPv6 filter list recommendations on
> http://www.space.net/~gert/RIPE/ipv6-filters.html

Thanks for the heads-up.
Some comments:

> ipv6 prefix-list ipv6-ebgp-strict permit 3ffe::/18 ge 24 le 24
> ipv6 prefix-list ipv6-ebgp-strict permit 3ffe:4000::/18 ge 32 le 32
> ipv6 prefix-list ipv6-ebgp-strict permit 3ffe:8000::/22 ge 28 le 28

This part is fine.


> ipv6 prefix-list ipv6-ebgp-strict permit 2001:500::/32 ge 48 le 48

It would be interesting to have more refinement here. What I mean is
that I would be open to allow a /48 that contains a root server but not
a /48 that serves an IXP. More details/specifics to what is inside
2001:500::/32 would be appreciated.


> ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 35 le 35

I think this could be refined too. The range where /35s were originally
allocated from is much smaller than 2001::/16.


> ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 24 le 32

This could also be refined. Not all 2001::/16 has been delegated to
RIRs. ARIN got a block, RIPE got a block, APNIC got a block, but there
still is some undelegated space. The drawback of refining to that level
is that it will inevitably induce a situation similar to 69/8 and will
require maintenance, but the other side of that coin is that it would
prevent people from hijacking prefixes from undelegated space.

As an example, and please correct me if wrong in the address I picked
because it's all from memory: if I hijack and announce 2001:FEED::/32,
that would pass your filter, but this prefix can't be assigned to anybody
now as it is not part of a larger block that has been delegated to a
RIR, so it must be a hijack.

Michel.
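
The following is an added example, not part of the original message or of Gert Doering's page: a small evaluator for the six prefix-list lines quoted above, so an operator can check which rule admits a given announcement. It assumes the usual `ge`/`le` prefix-list semantics (first match wins, implicit deny at the end); the function names and test routes are constructed for illustration.

```python
import ipaddress
import re

# The six "strict" lines exactly as quoted in the message above.
STRICT = """\
ipv6 prefix-list ipv6-ebgp-strict permit 3ffe::/18 ge 24 le 24
ipv6 prefix-list ipv6-ebgp-strict permit 3ffe:4000::/18 ge 32 le 32
ipv6 prefix-list ipv6-ebgp-strict permit 3ffe:8000::/22 ge 28 le 28
ipv6 prefix-list ipv6-ebgp-strict permit 2001:500::/32 ge 48 le 48
ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 35 le 35
ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 24 le 32
"""

RULE = re.compile(
    r"ipv6 prefix-list (\S+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)

def parse(text):
    """Turn prefix-list lines into (action, network, min_len, max_len, line)."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        _, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = net.prefixlen          # no ge/le: exact length only
        else:
            lo = int(ge) if ge else net.prefixlen
            hi = int(le) if le else 128
        rules.append((action, net, lo, hi, line.strip()))
    return rules

def evaluate(rules, route):
    """Return (action, matching line) for an announced route; first match wins."""
    r = ipaddress.ip_network(route)
    for action, net, lo, hi, line in rules:
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action, line
    return "deny", "implicit deny"

RULES = parse(STRICT)

if __name__ == "__main__":
    # Constructed test routes, including the 2001:FEED::/32 case from the message.
    for route in ("2001:FEED::/32", "2001:FEED:2000::/35",
                  "2001:500:1::/48", "2001:FEED::/48", "3ffe:100::/24"):
        print(route, "->", *evaluate(RULES, route))
```

Running it shows 2001:FEED::/32 admitted by the `2001::/16 ge 24 le 32` line and a /35 from the same range admitted by the `ge 35 le 35` line, which are the two broad matches the message asks to have narrowed.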