어떤 IPv6 접두사를 라우팅해서는 안됩니까?


12

Link Local 및 Unique Local 주소는 최소한 필터링해야한다는 것이 분명합니다.

  1. 필터링해야하는 LLA / ULA 이외의 것이 있습니까?

  2. LLA의 경우 전체 fe80 :: / 10을 블랭킷 필터링하거나 fe80 :: / 64를 필터링하는 것이 표준 관행입니까?

답변:


12

RFC 6890 섹션 2.2.3은 IPv6의 특수 목적 접두사를 설명합니다. 링크는 여기 :

http://tools.ietf.org/html/rfc6890#page-14

포함 할 접두사는 다음과 같습니다.

               +----------------------+------------------+
               | Attribute            | Value            |
               +----------------------+------------------+
               | Address Block        | ::1/128          |
               | Name                 | Loopback Address |
               | RFC                  | [RFC4291]        |
               | Allocation Date      | February 2006    |
               | Termination Date     | N/A              |
               | Source               | False            |
               | Destination          | False            |
               | Forwardable          | False            |
               | Global               | False            |
               | Reserved-by-Protocol | True             |
               +----------------------+------------------+

                    Table 17: Loopback Address

             +----------------------+---------------------+
             | Attribute            | Value               |
             +----------------------+---------------------+
             | Address Block        | ::/128              |
             | Name                 | Unspecified Address |
             | RFC                  | [RFC4291]           |
             | Allocation Date      | February 2006       |
             | Termination Date     | N/A                 |
             | Source               | True                |
             | Destination          | False               |
             | Forwardable          | False               |
             | Global               | False               |
             | Reserved-by-Protocol | True                |
             +----------------------+---------------------+

                   Table 18: Unspecified Address

            +----------------------+---------------------+
            | Attribute            | Value               |
            +----------------------+---------------------+
            | Address Block        | 64:ff9b::/96        |
            | Name                 | IPv4-IPv6 Translat. |
            | RFC                  | [RFC6052]           |
            | Allocation Date      | October 2010        |
            | Termination Date     | N/A                 |
            | Source               | True                |
            | Destination          | True                |
            | Forwardable          | True                |
            | Global               | True                |
            | Reserved-by-Protocol | False               |
            +----------------------+---------------------+

              Table 19: IPv4-IPv6 Translation Address

             +----------------------+---------------------+
             | Attribute            | Value               |
             +----------------------+---------------------+
             | Address Block        | ::ffff:0:0/96       |
             | Name                 | IPv4-mapped Address |
             | RFC                  | [RFC4291]           |
             | Allocation Date      | February 2006       |
             | Termination Date     | N/A                 |
             | Source               | False               |
             | Destination          | False               |
             | Forwardable          | False               |
             | Global               | False               |
             | Reserved-by-Protocol | True                |
             +----------------------+---------------------+

                   Table 20: IPv4-Mapped Address

          +----------------------+----------------------------+
          | Attribute            | Value                      |
          +----------------------+----------------------------+
          | Address Block        | 100::/64                   |
          | Name                 | Discard-Only Address Block |
          | RFC                  | [RFC6666]                  |
          | Allocation Date      | June 2012                  |
          | Termination Date     | N/A                        |
          | Source               | True                       |
          | Destination          | True                       |
          | Forwardable          | True                       |
          | Global               | False                      |
          | Reserved-by-Protocol | False                      |
          +----------------------+----------------------------+

                   Table 21: Discard-Only Prefix

          +----------------------+---------------------------+
          | Attribute            | Value                     |
          +----------------------+---------------------------+
          | Address Block        | 2001::/23                 |
          | Name                 | IETF Protocol Assignments |
          | RFC                  | [RFC2928]                 |
          | Allocation Date      | September 2000            |
          | Termination Date     | N/A                       |
          | Source               | False[1]                  |
          | Destination          | False[1]                  |
          | Forwardable          | False[1]                  |
          | Global               | False[1]                  |
          | Reserved-by-Protocol | False                     |
          +----------------------+---------------------------+

         [1] Unless allowed by a more specific allocation.

                +----------------------+----------------+
                | Attribute            | Value          |
                +----------------------+----------------+
                | Address Block        | 2001::/32      |
                | Name                 | TEREDO         |
                | RFC                  | [RFC4380]      |
                | Allocation Date      | January 2006   |
                | Termination Date     | N/A            |
                | Source               | True           |
                | Destination          | True           |
                | Forwardable          | True           |
                | Global               | False          |
                | Reserved-by-Protocol | False          |
                +----------------------+----------------+

                         Table 23: TEREDO

                +----------------------+----------------+
                | Attribute            | Value          |
                +----------------------+----------------+
                | Address Block        | 2001:2::/48    |
                | Name                 | Benchmarking   |
                | RFC                  | [RFC5180]      |
                | Allocation Date      | April 2008     |
                | Termination Date     | N/A            |
                | Source               | True           |
                | Destination          | True           |
                | Forwardable          | True           |
                | Global               | False          |
                | Reserved-by-Protocol | False          |
                +----------------------+----------------+

                      Table 24: Benchmarking

                +----------------------+---------------+
                | Attribute            | Value         |
                +----------------------+---------------+
                | Address Block        | 2001:db8::/32 |
                | Name                 | Documentation |
                | RFC                  | [RFC3849]     |
                | Allocation Date      | July 2004     |
                | Termination Date     | N/A           |
                | Source               | False         |
                | Destination          | False         |
                | Forwardable          | False         |
                | Global               | False         |
                | Reserved-by-Protocol | False         |
                +----------------------+---------------+

                      Table 25: Documentation

                 +----------------------+--------------+
                 | Attribute            | Value        |
                 +----------------------+--------------+
                 | Address Block        | 2001:10::/28 |
                 | Name                 | ORCHID       |
                 | RFC                  | [RFC4843]    |
                 | Allocation Date      | March 2007   |
                 | Termination Date     | March 2014   |
                 | Source               | False        |
                 | Destination          | False        |
                 | Forwardable          | False        |
                 | Global               | False        |
                 | Reserved-by-Protocol | False        |
                 +----------------------+--------------+

                         Table 26: ORCHID

                +----------------------+---------------+
                | Attribute            | Value         |
                +----------------------+---------------+
                | Address Block        | 2002::/16 [2] |
                | Name                 | 6to4          |
                | RFC                  | [RFC3056]     |
                | Allocation Date      | February 2001 |
                | Termination Date     | N/A           |
                | Source               | True          |
                | Destination          | True          |
                | Forwardable          | True          |
                | Global               | N/A [2]       |
                | Reserved-by-Protocol | False         |
                +----------------------+---------------+

                  [2] See [RFC3056] for details.

                          Table 27: 6to4

                 +----------------------+--------------+
                 | Attribute            | Value        |
                 +----------------------+--------------+
                 | Address Block        | fc00::/7     |
                 | Name                 | Unique-Local |
                 | RFC                  | [RFC4193]    |
                 | Allocation Date      | October 2005 |
                 | Termination Date     | N/A          |
                 | Source               | True         |
                 | Destination          | True         |
                 | Forwardable          | True         |
                 | Global               | False        |
                 | Reserved-by-Protocol | False        |
                 +----------------------+--------------+

                      Table 28: Unique-Local

            +----------------------+-----------------------+
            | Attribute            | Value                 |
            +----------------------+-----------------------+
            | Address Block        | fe80::/10             |
            | Name                 | Linked-Scoped Unicast |
            | RFC                  | [RFC4291]             |
            | Allocation Date      | February 2006         |
            | Termination Date     | N/A                   |
            | Source               | True                  |
            | Destination          | True                  |
            | Forwardable          | False                 |
            | Global               | False                 |
            | Reserved-by-Protocol | True                  |
            +----------------------+-----------------------+

                      Table 29: Linked-Scoped Unicast

이것으로 충분합니다. bogon을 필터링하는 옵션도 있지만 Team Cymru와 같은 피어링을 설정하지 않으면 약간 과잉이라고 느낍니다.


모든 특수 목적 주소가 "라우팅해서는 안됩니다"또는 "적어도 필터링되어야"한다는 데 동의하지 않습니다. 예를 들어, "전달 가능"및 "전역"으로 표시된 플래그 중 일부, 특히 NAT64의 경우 64 : ff9b :: / 96이 있습니다.
zevlag

분명히 이러한 접두사를 사용하는 경우 접두사를 필터링해서는 안됩니다. 아마도 Teredo 등을 사용하고 있지만 NAT 또는 터널링을 실행하지 않는 한 기본 자세로 필터링해야합니다.
Daniel Dib

2
왜 2002 :: / 16을 필터링 하시겠습니까? 전환 메커니즘으로 6to4를 사용하는 사람이 나와 통신하는 것을 막을 수 있습니다.
Paul Gear

6

세 가지 옵션이 있습니다.

첫 번째로 가장 정확한 것은 SimonJGreen이 설명하는 것처럼 Team Cymru와 피어링을 설정하는 것입니다. 가장 정확한 목록, 피어링 유지의 단점, 정책 설명 / 경로 맵 등의 이점이 있습니다.

두 번째 경로는 링크 로컬 접두사, 이전 6Bone 3FFE :: / 16 접두사 등 "와일드에서는 절대 볼 수없는"접두사를 거부하고 접두사와 접두사를 결합하는 것입니다. 예는 아래를 참조하십시오. 장점은 이것이 가장 쉬운 구성이고 단점은 첫 번째 옵션만큼 정확하지 않다는 것입니다.

구현 하지 말아야 할 세 번째 경로 는 Team Cymru에서 게시 한 현재 ipv6 bogon 목록을 가져 와서 구성에서 정적 필터로 붙여 넣는 것입니다. 이것은 몇 년 전에 많은 사람들이 ipv4로 한 일이며 오늘날 많은 고통을 겪습니다 ...이 옵션을 사용하지 마십시오. 이제까지.

예를 들어 다음은 ipv6 접두사를 허용하고 접두사가 거부 할 수있는 적절한 목록입니다.

ipv6 prefix-list in-filter-v6 seq 5 deny 3ffe::/16 le 128 
ipv6 prefix-list in-filter-v6 seq 10 deny 2001:db8::/32 le 128 
ipv6 prefix-list in-filter-v6 seq 15 permit 2001::/32 
ipv6 prefix-list in-filter-v6 seq 20 deny 2001::/32 le 128 
ipv6 prefix-list in-filter-v6 seq 25 permit 2002::/16 
ipv6 prefix-list in-filter-v6 seq 30 deny 2002::/16 le 128 
ipv6 prefix-list in-filter-v6 seq 35 deny ::/8 le 128 
ipv6 prefix-list in-filter-v6 seq 40 deny fe00::/9 le 128 
ipv6 prefix-list in-filter-v6 seq 45 deny ff00::/8 le 128 
ipv6 prefix-list in-filter-v6 seq 50 permit 2000::/3 le 48 
ipv6 prefix-list in-filter-v6 seq 55 deny ::/0 le 128 

4

http://www.team-cymru.org/Services/Bogons/http.html 의 IPv6 Fullbogons 목록을 참조하십시오.

자동 필터링을 수행하려는 경우 DNS , RADB , RIPE 또는 BGP 를 통해 사용할 수 있습니다 .

Cisco에서 자동으로 필터링하는 예는 다음과 같습니다.

router bgp <your asn>
 ! Session 1
 neighbor A.B.C.D remote-as 65332
 neighbor A.B.C.D description <your description>
 neighbor A.B.C.D ebgp-multihop 255
 neighbor A.B.C.D password <your password>
 ! Session 2
 neighbor E.F.G.H remote-as 65332
 neighbor E.F.G.H description <your description>
 neighbor E.F.G.H ebgp-multihop 255
 neighbor E.F.G.H password <your password>
!
 address-family ipv4
  ! Session 1
  neighbor A.B.C.D activate
  neighbor A.B.C.D soft-reconfiguration inbound
  neighbor A.B.C.D prefix-list cymru-out-v4 out
  neighbor A.B.C.D route-map CYMRUBOGONS-V4 in
  ! Session 2
  neighbor E.F.G.H activate
  neighbor E.F.G.H soft-reconfiguration inbound
  neighbor E.F.G.H prefix-list cymru-out-v4 out
  neighbor E.F.G.H route-map CYMRUBOGONS-V4 in
!
 address-family ipv6
  ! Session 1
  neighbor A.B.C.D activate
  neighbor A.B.C.D soft-reconfiguration inbound
  neighbor A.B.C.D prefix-list cymru-out-v6 out
  neighbor A.B.C.D route-map CYMRUBOGONS-V6 in
  ! Session 2
  neighbor E.F.G.H activate
  neighbor E.F.G.H soft-reconfiguration inbound
  neighbor E.F.G.H prefix-list cymru-out-v6 out
  neighbor E.F.G.H route-map CYMRUBOGONS-V6 in
!
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
!
ip community-list 100 permit 65332:888
!
ip route 192.0.2.1 255.255.255.255 Null0
!
ip prefix-list cymru-out-v4 seq 5 deny 0.0.0.0/0 le 32
!
ipv6 route 2001:DB8:0:DEAD:BEEF::1/128 Null0
!
ipv6 prefix-list cymru-out-v6 seq 5 deny ::/0 le 128
!
route-map CYMRUBOGONS-V6 permit 10
description IPv6 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ipv6 next-hop 2001:DB8:0:DEAD:BEEF::1
!
route-map CYMRUBOGONS-V4 permit 10
description IPv4 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ip next-hop 192.0.2.1

그리고 JunOS를위한 것이 하나 있습니다 :

/*
* Define BGP peer group
*/
delete protocols bgp group cymru-bogons
set protocols bgp group cymru-bogons type external
set protocols bgp group cymru-bogons description "cymru fullbogon bgp feed (ipv4 + 6)"
set protocols bgp group cymru-bogons multihop ttl 255
set protocols bgp group cymru-bogons import cymru-bogons-in
/*
* Define MD5 password in quotes
*/
set protocols bgp group cymru-bogons authentication-key "<YOUR PASSWORD>"
set protocols bgp group cymru-bogons export deny-all
set protocols bgp group cymru-bogons peer-as 65332
/*
* Replace values below as appropriate
*/
set protocols bgp group cymru-bogons neighbor A.B.C.D local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet unicast
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet6 unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet6 unicast
/*
* Define CYMRU import policy
*/
delete policy-options policy-statement cymru-bogons-in
set policy-options policy-statement cymru-bogons-in term 1 from family inet
set policy-options policy-statement cymru-bogons-in term 1 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 1 then community add no-export
set policy-options policy-statement cymru-bogons-in term 1 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 1 then accept
set policy-options policy-statement cymru-bogons-in term 2 from family inet6
set policy-options policy-statement cymru-bogons-in term 2 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 2 then community add no-export
set policy-options policy-statement cymru-bogons-in term 2 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 2 then accept
set policy-options policy-statement cymru-bogons-in then reject
/*
* Define deny-all export policy
*/
delete policy-options policy-statement deny-all
set policy-options policy-statement deny-all then reject
/*
* Define CYMRU Bogon community
*/
delete policy-options community comm-cymru-bogon
set policy-options community comm-cymru-bogon members no-export
set policy-options community comm-cymru-bogon members 65332:888
/*
* Define internal no-export community
*/
delete policy-options community comm-no-export
set policy-options community comm-no-export members no-export


당사 사이트를 사용함과 동시에 당사의 쿠키 정책개인정보 보호정책을 읽고 이해하였음을 인정하는 것으로 간주합니다.
Licensed under cc by-sa 3.0 with attribution required.