using ULA for 'hidden' v6 devices?

Mark Tinka mtinka at globaltransit.net
Fri Jan 27 22:53:25 CST 2012


On Thursday, January 26, 2012 08:19:07 PM George Bonser wrote:

> I filter the entire space at the borders.  Besides, if
> someone leaks the space, most people won't accept it,
> certainly any provider worth their salt won't.  But one
> of the problems with ULA and the U part.  With RFC 1918
> everyone is using the same space.  So let's say 10
> million networks are using 10/8 and 10,000 of them are
> leaking bits of it.  IF their providers accept their
> leaks and IF their providers' peers accept it, that
> leaves only 10,000 different places a 10/8 destined
> packet could go.

Just on this subject, we're peering with networks some
may call "worth their salt", and what we've been seeing
since we started peering with them is interesting. This
is an ACL applied on ingress across the peering 
interfaces (note that sequences 90 - 150 are our own APNIC 
allocations):

router-in-asia-1#sh ip access-lists filter-incoming
Extended IP access list filter-incoming
    10 deny ip 10.0.0.0 0.255.255.255 any (13685079 matches)
    20 deny ip 127.0.0.0 0.255.255.255 any (5380 matches)
    30 deny ip 169.254.0.0 0.0.255.255 any (270500 matches)
    40 deny ip 172.16.0.0 0.15.255.255 any (5367880 matches)
    50 deny ip 192.0.2.0 0.0.0.255 any (3478 matches)
    60 deny ip 192.42.172.0 0.0.0.255 any
    70 deny ip 192.168.0.0 0.0.255.255 any (10780785 matches)
    80 deny ip 198.18.0.0 0.1.255.255 any (1691 matches)
    90 deny ip 61.11.208.0 0.0.15.255 any (35 matches)
    100 deny ip 119.110.128.0 0.0.127.255 any (50 matches)
    110 deny ip 124.158.224.0 0.0.31.255 any (4667 matches)
    120 deny ip 202.76.224.0 0.0.15.255 any (7747449 matches)
    130 deny ip 116.0.96.0 0.0.31.255 any (124 matches)
    140 deny ip 119.110.0.0 0.0.63.255 any (67 matches)
    150 deny ip 203.223.128.0 0.0.31.255 any (7665942 matches)
    160 permit ip any any (3080575612 matches)
router-in-asia-1#


router-in-asia-2#sh ip access-lists filter-incoming
Extended IP access list filter-incoming
    10 deny ip 10.0.0.0 0.255.255.255 any (35529145 matches)
    20 deny ip 127.0.0.0 0.255.255.255 any (45 matches)
    30 deny ip 169.254.0.0 0.0.255.255 any (12950353 matches)
    40 deny ip 172.16.0.0 0.15.255.255 any (8902750 matches)
    50 deny ip 192.0.2.0 0.0.0.255 any (4495 matches)
    60 deny ip 192.42.172.0 0.0.0.255 any (7 matches)
    70 deny ip 192.168.0.0 0.0.255.255 any (8805796 matches)
    80 deny ip 198.18.0.0 0.1.255.255 any (3269 matches)
    90 deny ip 61.11.208.0 0.0.15.255 any (20 matches)
    100 deny ip 119.110.128.0 0.0.127.255 any
    110 deny ip 124.158.224.0 0.0.31.255 any (4436 matches)
    120 deny ip 202.76.224.0 0.0.15.255 any (6325852 matches)
    130 deny ip 116.0.96.0 0.0.31.255 any (857940 matches)
    140 deny ip 119.110.0.0 0.0.63.255 any (659 matches)
    150 deny ip 203.223.128.0 0.0.31.255 any (6618486 matches)
    160 permit ip any any (284108624 matches)
router-in-asia-2#


router-in-america#sh ip access-lists filter-incoming
Extended IP access list filter-incoming
    10 deny ip 10.0.0.0 0.255.255.255 any (1226939 matches)
    20 deny ip 127.0.0.0 0.255.255.255 any (36 matches)
    30 deny ip 169.254.0.0 0.0.255.255 any (2464 matches)
    40 deny ip 172.16.0.0 0.15.255.255 any (379730 matches)
    50 deny ip 192.0.2.0 0.0.0.255 any (4 matches)
    60 deny ip 192.42.172.0 0.0.0.255 any
    70 deny ip 192.168.0.0 0.0.255.255 any (987273 matches)
    80 deny ip 198.18.0.0 0.1.255.255 any (43 matches)
    90 deny ip 61.11.208.0 0.0.15.255 any
    100 deny ip 119.110.128.0 0.0.127.255 any (4 matches)
    110 deny ip 124.158.224.0 0.0.31.255 any (2514 matches)
    120 deny ip 202.76.224.0 0.0.15.255 any (644354 matches)
    130 deny ip 116.0.96.0 0.0.31.255 any (11 matches)
    140 deny ip 119.110.0.0 0.0.63.255 any (22 matches)
    150 deny ip 203.223.128.0 0.0.31.255 any (641830 matches)
    160 permit ip any any (84287716 matches)
router-in-america#


For our v6 ingress filters on the same interfaces, we're
seeing some matches for '3ffe::/16' and '2001:db8::/32'
from Asia and the U.S.

Mark.
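
An added example, not part of the original message: a short Python script that totals the hit counters from the router-in-america output above by source category, so the share of RFC 1918 leakage can be compared with traffic arriving from peers with the operator's own source addresses. The function name, category labels and the own_seqs parameter are assumptions made for this example; sequences 90 to 150 are treated as the operator's own allocations, as the message states.

```python
import ipaddress
import re

# Counters copied from the router-in-america output quoted in the message.
SAMPLE = """\
    10 deny ip 10.0.0.0 0.255.255.255 any (1226939 matches)
    20 deny ip 127.0.0.0 0.255.255.255 any (36 matches)
    30 deny ip 169.254.0.0 0.0.255.255 any (2464 matches)
    40 deny ip 172.16.0.0 0.15.255.255 any (379730 matches)
    50 deny ip 192.0.2.0 0.0.0.255 any (4 matches)
    60 deny ip 192.42.172.0 0.0.0.255 any
    70 deny ip 192.168.0.0 0.0.255.255 any (987273 matches)
    80 deny ip 198.18.0.0 0.1.255.255 any (43 matches)
    90 deny ip 61.11.208.0 0.0.15.255 any
    100 deny ip 119.110.128.0 0.0.127.255 any (4 matches)
    110 deny ip 124.158.224.0 0.0.31.255 any (2514 matches)
    120 deny ip 202.76.224.0 0.0.15.255 any (644354 matches)
    130 deny ip 116.0.96.0 0.0.31.255 any (11 matches)
    140 deny ip 119.110.0.0 0.0.63.255 any (22 matches)
    150 deny ip 203.223.128.0 0.0.31.255 any (641830 matches)
    160 permit ip any any (84287716 matches)
"""
ENTRY = re.compile(r"^\s*(\d+) (permit|deny) ip (\S+)(?: (\S+))? any"
                   r"(?: \((\d+) match(?:es)?\))?\s*$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def summarize(text, own_seqs=range(90, 151)):
    """Total hit counters per category; own_seqs marks the operator's prefixes."""
    totals = {"rfc1918": 0, "other_special": 0, "own_space": 0, "permitted": 0}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, prompt or blank line
        seq, action, src, wildcard, hits = m.groups()
        hits = int(hits or 0)  # IOS prints no counter when nothing matched
        if action == "permit":
            key = "permitted"
        elif int(seq) in own_seqs:
            key = "own_space"
        # ipaddress accepts a Cisco-style wildcard (host mask) after the slash
        elif any(ipaddress.ip_network(f"{src}/{wildcard}").subnet_of(p)
                 for p in RFC1918):
            key = "rfc1918"
        else:
            key = "other_special"
        totals[key] += hits
    return totals
```
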