mapping public to private IPv6 networks when firewalling

Arturo Servin arturo.servin at gmail.com
Thu Nov 24 15:35:15 CET 2011


I am not saying otherwise.

as

Sent from my mobile device
(please excuse typos and brevity)


On 24 Nov 2011, at 08:56, Cameron Byrne <cb.list6 at gmail.com> wrote:

> 
> On Nov 24, 2011 1:36 AM, "Arturo Servin" <arturo.servin at gmail.com> wrote:
> >
> >
> > <snip>
> >
> > On 24 Nov 2011, at 07:20, Eugen Leitl wrote:
> >
> >>  as the 
> >> fc00::/7 addresses will not be routed beyond that, correct?
> >
> > <snip>
> >
> > Incorrect or not necessary.
> >
> 
> No
> 
> > ULAs are just as any other unicast addresses. As a technical community we had agreed to not route it in the internet, but if you leak it and somebody else routes it, you are fried.
> >
> 
> No, this is RFC-defined behavior. Please check your facts.
> 
> It is the same situation as RFC 1918 leaking. Saying that it is in any way different from RFC 1918 is misleading people. ULA is not in the DFZ and if it got leaked it would be fixed, just like 10/8.
> 
> Both ULA and RFC 1918 should be part of any inter-domain ingress and egress filtering.
> 
> If you want to keep pushing that there is an operational difference from a routing policy perspective, cite some facts.
> 
> From RFC 4193:
> 
> Site border routers and firewalls should be configured to not forward any packets with Local IPv6 source or destination addresses outside of the site, unless they have been explicitly configured with routing information about specific /48 or longer Local IPv6 prefixes. This will ensure that packets with Local IPv6 destination addresses will not be forwarded outside of the site via a default route. The default behavior of these devices should be to install a "reject" route for these prefixes. 
> .....  And......
> 
> 
> If BGP is being used at the site border with an ISP, the default BGP configuration must filter out any Local IPv6 address prefixes, both incoming and outgoing. It must be set both to keep any Local IPv6 address prefixes from being advertised outside of the site as well as to keep these prefixes from being learned from another site.
> Cb
> > /as
> >
> >
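
The border policy in the RFC 4193 text quoted in this thread, written out as an added example (not part of the original messages and not any vendor's configuration): reject fc00::/7 and RFC 1918 prefixes in both directions unless a specific /48 or longer ULA prefix was explicitly configured. The function names, the explicit_ula parameter and the sample prefixes are assumptions made for illustration; 2001:db8::/32 stands in for a global prefix.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 Local IPv6 unicast range
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_site_local(net):
    """True if the network lies entirely inside ULA or RFC 1918 space."""
    ranges = [ULA] if net.version == 6 else RFC1918
    return any(net.subnet_of(r) for r in ranges)


def filter_route(prefix, explicit_ula=()):
    """Return 'accept' or 'reject' for a prefix on a site-border BGP session.

    The same decision is applied inbound and outbound. explicit_ula is a
    hypothetical list of ULA prefixes the operator configured on purpose;
    only entries of /48 or longer are honoured, as in the quoted RFC text.
    """
    net = ipaddress.ip_network(prefix)
    if not is_site_local(net):
        return "accept"
    for entry in explicit_ula:
        allowed = ipaddress.ip_network(entry)
        if (net.version == 6 and allowed.version == 6
                and allowed.prefixlen >= 48 and allowed.subnet_of(ULA)
                and net.subnet_of(allowed)):
            return "accept"
    return "reject"  # default behaviour: the "reject" route


def forward_packet(src, dst, explicit_ula=()):
    """Border forwarding check: drop when either address is site-local."""
    for addr in (src, dst):
        # A bare address parses as a /128 (or /32) network.
        if filter_route(addr, explicit_ula) == "reject":
            return "drop"
    return "forward"


if __name__ == "__main__":
    # Constructed sample prefixes; fd12:3456:789a::/48 is a made-up ULA site.
    site = ["fd12:3456:789a::/48"]
    for p in ("fc00::/7", "fd12:3456:789a::/48", "10.20.0.0/16",
              "2001:db8:1::/48", "::/0"):
        print(p, "->", filter_route(p))
    print(filter_route("fd12:3456:789a:1::/64", site))
    print(forward_packet("2001:db8::1", "fd12:3456:789a::5"))
```

The default route ::/0 is accepted because it is not inside fc00::/7; an explicit entry shorter than /48 (for example fd00::/8) is ignored, so the prefix stays rejected.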

More information about the ipv6-ops mailing list