mapping public to private IPv6 networks when firewalling

[Cameron Byrne]

On Nov 24, 2011 1:36 AM, "Arturo Servin" <arturo.servin at gmail.com> wrote:
>
>
> <snip>
>
> On 24 Nov 2011, at 07:20, Eugen Leitl wrote:
>
>>  as the
>> fc00::/7 addresses will not be routed beyond that, correct?
>
> <snip>
>
> Incorrect or not necessary.
>

No

> ULAs are just as any other unicast addresses. As technical community we
had agreed to not route it in the internet, but If you leak it and somebody
else routes it, you are fried.
>

No, this rfc defined behavior. Please check your facts.

It is the same situation as rfc 1918 leaking. Saying that it is in any way
different from rfc 1918 is misleading people.  Ula is not in the dfz and if
it got leaked it would be fixed , just like 10/8.

Both ula and rfc 1918 should be part of any inter domain ingress and egress
filtering.

If you want to keep pushing that there is an operational difference from a
routing policy perspective, cite some facts

>From rfc 4193

Site border routers and firewalls should be configured to not forward any
packets with Local IPv6 source or destination addresses outside of the
site, unless they have been explicitly configured with routing information
about specific /48 or longer Local IPv6 prefixes. This will ensure that
packets with Local IPv6 destination addresses will not be forwarded outside
of the site via a default route. The default behavior of these devices
should be to install a "reject" route for these prefixes.

.....  And......


If BGP is being used at the site border with an ISP, the default BGP
configuration must filter out any Local IPv6 address prefixes, both
incoming and outgoing. It must be set both to keep any Local IPv6 address
prefixes from being advertised outside of the site as well as to keep these
prefixes from being learned from another site

Cb
> /as
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20111124/09ec2e90/attachment-0001.html