Il me semble clair que les adresses Link Local et Unique Local doivent au moins être filtrées.
Y a-t-il autre chose que LLA / ULA qui devrait être filtré?
Pour LLA, est-il courant de filtrer le fe80 :: / 10 complet, ou simplement de filtrer le fe80 :: / 64?
Réponses:
La section 2.2.3 de la RFC 6890 décrit des préfixes spéciaux pour IPv6. Le lien est ici:
http://tools.ietf.org/html/rfc6890#page-14
Les préfixes à inclure sont:
+----------------------+------------------+
| Attribute | Value |
+----------------------+------------------+
| Address Block | ::1/128 |
| Name | Loopback Address |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+------------------+
Table 17: Loopback Address
+----------------------+---------------------+
| Attribute | Value |
+----------------------+---------------------+
| Address Block | ::/128 |
| Name | Unspecified Address |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | True |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+---------------------+
Table 18: Unspecified Address
+----------------------+---------------------+
| Attribute | Value |
+----------------------+---------------------+
| Address Block | 64:ff9b::/96 |
| Name | IPv4-IPv6 Translat. |
| RFC | [RFC6052] |
| Allocation Date | October 2010 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | True |
| Reserved-by-Protocol | False |
+----------------------+---------------------+
Table 19: IPv4-IPv6 Translation Address
+----------------------+---------------------+
| Attribute | Value |
+----------------------+---------------------+
| Address Block | ::ffff:0:0/96 |
| Name | IPv4-mapped Address |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+---------------------+
Table 20: IPv4-Mapped Address
+----------------------+----------------------------+
| Attribute | Value |
+----------------------+----------------------------+
| Address Block | 100::/64 |
| Name | Discard-Only Address Block |
| RFC | [RFC6666] |
| Allocation Date | June 2012 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+----------------------------+
Table 21: Discard-Only Prefix
+----------------------+---------------------------+
| Attribute | Value |
+----------------------+---------------------------+
| Address Block | 2001::/23 |
| Name | IETF Protocol Assignments |
| RFC | [RFC2928] |
| Allocation Date | September 2000 |
| Termination Date | N/A |
| Source | False[1] |
| Destination | False[1] |
| Forwardable | False[1] |
| Global | False[1] |
| Reserved-by-Protocol | False |
+----------------------+---------------------------+
[1] Unless allowed by a more specific allocation.
+----------------------+----------------+
| Attribute | Value |
+----------------------+----------------+
| Address Block | 2001::/32 |
| Name | TEREDO |
| RFC | [RFC4380] |
| Allocation Date | January 2006 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+----------------+
Table 23: TEREDO
+----------------------+----------------+
| Attribute | Value |
+----------------------+----------------+
| Address Block | 2001:2::/48 |
| Name | Benchmarking |
| RFC | [RFC5180] |
| Allocation Date | April 2008 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+----------------+
Table 24: Benchmarking
+----------------------+---------------+
| Attribute | Value |
+----------------------+---------------+
| Address Block | 2001:db8::/32 |
| Name | Documentation |
| RFC | [RFC3849] |
| Allocation Date | July 2004 |
| Termination Date | N/A |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+---------------+
Table 25: Documentation
+----------------------+--------------+
| Attribute | Value |
+----------------------+--------------+
| Address Block | 2001:10::/28 |
| Name | ORCHID |
| RFC | [RFC4843] |
| Allocation Date | March 2007 |
| Termination Date | March 2014 |
| Source | False |
| Destination | False |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+--------------+
Table 26: ORCHID
+----------------------+---------------+
| Attribute | Value |
+----------------------+---------------+
| Address Block | 2002::/16 [2] |
| Name | 6to4 |
| RFC | [RFC3056] |
| Allocation Date | February 2001 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | N/A [2] |
| Reserved-by-Protocol | False |
+----------------------+---------------+
[2] See [RFC3056] for details.
Table 27: 6to4
+----------------------+--------------+
| Attribute | Value |
+----------------------+--------------+
| Address Block | fc00::/7 |
| Name | Unique-Local |
| RFC | [RFC4193] |
| Allocation Date | October 2005 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | True |
| Global | False |
| Reserved-by-Protocol | False |
+----------------------+--------------+
Table 28: Unique-Local
+----------------------+-----------------------+
| Attribute | Value |
+----------------------+-----------------------+
| Address Block | fe80::/10 |
| Name | Linked-Scoped Unicast |
| RFC | [RFC4291] |
| Allocation Date | February 2006 |
| Termination Date | N/A |
| Source | True |
| Destination | True |
| Forwardable | False |
| Global | False |
| Reserved-by-Protocol | True |
+----------------------+-----------------------+
Table 29: Linked-Scoped Unicast
Cela devrait suffire. Il existe également la possibilité de filtrer les bogons, mais cela semble un peu exagéré, sauf si vous configurez le peering vers Team Cymru ou autre.
Vous pouvez choisir entre trois options.
Le premier, et le plus précis, consiste à configurer le peering avec Team Cymru, comme l'explique SimonJGreen. Vous avez l'avantage d'avoir la liste la plus précise, l'inconvénient de maintenir l'homologation, les déclarations de politique / les itinéraires, etc.
La deuxième voie, serait de refuser les préfixes que "vous ne devriez jamais voir dans la nature", tels que le préfixe link-local, l'ancien préfixe 6Bone 3FFE :: / 16, etc. et le combiner avec les préfixes que vous devriez voir. Voir ci-dessous pour un exemple. L'avantage est qu'il s'agit de la configuration la plus simple, l'inconvénient est qu'elle n'est pas aussi précise que la première option.
La troisième route, que vous ne devriez jamais implémenter, consiste à prendre la liste des bogons ipv6 actuelle, telle que publiée par Team Cymru, et à la coller en tant que filtres statiques dans votre configuration. C'est ce que beaucoup de gens ont fait avec ipv4 il y a quelques années, et cela fait beaucoup souffrir aujourd'hui ... Ne faites pas cette option. Déjà.
À titre d'exemple, voici une liste décente de préfixes ipv6 à autoriser et de préfixes à refuser:
ipv6 prefix-list in-filter-v6 seq 5 deny 3ffe::/16 le 128
ipv6 prefix-list in-filter-v6 seq 10 deny 2001:db8::/32 le 128
ipv6 prefix-list in-filter-v6 seq 15 permit 2001::/32
ipv6 prefix-list in-filter-v6 seq 20 deny 2001::/32 le 128
ipv6 prefix-list in-filter-v6 seq 25 permit 2002::/16
ipv6 prefix-list in-filter-v6 seq 30 deny 2002::/16 le 128
ipv6 prefix-list in-filter-v6 seq 35 deny ::/8 le 128
ipv6 prefix-list in-filter-v6 seq 40 deny fe00::/9 le 128
ipv6 prefix-list in-filter-v6 seq 45 deny ff00::/8 le 128
ipv6 prefix-list in-filter-v6 seq 50 permit 2000::/3 le 48
ipv6 prefix-list in-filter-v6 seq 55 deny ::/0 le 128
Voir la liste IPv6 Fullbogons sur http://www.team-cymru.org/Services/Bogons/http.html
Ceci est également disponible via DNS , RADB , RIPE ou BGP si vous souhaitez effectuer un filtrage automatique.
Voici un exemple de filtrage automatique sur Cisco:
router bgp <your asn>
! Session 1
neighbor A.B.C.D remote-as 65332
neighbor A.B.C.D description <your description>
neighbor A.B.C.D ebgp-multihop 255
neighbor A.B.C.D password <your password>
! Session 2
neighbor E.F.G.H remote-as 65332
neighbor E.F.G.H description <your description>
neighbor E.F.G.H ebgp-multihop 255
neighbor E.F.G.H password <your password>
!
address-family ipv4
! Session 1
neighbor A.B.C.D activate
neighbor A.B.C.D soft-reconfiguration inbound
neighbor A.B.C.D prefix-list cymru-out-v4 out
neighbor A.B.C.D route-map CYMRUBOGONS-V4 in
! Session 2
neighbor E.F.G.H activate
neighbor E.F.G.H soft-reconfiguration inbound
neighbor E.F.G.H prefix-list cymru-out-v4 out
neighbor E.F.G.H route-map CYMRUBOGONS-V4 in
!
address-family ipv6
! Session 1
neighbor A.B.C.D activate
neighbor A.B.C.D soft-reconfiguration inbound
neighbor A.B.C.D prefix-list cymru-out-v6 out
neighbor A.B.C.D route-map CYMRUBOGONS-V6 in
! Session 2
neighbor E.F.G.H activate
neighbor E.F.G.H soft-reconfiguration inbound
neighbor E.F.G.H prefix-list cymru-out-v6 out
neighbor E.F.G.H route-map CYMRUBOGONS-V6 in
!
! Depending on IOS version, you may need to configure your router
! for new-style community syntax.
ip bgp-community new-format
!
ip community-list 100 permit 65332:888
!
ip route 192.0.2.1 255.255.255.255 Null0
!
ip prefix-list cymru-out-v4 seq 5 deny 0.0.0.0/0 le 32
!
ipv6 route 2001:DB8:0:DEAD:BEEF::1/128 Null0
!
ipv6 prefix-list cymru-out-v6 seq 5 deny ::/0 le 128
!
route-map CYMRUBOGONS-V6 permit 10
description IPv6 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ipv6 next-hop 2001:DB8:0:DEAD:BEEF::1
!
route-map CYMRUBOGONS-V4 permit 10
description IPv4 Filter bogons learned from cymru.com bogon route-servers
match community 100
set ip next-hop 192.0.2.1
Et en voici un pour JunOS:
/*
* Define BGP peer group
*/
delete protocols bgp group cymru-bogons
set protocols bgp group cymru-bogons type external
set protocols bgp group cymru-bogons description "cymru fullbogon bgp feed (ipv4 + 6)"
set protocols bgp group cymru-bogons multihop ttl 255
set protocols bgp group cymru-bogons import cymru-bogons-in
/*
* Define MD5 password in quotes
*/
set protocols bgp group cymru-bogons authentication-key "<YOUR PASSWORD>"
set protocols bgp group cymru-bogons export deny-all
set protocols bgp group cymru-bogons peer-as 65332
/*
* Replace values below as appropriate
*/
set protocols bgp group cymru-bogons neighbor A.B.C.D local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet unicast
set protocols bgp group cymru-bogons neighbor A.B.C.D family inet6 unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H local-address <YOUR IP>
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet unicast
set protocols bgp group cymru-bogons neighbor E.F.G.H family inet6 unicast
/*
* Define CYMRU import policy
*/
delete policy-options policy-statement cymru-bogons-in
set policy-options policy-statement cymru-bogons-in term 1 from family inet
set policy-options policy-statement cymru-bogons-in term 1 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 1 then community add no-export
set policy-options policy-statement cymru-bogons-in term 1 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 1 then accept
set policy-options policy-statement cymru-bogons-in term 2 from family inet6
set policy-options policy-statement cymru-bogons-in term 2 from community comm-cymru-bogon
set policy-options policy-statement cymru-bogons-in term 2 then community add no-export
set policy-options policy-statement cymru-bogons-in term 2 then next-hop discard
set policy-options policy-statement cymru-bogons-in term 2 then accept
set policy-options policy-statement cymru-bogons-in then reject
/*
* Define deny-all export policy
*/
delete policy-options policy-statement deny-all
set policy-options policy-statement deny-all then reject
/*
* Define CYMRU Bogon community
*/
delete policy-options community comm-cymru-bogon
set policy-options community comm-cymru-bogon members no-export
set policy-options community comm-cymru-bogon members 65332:888
/*
* Define internal no-export community
*/
delete policy-options community comm-no-export
set policy-options community comm-no-export members no-export
Cette recommandation de filtrage IPv6 est un peu datée, mais elle a toujours les principes fondamentaux, je pense: http://www.space.net/~gert/RIPE/ipv6-filters.html
si vous voulez faire un filtrage "en profondeur" vous pouvez jeter un œil au projet de cymru et de bogons de l'équipe cymru: