Updated prefix filtering

Mark Andrews marka at isc.org
Sun May 10 23:17:05 UTC 2015


In message <CAA93jw7NrW7D7YOM7gWj+2up3xPFZdv5u=9c3cTdm+wtaGTB6Q at mail.gmail.com>, Dave Taht writes:
> On Fri, May 8, 2015 at 3:41 PM, Chaim Rieger <chaim.rieger at gmail.com> wrote:
> >
> > Best example I’ve found is located at http://jonsblog.lewis.org/
> >
> > I too ran out of space, Brocade, not Cisco though, and am looking to filter
> > prefixes. Did anybody do a more recent or updated filter list since 2008?
> >
> > Offlist is fine.
> >
> > Oh and happy friday to all.
> 
> I have had a piece long on the spike on how we implemented bcp38 for
> linux (openwrt) devices using the ipset facility.
> 
> We had a different use case (preventing all possible internal rfc1918
> network addresses from escaping, while still allowing punching through
> one layer of nat ), but the underlying ipset facility was easily
> extendible to actually do bcp38 and fast to use, so that is what we
> ended up calling the openwrt package. Please contact me offlist if you
> would like a peek at that piece, because the article had some
> structural problems and we never got around to finishing/publishing
> it, and I would like to....
> 
> has there been a bcp38 equivalent published for ipv6?

Yes, BCP 38.  BCP 38 is address family agnostic.  Just because the
examples use IPv4 addresses doesn't mean that the concepts don't
just map straight over onto IPv6.

Source based routing is really only needed because BCP 38 filtering
is being poorly implemented.  Rather than collecting the full set
of legitimate source addresses ISPs are only accepting the set of
source addresses that they have allocated to the customer.

With SIDR it should be possible to pass certs to the other ISPs
that say "I am a legitimate source of these addresses" and do this
all automatically.

> Along the way source specific routing showed up for ipv6 and we ended
> up obsoleting the concept of an ipv6 global default route entirely on
> a linux based CPE router.
> 
> see: http://arxiv.org/pdf/1403.0445.pdf and some relevant homenet wg stuff.
> 
> d at nuc-client:~/babeld-1.6.0 $ ip -6 route
> 
> default from 2001:558:6045:e9:251a:738a:ac86:eaf6 via
> fe80::28c6:8eff:febb:9ff0 dev eth0  proto babel  metric 1024
> default from 2601:9:4e00:4cb0::/60 via fe80::28c6:8eff:febb:9ff0 dev
> eth0  proto babel  metric 1024
> default from fde5:dfb9:df90:fff0::/60 via fe80::225:90ff:fef4:a5c5 dev
> eth0  proto babel  metric 1024
> 
> So this box will not forward any ipv6 not in the from(src) table.
> 
> -- 
> Dave Täht
> https://plus.google.com/u/0/explore/makewififast
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
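
An added example, not part of the original message or of the openwrt bcp38 package: an address-family-agnostic BCP 38 source check in Python, using the source prefixes from the quoted `ip -6 route` output. It assumes the "default from" entries are the permitted source set; `ALLOCATED_ONLY` and the 192.0.2.0/24 prefix are constructed to contrast a filter built from one allocated prefix with one built from the full set of legitimate sources.

```python
import ipaddress

# Constructed sample: the `ip -6 route` output quoted in the message above.
ROUTES = """\
default from 2001:558:6045:e9:251a:738a:ac86:eaf6 via
fe80::28c6:8eff:febb:9ff0 dev eth0  proto babel  metric 1024
default from 2601:9:4e00:4cb0::/60 via fe80::28c6:8eff:febb:9ff0 dev
eth0  proto babel  metric 1024
default from fde5:dfb9:df90:fff0::/60 via fe80::225:90ff:fef4:a5c5 dev
eth0  proto babel  metric 1024
"""

def parse_source_prefixes(route_output):
    """Return the prefixes that follow 'default from' (wrapped lines are fine)."""
    tokens = route_output.split()
    return [
        ipaddress.ip_network(tokens[i + 2], strict=False)
        for i in range(len(tokens) - 2)
        if tokens[i] == "default" and tokens[i + 1] == "from"
    ]

def permitted(src, allowed):
    """BCP 38 check: accept a packet only if its source is inside an allowed prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in allowed)

def filter_packets(sources, allowed):
    """Split candidate source addresses into (forwarded, dropped)."""
    fwd = [s for s in sources if permitted(s, allowed)]
    return fwd, [s for s in sources if s not in fwd]

# Full set: every source prefix in the table plus a constructed IPv4 prefix,
# since the same check applies to both address families.
FULL_SET = parse_source_prefixes(ROUTES) + [ipaddress.ip_network("192.0.2.0/24")]
# Hypothetical narrow filter: only one allocated prefix is accepted.
ALLOCATED_ONLY = [ipaddress.ip_network("2601:9:4e00:4cb0::/60")]

if __name__ == "__main__":
    test = ["2601:9:4e00:4cb3::10", "fde5:dfb9:df90:fff1::1", "192.0.2.7", "2001:db8::1"]
    for name, allowed in (("full set", FULL_SET), ("allocated only", ALLOCATED_ONLY)):
        fwd, drop = filter_packets(test, allowed)
        print(f"{name}: forward={fwd} drop={drop}")
```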
