IPv6 blocks for micro-allocation
Pekka Savola
pekkas at netcore.fi
Tue Jun 3 21:25:20 CEST 2008
On Tue, 3 Jun 2008, Jeroen Massar wrote:
> First off, if you want it very narrow, just generate your filter from route6
> objects in the RIR registries.
For reasons already mentioned this is probably not a useful idea.
I'll mention a couple of others:
- only RIPE DB has a sensible security model (AFAIK). Anyone can add
route6 objects to the other databases, and as such their usefulness is
pretty close to zero for any purposes having to do with security.
- if the point is to build prefix filters that intend to block more
specific advertisements also from the owner of the netblock (which is
one of the reasons I'm using strict filters), building ACLs based on route
objects won't help because more specific route6 objects can also be
added.
FWIW, on my peer sessions, I apply both prefix filters based on route6
objects (just using RIPE DB) and also check that the prefix lengths
are sane. Both conditions must pass to accept the route from peer.
There is one exception to this, an operator who is outside RIPE
region, and I maintain that prefix list manually.
Similarly, I rejected a v6 peering session with RIPE NCC's K-root as
they only wanted to advertise a more specific /48 rather than their
whole /32.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
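
Added example, not part of the original message or the poster's configuration: a sketch of the two-condition import policy described above, where a route must match a route6 object and also have a sane prefix length. The /16-/32 bounds, the origin-AS match, and all prefixes and AS numbers (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Assumed bounds for a "sane" announcement; the message gives no numbers.
MIN_LEN, MAX_LEN = 16, 32

# Constructed route6 data: documentation prefixes and documentation ASNs.
ROUTE6 = {
    ("2001:db8::/32", 64500),
    ("2001:db8:ff00::/48", 64500),  # more specific added by the holder
    ("3fff:100::/32", 64501),
}


def build_filter(route6):
    """Turn (prefix, origin) pairs into a set of exact-match entries."""
    return {(ipaddress.IPv6Network(p), asn) for p, asn in route6}


def check_route(prefix, origin_as, allowed):
    """Return (accepted, reasons); both checks must pass to accept."""
    try:
        net = ipaddress.IPv6Network(prefix)  # strict: host bits must be 0
    except ValueError as exc:
        return False, [f"invalid prefix: {exc}"]
    reasons = []
    if (net, origin_as) not in allowed:
        reasons.append("no matching route6 object")
    if not MIN_LEN <= net.prefixlen <= MAX_LEN:
        reasons.append(
            f"prefix length /{net.prefixlen} outside /{MIN_LEN}-/{MAX_LEN}")
    return (not reasons), reasons


if __name__ == "__main__":
    allowed = build_filter(ROUTE6)
    # Constructed announcements as (prefix, origin AS) pairs.
    for prefix, asn in [
        ("2001:db8::/32", 64500),       # registered and sane length
        ("2001:db8:ff00::/48", 64500),  # registered, but too specific
        ("3fff:200::/32", 64502),       # sane length, not registered
        ("2001:db8::/32", 64501),       # registered under another origin
    ]:
        ok, why = check_route(prefix, asn, allowed)
        print(f"{prefix:22} AS{asn}  "
              f"{'accept' if ok else 'reject: ' + '; '.join(why)}")
```

The /48 case is the one the second bullet is about: it has a route6 object, so a registry-only filter would let it through, and only the length check rejects it.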