リンクローカルアドレスと一意のローカルアドレスを少なくともフィルタリングする必要があることは明らかです。
LLA / ULA以外にフィルタリングする必要があるものはありますか?
LLAの場合、fe80 :: / 10全体をブランケットフィルター処理するのが標準的な方法ですか、それともfe80 :: / 64のみをフィルター処理するのですか?
リンクローカルアドレスと一意のローカルアドレスを少なくともフィルタリングする必要があることは明らかです。
LLA / ULA以外にフィルタリングする必要があるものはありますか?
LLAの場合、fe80 :: / 10全体をブランケットフィルター処理するのが標準的な方法ですか、それともfe80 :: / 64のみをフィルター処理するのですか?
回答:
RFC 6890セクション2.2.3では、IPv6の特別な目的のプレフィックスについて説明しています。リンクはこちら:
http://tools.ietf.org/html/rfc6890#page-14
含めるプレフィックスは次のとおりです。
+----------------------+------------------+
| Attribute | Value |
+----------------------+------------------+
| Address Block | ::1/128 |
| Name | Loopback Address |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+------------------+
Table 17: Loopback Address
+----------------------+---------------------+
| Attribute | Value |
+----------------------+---------------------+
| Address Block | ::/128 |
| Name | Unspecified Address |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | True |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+---------------------+
Table 18: Unspecified Address
+----------------------+---------------------+
| Attribute | Value |
+----------------------+---------------------+
| Address Block | 64:ff9b::/96 |
| Name | IPv4-IPv6 Translat. |
| RFC | [RFC6052] |
| Allocation Date | October 2010 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | True |
| Reserved-by-Protocol | False |
+----------------------+---------------------+
Table 19: IPv4-IPv6 Translation Address
+----------------------+---------------------+
| Attribute | Value |
+----------------------+---------------------+
| Address Block | ::ffff:0:0/96 |
| Name | IPv4-mapped Address |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+---------------------+
Table 20: IPv4-Mapped Address
+----------------------+----------------------------+
| Attribute | Value |
+----------------------+----------------------------+
| Address Block | 100::/64 |
| Name | Discard-Only Address Block |
| RFC | [RFC6666] |
| Allocation Date | June 2012 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+----------------------------+
Table 21: Discard-Only Prefix
+----------------------+---------------------------+
| Attribute | Value |
+----------------------+---------------------------+
| Address Block | 2001::/23 |
| Name | IETF Protocol Assignments |
| RFC | [RFC2928] |
| Allocation Date | September 2000 |
| Termination Date | N/A |
| Source | False[1] |
| Destination | False[1] |
| Forwardable | False[1] |
| Global | False[1] |
| Reserved-by-Protocol | False |
+----------------------+---------------------------+
[1] Unless allowed by a more specific allocation.
+----------------------+----------------+
| Attribute | Value |
+----------------------+----------------+
| Address Block | 2001::/32 |
| Name | TEREDO |
| RFC | [RFC4380] |
| Allocation Date | January 2006 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+----------------+
Table 23: TEREDO
+----------------------+----------------+
| Attribute | Value |
+----------------------+----------------+
| Address Block | 2001:2::/48 |
| Name | Benchmarking |
| RFC | [RFC5180] |
| Allocation Date | April 2008 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+----------------+
Table 24: Benchmarking
+----------------------+---------------+
| Attribute | Value |
+----------------------+---------------+
| Address Block | 2001:db8::/32 |
| Name | Documentation |
| RFC | [RFC3849] |
| Allocation Date | July 2004 |
| Termination Date | N/A |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+---------------+
Table 25: Documentation
+----------------------+--------------+
| Attribute | Value |
+----------------------+--------------+
| Address Block | 2001:10::/28 |
| Name | ORCHID |
| RFC | [RFC4843] |
| Allocation Date | March 2007 |
| Termination Date | March 2014 |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+--------------+
Table 26: ORCHID
+----------------------+---------------+
| Attribute | Value |
+----------------------+---------------+
| Address Block | 2002::/16 [2] |
| Name | 6to4 |
| RFC | [RFC3056] |
| Allocation Date | February 2001 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | N/A [2] |
| Reserved-by-Protocol | False |
+----------------------+---------------+
[2] See [RFC3056] for details.
Table 27: 6to4
+----------------------+--------------+
| Attribute | Value |
+----------------------+--------------+
| Address Block | fc00::/7 |
| Name | Unique-Local |
| RFC | [RFC4193] |
| Allocation Date | October 2005 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+--------------+
Table 28: Unique-Local
+----------------------+-----------------------+
| Attribute | Value |
+----------------------+-----------------------+
| Address Block | fe80::/10 |
| Name | Linked-Scoped Unicast |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+-----------------------+
Table 29: Linked-Scoped Unicast
これで十分でしょう。bogonをフィルタリングするオプションもありますが、Team Cymruなどへのピアリングをセットアップしない限り、少しやり過ぎです。
あなたが行くことができる3つのオプションがあります。
最初の、そして最も正確なものは、SimonJGreenが説明するように、Team Cymruとのピアリングをセットアップすることです。最も正確なリストを持つという利点、ピアリングを維持するという欠点、ポリシーステートメント/ルートマップなどがあります。
2番目のルートは、リンクローカルプレフィックス、古い6Bone 3FFE :: / 16プレフィックスなど、「野生では見られない」プレフィックスを拒否し、表示されるプレフィックスと組み合わせることです。例については、以下を参照してください。利点は、これが最も簡単な構成であり、欠点は最初のオプションほど正確ではないことです。
実装すべきではない 3番目のルートは、Team Cymruが公開している現在のipv6 bogonリストを取得し、構成に静的フィルターとして貼り付けることです。これは、多くの人が数年前にipv4で行ったことであり、今日多くの苦しみにつながります。このオプションを使用しないでください。今まで。
例として、許可するプレフィックスと拒否するプレフィックスの適切なリストを次に示します。
ipv6 prefix-list in-filter-v6 seq 5 deny 3ffe::/16 le 128
ipv6 prefix-list in-filter-v6 seq 10 deny 2001:db8::/32 le 128
ipv6 prefix-list in-filter-v6 seq 15 permit 2001::/32
ipv6 prefix-list in-filter-v6 seq 20 deny 2001::/32 le 128
ipv6 prefix-list in-filter-v6 seq 25 permit 2002::/16
ipv6 prefix-list in-filter-v6 seq 30 deny 2002::/16 le 128
ipv6 prefix-list in-filter-v6 seq 35 deny ::/8 le 128
ipv6 prefix-list in-filter-v6 seq 40 deny fe00::/9 le 128
ipv6 prefix-list in-filter-v6 seq 45 deny ff00::/8 le 128
ipv6 prefix-list in-filter-v6 seq 50 permit 2000::/3 le 48
ipv6 prefix-list in-filter-v6 seq 55 deny ::/0 le 128
http://www.team-cymru.org/Services/Bogons/http.htmlの IPv6 Fullbogonsリストを参照してください。
これは、自動フィルタリングを実行する場合、DNS、RADB、RIPE、またはBGPからも利用できます。
シスコで自動的にフィルタリングする例を次に示します。
router bgp <your asn>
! Session 1
neighbor A.B.C.D remote-as 65332
neighbor A.B.C.D description <your description>
neighbor A.B.C.D ebgp-multihop 255
neighbor A.B.C.D password <your password>
! Session 2
neighbor E.F.G.H remote-as 65332
neighbor E.F.G.H description <your description>
neighbor E.F.G.H ebgp-multihop 255
neighbor E.F.G.H password <your password>
!
address-family ipv4
! Session 1
neighbor A.B.C.D activate
neighbor A.B.C.D soft-reconfiguration inbound
neighbor A.B.C.D prefix-list cymru-out-v4 out
neighbor A.B.C.D route-map CYMRUBOGONS-V4 in
! Session 2
neighbor E.F.G.H activate
neighbor E.F.G.H soft-reconfiguration inbound
neighbor E.F.G.H prefix-list cymru-out-v4 out
neighbor E.F.G.H route-map CYMRUBOGONS-V4 in
!
address-family ipv6
! Session 1
neighbor A.B.C.D activate
neighbor A.B.C.D soft-reconfiguration inbound
neighbor A.B.C.D prefix-list cymru-out-v6 out
neighbor A.B.C.D route-map CYMRUBOGONS-V6 in
! Session 2
neighbor E.F.G.H activate
neighbor E.F.G.H soft-reconfiguration inbound
neighbor E.F.G.H prefix-list cymru-out-v6 out
neighbor E.F.G.H route-map CYMRUBOGONS-V6 in
!
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
!
ip community-list 100 permit 65332:888
!
ip route 192.0.2.1 255.255.255.255 Null0
!
ip prefix-list cymru-out-v4 seq 5 deny 0.0.0.0/0 le 32
!
ipv6 route 2001:DB8:0:DEAD:BEEF::1/128 Null0
!
ipv6 prefix-list cymru-out-v6 seq 5 deny ::/0 le 128
!
route-map CYMRUBOGONS-V6 permit 10
description IPv6 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ipv6 next-hop 2001:DB8:0:DEAD:BEEF::1
!
route-map CYMRUBOGONS-V4 permit 10
description IPv4 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ip next-hop 192.0.2.1
そして、JunOSの1つです。
/*
* Define BGP peer group
*/
delete protocols bgp group cymru-bogons
set protocols bgp group cymru-bogons type external
set protocols bgp group cymru-bogons description "cymru fullbogon bgp feed (ipv4 + 6)"
set protocols bgp group cymru-bogons multihop ttl 255
set protocols bgp group cymru-bogons import cymru-bogons-in
/*
* Define MD5 password in quotes
*/
set protocols bgp group cymru-bogons authentication-key "<YOUR PASSWORD>"
set protocols bgp group cymru-bogons export deny-all
set protocols bgp group cymru-bogons peer-as 65332
/*
* Replace values below as appropriate
*/
set protocols bgp group cymru-bogons neighbor A.B.C.D local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet unicast
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet6 unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet6 unicast
/*
* Define CYMRU import policy
*/
delete policy-options policy-statement cymru-bogons-in
set policy-options policy-statement cymru-bogons-in term 1 from family inet
set policy-options policy-statement cymru-bogons-in term 1 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 1 then community add no-export
set policy-options policy-statement cymru-bogons-in term 1 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 1 then accept
set policy-options policy-statement cymru-bogons-in term 2 from family inet6
set policy-options policy-statement cymru-bogons-in term 2 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 2 then community add no-export
set policy-options policy-statement cymru-bogons-in term 2 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 2 then accept
set policy-options policy-statement cymru-bogons-in then reject
/*
* Define deny-all export policy
*/
delete policy-options policy-statement deny-all
set policy-options policy-statement deny-all then reject
/*
* Define CYMRU Bogon community
*/
delete policy-options community comm-cymru-bogon
set policy-options community comm-cymru-bogon members no-export
set policy-options community comm-cymru-bogon members 65332:888
/*
* Define internal no-export community
*/
delete policy-options community comm-no-export
set policy-options community comm-no-export members no-export
このIPv6フィルタリングの推奨事項は少し古いですが、まだ基本的な権利があると思います:http : //www.space.net/~gert/RIPE/ipv6-filters.html
「深い」フィルタリングを行いたい場合は、チームcymruテンプレートとbogonsプロジェクトをご覧ください。