IPv6 blocks for micro-allocation

Pekka Savola pekkas at netcore.fi
Tue Jun 3 21:25:20 CEST 2008


On Tue, 3 Jun 2008, Jeroen Massar wrote:
> First off, if you want it very narrow, just generate your filter from route6 
> objects in the RIR registries.

For reasons already mentioned this is probably not a useful idea. 
I'll mention a couple of others:

  - only RIPE DB has a sensible security model (AFAIK).  Anyone can add 
route6 objects to the other databases, and as such their usefulness is 
pretty close to zero for any purposes having to do with security.

  - if the point is to build prefix filters that intend to block more 
specific advertisements also from the owner of the netblock (which is 
one of the reasons I'm using strict filters), building ACLs based on route 
objects won't help because more specific route6 objects can also be 
added.

FWIW, on my peer sessions, I apply both prefix filters based on route6 
objects (just using RIPE DB) and also check that the prefix lengths 
are sane.  Both conditions must pass to accept the route from peer.

There is one exception to this, an operator who is outside RIPE 
region, and I maintain that prefix list manually.

Similarly, I rejected a v6 peering session with RIPE NCC's K-root as 
they only wanted to advertise a more specific /48 rather than their 
whole /32.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
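
The two-condition acceptance check described in the message above, as an added example that is not part of the original post or the author's router configuration. The route6 prefixes are constructed from documentation address space, and the MIN_LEN/MAX_LEN bounds are assumptions, since the post does not state which lengths it treats as sane.

```python
import ipaddress

# Constructed route6 data using the 2001:db8::/32 documentation prefix.
# The second entry models a holder registering a more specific of its own block.
ROUTE6_PREFIXES = ["2001:db8::/32", "2001:db8:1::/48"]

# Assumed "sane" length bounds; the post does not give the values it uses.
MIN_LEN, MAX_LEN = 16, 32


def build_filter(prefixes):
    """Exact-match prefix filter built from registry route6 objects."""
    return {ipaddress.IPv6Network(p) for p in prefixes}


def evaluate(announcement, registry_filter):
    """Return (accepted, failed_checks); both conditions must pass."""
    try:
        # strict parsing rejects prefixes with host bits set
        prefix = ipaddress.IPv6Network(announcement)
    except ValueError:
        return False, ["malformed"]
    failed = []
    if prefix not in registry_filter:
        failed.append("route6")   # no matching route6 object
    if not MIN_LEN <= prefix.prefixlen <= MAX_LEN:
        failed.append("length")   # outside the assumed length bounds
    return not failed, failed


if __name__ == "__main__":
    flt = build_filter(ROUTE6_PREFIXES)
    # Constructed announcements from a peer session.
    for ann in ["2001:db8::/32", "2001:db8:1::/48", "2001:db8:2::/48",
                "3fff::/20", "2001:db8::1/32"]:
        print(ann, evaluate(ann, flt))
```

The /48 that has its own route6 object passes the registry filter and is rejected only by the length check, which is the case the second bullet in the message is about.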

