Filtering ULA?
david.freedman at uk.clara.net
Sat Sep 6 00:09:12 CEST 2008

Is there any good reason why I shouldn't be filtering the ULA (RFC4193)
range at the edge (FC00::/7)?

I was looking over http://www.space.net/~gert/RIPE/ipv6-filters.html today
and didn't spot it in the relaxed filter.

The RFC (section 4.3) is a bit vague on filtering and just says

"Routers that maintain peering arrangements between Autonomous Systems
throughout the Internet should obey the recommendations for site
border routers, unless configured otherwise."

The RIPE policy proposal 2007-05
(http://www.ripe.net/ripe/policies/proposals/2007-05.html)
mentions:

"It is also important to reinforce that the ULA prefix (FC00::/7) it is
not routable in the global Internet (i.e. not designed to be used as IPv6
PI) and consequently must be filtered."

As much as I would guess the answer to this would be "if you are
concerned, use the strict filter", I'm in the process of revisiting my
IPv6 edge security and would be interested if anybody can think of a
good reason not to do this, or if by doing this one *should* as the RFC
suggests provide ICMP6 feedback to the client indicating the filtered
nature of the space (*shudder*).

Dave.
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
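
Added example, not part of the original post or of the filter page it links to: a Python check that sorts IPv6 prefixes received at the edge by their relation to FC00::/7, so a candidate filter can be audited offline. The function names and the sample prefixes are constructed for illustration; it also reports less-specific routes that cover the ULA block, which a filter matching only FC00::/7 and longer would not catch.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 Unique Local Address block

def classify(prefix):
    """Return 'ula', 'covers-ula', 'default' or 'ok' for one IPv6 prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6:
        raise ValueError(f"not an IPv6 prefix: {prefix}")
    if net.subnet_of(ULA):
        return "ula"          # FC00::/7 itself or any more-specific of it
    if net.prefixlen == 0:
        return "default"      # ::/0 covers everything; handled by its own policy
    if ULA.subnet_of(net):
        return "covers-ula"   # less specific than /7 but still spans the ULA block
    return "ok"

def audit(prefixes):
    """Group prefixes by classification, preserving input order."""
    report = {"ula": [], "covers-ula": [], "default": [], "ok": []}
    for p in prefixes:
        report[classify(p)].append(p)
    return report

# Constructed sample of received prefixes (not real routing data).
SAMPLE = [
    "2001:db8::/32",         # documentation prefix, stands in for a normal route
    "fc00::/7",              # the whole ULA block
    "fd12:3456:789a::/48",   # a site-sized ULA prefix
    "f800::/5",              # less specific, spans fc00::/7
    "::/0",                  # default route
]

if __name__ == "__main__":
    for kind, items in audit(SAMPLE).items():
        print(f"{kind:11} {', '.join(items) or '-'}")
```
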