K. Ishihara    KDDI CORPORATION
M. Mukai       KDDI CORPORATION
R. Hiromi      Intec NetCore Inc.
M. Mawatari    DREAM TRAIN INTERNET INC.
Date: 2008/08/26

       Packet Filter and Route Filter Recommendation for IPv6 at xSP routers

Abstract

   This document describes packet filtering and route filtering techniques
   for the border routers of xSPs and defines recommended filtering rules.
   The rules fall into two categories. The "Minimum required filter set" is
   what every xSP is encouraged to apply as the baseline of router
   operation. The "Considered filter set on its necessity" is applied after
   considering your own network operation, management and resources.

   All rule sets follow the ideas below, and we strongly recommend that all
   xSP networks apply them to their routers.

   o Only the IPv6 network is considered. The IPv4 case is out of scope.
   o No influence on user traffic. (The purpose of the filters is to prevent
     attack, intrusion and theft, not to restrict legitimate communication.)
   o Do not send or receive unnecessary or garbage packets and route
     information.
   o Application-specific port filters, e.g. OP25B or P2P applications, are
     out of scope.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  For Transit Connection Interface
       3-1. Minimum required filter set
            3-1-1. Packet Filters
                   3-1-1-1. Ingress Packet Filters
                   3-1-1-2. Egress Packet Filters
            3-1-2. Route Filters
                   3-1-2-1. Ingress Prefix Filters
                   3-1-2-2. Egress Prefix Filters
                   3-1-2-3. Ingress AS-PATH Filters
                   3-1-2-4. Egress AS-PATH Filters
       3-2. Considered filter set on its necessity
            (filters whose need depends on your network)
            3-2-1. Packet Filters
                   3-2-1-1. Ingress Packet Filters
                   3-2-1-2. Egress Packet Filters
            3-2-2. Route Filters
                   3-2-2-1. Ingress Prefix Filters
                   3-2-2-2. Egress Prefix Filters
                   3-2-2-3. Ingress AS-PATH Filters
                   3-2-2-4. Egress AS-PATH Filters
       3-3. Additional effective techniques for reduction of OAM on filtering
   4.  For Public and Private Peering Connection Interface
       4-1. Minimum required filter set
            4-1-1. Packet Filters
                   4-1-1-1. Ingress Packet Filters
                   4-1-1-2. Egress Packet Filters
            4-1-2. Route Filters
                   4-1-2-1. Ingress Prefix Filters
                   4-1-2-2. Egress Prefix Filters
                   4-1-2-3. Ingress AS-PATH Filters
                   4-1-2-4. Egress AS-PATH Filters
       4-2. Considered filter set on its necessity
            (filters whose need depends on your network)
            4-2-1. Packet Filters
                   4-2-1-1. Ingress Packet Filters
                   4-2-1-2. Egress Packet Filters
            4-2-2. Route Filters
                   4-2-2-1. Ingress Prefix Filters
                   4-2-2-2. Egress Prefix Filters
                   4-2-2-3. Ingress AS-PATH Filters
                   4-2-2-4. Egress AS-PATH Filters
       4-3. Additional effective techniques for reduction of OAM on filtering
   5.  For Customer Connection Interface
       5-1. Minimum required filter set
            5-1-1. Packet Filters
                   5-1-1-1. Ingress Packet Filters
                   5-1-1-2. Egress Packet Filters
            5-1-2. Route Filters
                   5-1-2-1. Ingress Prefix Filters
                   5-1-2-2. Egress Prefix Filters
                   5-1-2-3. Ingress AS-PATH Filters
                   5-1-2-4. Egress AS-PATH Filters
       5-2. Considered filter set on its necessity
            (filters whose need depends on your network)
            5-2-1. Packet Filters
                   5-2-1-1. Ingress Packet Filters
                   5-2-1-2. Egress Packet Filters
            5-2-2. Route Filters
                   5-2-2-1. Ingress Prefix Filters
                   5-2-2-2. Egress Prefix Filters
                   5-2-2-3. Ingress AS-PATH Filters
                   5-2-2-4. Egress AS-PATH Filters
       5-3. Additional effective techniques for reduction of OAM on filtering
   6.  For Access to Router
       6-1. Minimum required filter set
            6-1-1. Packet Filters
                   6-1-1-1. Ingress Packet Filters
                   6-1-1-2. Egress Packet Filters
       6-2. Considered filter set on its necessity
            (filters whose need depends on your network)
            6-2-1. Packet Filters
                   6-2-1-1. Ingress Packet Filters
                   6-2-1-2. Egress Packet Filters
       6-3. Additional effective techniques for reduction of OAM on filtering
   7.  Acknowledgments
   8.  References
       8-1. Normative References
       8-2. Informative References
   9.  Author's Address
   10. Disclaimer
   11. Distribution Policy of This Document
   Appendix A: About 6bone
   Appendix B: About 6to4
   Appendix C: Useful info on IANA IPv6 Special Purpose Address Registry
   Update History

1. Introduction

   As IPv6 network operation becomes practical, security must be considered
   at the same level as in IPv4 networks. There is little difference between
   IPv4 and IPv6 in how packet filtering and route filtering are done, but
   operators are encouraged to understand the differences that come from
   the protocol specification and the additional features IPv6 brings, and
   their effect on filtering.

   This document describes current best practice for filtering. It will
   therefore be revised as further operating experience is gained.

2. Terminology

   1. xSP : a service provider which
      o provides Internet connectivity
      o is a (global) ASN holder
      o interconnects with other ASes using BGP
   2. Packet Filter : a filtering technique applied in a router to IP
      header information. In this document it means filtering on the
      source and destination address fields (and, for access to the router
      itself in Section 6, on the transport protocol and port).
   3. Prefix Filter : a filter on prefix and prefix-length information.
      Also called a "Prefix Based Filter".
   4. AS-PATH Filter : a filter on the AS-PATH attribute.
   5. Route Filter : generic term that covers both "Prefix Filter" and
      "AS-PATH Filter".
   6. Transit : exchange of "full route" routing information with other BGP
      systems.
   7. Peer : a neighbor BGP speaker; a router/switch which announces the
      routes of its AS in BGP.

3. For Transit Connection Interface

3-1. Minimum required filter set

3-1-1. Packet Filters

3-1-1-1. Ingress Packet Filters

   [1] Accept all ICMPv6 packets. Neighbor Discovery and Path MTU Discovery
       are carried in ICMPv6 and are necessary for IPv6 communication.

   [2] Reject packets whose source address falls in the following
       special-use prefixes.
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8
       - IETF reserved address (formerly site-local address) : fec0::/10
       - Unique-local address : fc00::/7
       - Multicast address : ff00::/8
       - Documentation address : 2001:db8::/32
       * Take care not to reject the ICMPv6 packets that Duplicate Address
         Detection sends from the unspecified address (::/128). There is no
         problem if all ICMPv6 is accepted by a rule evaluated before this
         one, as in [1] above. Link-local sources (fe80::/10) are
         intentionally not listed here: neighbors on the link use them for
         Neighbor Discovery.

   [3] Reject packets whose source address is in your own prefix.
       - Note that this filter may interfere with asymmetric routing
         mechanisms such as UDLR in satellite Internet services.

3-1-1-2. Egress Packet Filters

   - N/A -

3-1-2. Route Filters

3-1-2-1. Ingress Prefix Filters

   [1] Reject the following special-use prefixes.
       - Default route : ::/0 exact
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8 or longer
       - Link-local address : fe80::/10 or longer
       - IETF reserved address (formerly site-local address) : fec0::/10 or
         longer
       - Unique-local address : fc00::/7 or longer
       - Multicast address : ff00::/8 or longer
       - Documentation address : 2001:db8::/32 or longer

   [2] Reject your own prefix.
       (Example) If your xSP network holds 2001:db8::/32, reject
       2001:db8::/32 or longer.

3-1-2-2. Egress Prefix Filters

   [1] Advertise only the aggregate of your own prefix.
       - Do not advertise more-specific fragments of it outside your AS.

   [2] Reject the following special-use prefixes.
       - Default route : ::/0 exact
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8 or longer
       - Link-local address : fe80::/10 or longer
       - IETF reserved address (formerly site-local address) : fec0::/10 or
         longer
       - Unique-local address : fc00::/7 or longer
       - Multicast address : ff00::/8 or longer
       - Documentation address : 2001:db8::/32 or longer

3-1-2-3. Ingress AS-PATH Filters

   - N/A -

3-1-2-4. Egress AS-PATH Filters

   [1] Do not advertise private AS numbers to the outside.
       - Outline : If your network connects to another BGP system that uses
         a private AS number, remove that private AS number from the AS-PATH
         before advertising to external systems (for example with
         remove-private-as or the equivalent on your platform).
       - Effect : Prevents accidents in which routes carrying a private AS
         number in the AS-PATH spread across the Internet.

3-2. Considered filter set on its necessity
     (filters whose need depends on your network)

3-2-1. Packet Filters

3-2-1-1. Ingress Packet Filters

   [1] Limit ICMPv6 on the interface used for the transit connection.
       (Example) Accept only selected ICMPv6 types.
       - Prerequisite : Neighbor Discovery and Path MTU Discovery must keep
         working, so the types they use (Neighbor/Router Solicitation and
         Advertisement, Packet Too Big) must stay accepted. RFC4890 (8-2-2)
         lists which types to pass.
       - Advantage : Attacks that abuse ICMPv6 can be defended against to
         some degree.
       - Weakness : Traceroute through a router that limits ICMPv6 may no
         longer confirm reachability, because the Time Exceeded and
         Destination Unreachable replies it relies on are filtered.

3-2-1-2. Egress Packet Filters

   [1] Reject packets whose source address falls in the following
       special-use prefixes.
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8
       - IETF reserved address (formerly site-local address) : fec0::/10
       - Unique-local address : fc00::/7
       - Multicast address : ff00::/8
       - Documentation address : 2001:db8::/32
       * IPv6 communication requires ICMPv6 packets sourced from the
         unspecified address (::/128) for the Duplicate Address Detection
         (DAD) mechanism; do not reject those control packets.
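The ingress and egress source-address rules of 3-1-1-1 and 3-2-1-2, including the rule-ordering point about DAD probes sourced from ::, as an added Python example written for this page. It is not part of the original document and not router configuration. 2000::/32 and 2000:1::1 are constructed stand-ins for the xSP's own allocation and an unrelated remote address; the document's 2001:db8::/32 placeholder cannot play the "own prefix" role here because it is also the documentation prefix that the filter rejects.

```python
import ipaddress
from dataclasses import dataclass

# Special-use source prefixes listed in 3-1-1-1 [2]. Link-local (fe80::/10)
# is deliberately absent: neighbours source Neighbor Discovery from it.
SPECIAL_USE_SOURCES = [ipaddress.ip_network(p) for p in (
    "::/8",           # covers ::1/128, ::/128, ::/96 and ::ffff:0:0/96
    "fec0::/10",      # IETF reserved (formerly site-local)
    "fc00::/7",       # unique-local
    "ff00::/8",       # multicast is never a valid source address
    "2001:db8::/32",  # documentation
)]

ICMPV6 = 58  # IPv6 Next Header value for ICMPv6
UNSPECIFIED = ipaddress.ip_address("::")

# Assumed stand-in for "your own prefix" (a real deployment puts its RIR
# allocation here). 2000::/32 is not an allocated prefix; it is used only
# because the document's 2001:db8::/32 placeholder is also the
# documentation prefix that the filter itself rejects.
OWN_PREFIX = "2000::/32"


@dataclass(frozen=True)
class Packet:
    src: str          # IPv6 source address
    dst: str          # IPv6 destination address
    next_header: int  # upper-layer protocol: 6 = TCP, 17 = UDP, 58 = ICMPv6


def ingress_verdict(pkt: Packet, own_prefix: str = OWN_PREFIX) -> str:
    """Minimum ingress packet filter of 3-1-1-1 for one packet.

    Returns "accept" or "reject:<reason>". Rule order matters: the ICMPv6
    accept of [1] is evaluated first so that Duplicate Address Detection
    probes, sourced from the unspecified address ::, are not dropped by the
    ::/8 entry of [2].
    """
    src = ipaddress.ip_address(pkt.src)
    if src.version != 6:
        return "reject:not IPv6"
    if pkt.next_header == ICMPV6:                      # [1]
        return "accept"
    for net in SPECIAL_USE_SOURCES:                    # [2]
        if src in net:
            return f"reject:special-use source {net}"
    if src in ipaddress.ip_network(own_prefix):        # [3] anti-spoofing
        return "reject:own prefix as source"
    return "accept"


def egress_verdict(pkt: Packet) -> str:
    """Egress packet filter of 3-2-1-2 [1]: the same special-use sources
    must not leave the AS, except the DAD probes ICMPv6 sends from ::."""
    src = ipaddress.ip_address(pkt.src)
    if src.version != 6:
        return "reject:not IPv6"
    if pkt.next_header == ICMPV6 and src == UNSPECIFIED:
        return "accept"
    for net in SPECIAL_USE_SOURCES:
        if src in net:
            return f"reject:special-use source {net}"
    return "accept"


if __name__ == "__main__":
    # Constructed sample packets; 2000:1::1 stands in for an unrelated
    # remote address.
    samples = (Packet("::", "ff02::1:ff00:1", ICMPV6),      # DAD probe
               Packet("2000::1", "2000:1::1", 6),           # spoofs our prefix
               Packet("::ffff:192.0.2.1", "2000::1", 6),    # IPv4-mapped source
               Packet("2000:1::1", "2000::1", 6))           # ordinary traffic
    for pkt in samples:
        print(f"{pkt.src:>20} -> {ingress_verdict(pkt)}")
```

Swapping the order of [1] and [2] in `ingress_verdict` would make the DAD probe fail the ::/8 check, which is exactly the mistake the note under 3-1-1-1 [2] warns about; a link-local source (fe80::1) passes both functions because it is not in the list.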
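The route-filter side of the same interface, as an added example that is not part of the original document: it applies the minimum ingress and egress prefix rules of 3-1-2-1 and 3-1-2-2 (default route exact, special-use "or longer", own prefix or longer, no fragments outbound) and the private-AS removal of 3-1-2-4, and goes beyond the minimum set by also implementing the long-prefix threshold, AS-PATH length limit and Max-Prefix-Limit that 3-2-2 and 3-3 describe, using the document's example values (/49 or longer, 50 hops). The 2000::/32 own prefix, the max-prefix value and the route representation are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Special-use prefixes rejected "or longer" (the prefix and every more
# specific) on ingress and egress, per 3-1-2-1 [1] and 3-1-2-2 [2].
SPECIAL_USE_ROUTES = [ipaddress.ip_network(p) for p in (
    "::/8", "fe80::/10", "fec0::/10", "fc00::/7", "ff00::/8", "2001:db8::/32")]
DEFAULT_ROUTE = ipaddress.ip_network("::/0")   # rejected "exact"


def is_private_as(asn: int) -> bool:
    """Private-use ASNs: 64512-65534 and 4200000000-4294967294 (RFC 6996)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


@dataclass(frozen=True)
class Route:
    prefix: str        # NLRI as text, e.g. "2000:1::/32"
    as_path: tuple     # AS_PATH flattened to a tuple of ASNs, nearest first


@dataclass
class IngressPolicy:
    own_prefix: str               # your aggregate (assumed stand-in: 2000::/32)
    max_prefix_len: int = 48      # 3-2-2-1 [1] example: reject /49 or longer
    max_as_path_len: int = 50     # 3-2-2-3 [1] example: reject 50 hops or more
    max_prefixes: int = 10000     # 3-3 [1] Max-Prefix-Limits (assumed value)


def ingress_route_verdict(route: Route, pol: IngressPolicy) -> str:
    """Minimum ingress prefix rules of 3-1-2-1 plus the considered-set
    thresholds of 3-2-2. Returns "accept" or "reject:<reason>"."""
    p = ipaddress.ip_network(route.prefix)
    if p == DEFAULT_ROUTE:
        return "reject:default route"
    for net in SPECIAL_USE_ROUTES:
        if p.subnet_of(net):
            return f"reject:special-use {net} or longer"
    if p.subnet_of(ipaddress.ip_network(pol.own_prefix)):
        return "reject:own prefix or longer"            # 3-1-2-1 [2]
    if p.prefixlen > pol.max_prefix_len:
        return f"reject:longer than /{pol.max_prefix_len}"
    if len(route.as_path) >= pol.max_as_path_len:
        return "reject:as-path too long"
    return "accept"


def egress_route_verdict(route: Route, own_prefix: str) -> str:
    """3-1-2-2: advertise your aggregate, never its fragments or any
    special-use prefix."""
    p = ipaddress.ip_network(route.prefix)
    own = ipaddress.ip_network(own_prefix)
    if p == DEFAULT_ROUTE:
        return "reject:default route"
    for net in SPECIAL_USE_ROUTES:
        if p.subnet_of(net):
            return f"reject:special-use {net} or longer"
    if p != own and p.subnet_of(own):
        return "reject:fragment of own prefix"
    return "accept"


def remove_private_as(as_path: tuple) -> tuple:
    """3-1-2-4 [1]: strip private ASNs before the path leaves your AS.
    This drops every private ASN in the path; router implementations
    differ (some only strip a leading run), so check your platform."""
    return tuple(asn for asn in as_path if not is_private_as(asn))


class Session:
    """One eBGP neighbour with a Max-Prefix-Limit (3-3 [1]). Exceeding the
    limit tears the session down, which protects the RIB but also drops
    every route from that neighbour: choose the threshold with care."""

    def __init__(self, pol: IngressPolicy):
        self.pol = pol
        self.accepted = {}
        self.state = "established"

    def receive(self, route: Route) -> str:
        if self.state != "established":
            return "reject:session down"
        verdict = ingress_route_verdict(route, self.pol)
        if verdict == "accept":
            self.accepted[route.prefix] = route
            if len(self.accepted) > self.pol.max_prefixes:
                self.state = "down"
                self.accepted.clear()
                return "reject:max-prefix exceeded, session torn down"
        return verdict


if __name__ == "__main__":
    pol = IngressPolicy(own_prefix="2000::/32")
    for r in (Route("::/0", (64496,)), Route("2000:0:1::/48", (64496,)),
              Route("2000:1::/32", (64496,) * 50), Route("2000:1::/32", (64496,))):
        print(r.prefix, ingress_route_verdict(r, pol))
    print(remove_private_as((64496, 65001, 64497)))
```

`Session` shows the failure mode behind the Note in 3-3 [1]: with `max_prefixes` set too low, the third perfectly valid route from a growing neighbour takes the whole session down.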
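3-2-2-1 [2] and 4-2-2-1 [3] below recommend accepting only prefixes the RIRs have actually delegated, built from the delegated-<rir>-latest files listed in 8-2-4. As an added example (not from the original document), this parser reads that file format, keeps the allocated and assigned IPv6 records, checks an announced prefix against them with the long-prefix threshold of 3-2-2-1 [1], renders the result as Cisco-style prefix-list lines, and diffs two fetches so the filter is regenerated when the registry data changes. The sample records are constructed, not real registry data; the prefix-list name and sequence numbering are assumptions.

```python
import ipaddress

# Constructed sample in the delegated-<rir>-latest format of 8-2-4 (not real
# registry data). Record fields: registry|cc|type|start|value|date|status;
# for ipv6 records "value" is the prefix length. The first line is the file
# version header and the "summary" line only carries record counts.
SAMPLE_DELEGATED = """\
2|apnic|20080826|3|19830101|20080826|+1000
apnic|*|ipv6|*|3|summary
apnic|JP|ipv6|2001:db8::|33|20010101|allocated
apnic|AU|ipv6|2001:db8:8000::|34|20050101|assigned
apnic|ZZ|ipv6|2001:db8:c000::|34|20080101|reserved
"""


def parse_delegated(text: str, statuses=("allocated", "assigned")) -> list:
    """Return the IPv6 delegations with an accepted status as networks."""
    nets = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        # skip the version header (no "ipv6" type) and summary lines
        if len(f) < 7 or f[2] != "ipv6" or f[3] == "*":
            continue
        if f[6] not in statuses:       # "reserved"/"available" are not routable
            continue
        nets.append(ipaddress.ip_network(f"{f[3]}/{f[4]}"))
    return nets


def covering_allocation(prefix: str, allocations, max_len: int = 48):
    """Most specific delegation covering `prefix`, or None.

    `max_len` is the long-prefix threshold of 3-2-2-1 [1]: a /49 is refused
    even when it lies inside a valid delegation."""
    p = ipaddress.ip_network(prefix)
    if p.prefixlen > max_len:
        return None
    best = None
    for net in allocations:
        if p.subnet_of(net) and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return None if best is None else str(best)


def render_prefix_list(allocations, name: str, max_len: int = 48) -> list:
    """Cisco-style prefix-list lines: each delegation, or longer, up to max_len."""
    return [f"ipv6 prefix-list {name} seq {5 * (i + 1)} permit {net} le {max_len}"
            for i, net in enumerate(allocations)]


def allowlist_diff(old, new):
    """(added, removed) between two fetches; regenerate the filter whenever
    either list is non-empty (the update note in 3-2-2-1 [2])."""
    added = sorted(str(n) for n in set(new) - set(old))
    removed = sorted(str(n) for n in set(old) - set(new))
    return added, removed


if __name__ == "__main__":
    allocs = parse_delegated(SAMPLE_DELEGATED)
    print("\n".join(render_prefix_list(allocs, "RIR-IN")))
    for pfx in ("2001:db8:1::/48", "2001:db8:c000::/48", "2001:db8:0:8000::/49"):
        print(pfx, "->", covering_allocation(pfx, allocs))
```

The reserved record is dropped on purpose: a prefix that the RIR has not delegated to anyone should not be accepted from a neighbour, which is the whole point of the allow-list. Running `allowlist_diff` against the previous fetch before pushing a new prefix-list is the practical form of the "update your filter list occasionally" note.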
3-2-2. Route Filters

3-2-2-1. Ingress Prefix Filters

   [1] Reject fragmented (long) prefixes.
       - Reject prefixes longer than a threshold, choosing the threshold so
         that no xSP loses reachability.
       (Example) Reject /33 or longer prefixes.
                 Reject /49 or longer prefixes.

   [2] Accept only prefixes allocated by the RIRs to xSPs.
       - Accept only allocated prefixes, referring to each RIR's
         delegated-*-latest file (refer to 8-2-4); the IANA unicast
         assignment list (8-2-3) gives the top-level blocks delegated to
         each RIR.
       * Note that the RIRs update their allocation lists continually, so
         your filter list must be regenerated regularly (refer to 8-2-4).

3-2-2-2. Egress Prefix Filters

   - N/A -

3-2-2-3. Ingress AS-PATH Filters

   [1] Reject routes whose AS-PATH is longer than a fixed value.
       - Choose the value so that no xSP loses reachability.
       (Example) Reject routes whose AS-PATH length is 50 hops or more.

3-2-2-4. Egress AS-PATH Filters

   - N/A -

3-3. Additional effective techniques for reduction of OAM on filtering

   [1] Max-Prefix-Limits
       - Outline : Set the maximum number of prefixes accepted from one BGP
         neighbor; this puts a threshold on received prefixes.
       - Effect : When a neighbor starts advertising a large number of
         routes because of a fault, the overload of routers in your AS that
         would result from accepting them is prevented.
       - Note : The threshold must be chosen with care. On most platforms
         exceeding it tears the session down, so a value that is too low
         cuts off a neighbor whose table has merely grown normally.

4. For Public and Private Peering Connection Interface

4-1. Minimum required filter set

4-1-1. Packet Filters

4-1-1-1. Ingress Packet Filters

   [1] Accept all ICMPv6 packets. Neighbor Discovery and Path MTU Discovery
       are carried in ICMPv6 and are necessary for IPv6 communication.

   [2] Reject packets whose source address falls in the following
       special-use prefixes.
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8
       - IETF reserved address (formerly site-local address) : fec0::/10
       - Unique-local address : fc00::/7
       - Multicast address : ff00::/8
       - Documentation address : 2001:db8::/32
       * Take care not to reject the ICMPv6 packets that Duplicate Address
         Detection sends from the unspecified address (::/128). There is no
         problem if all ICMPv6 is accepted by a rule evaluated before this
         one, as in [1] above.

   [3] Reject packets whose source address is in your own prefix.
       - Note that this filter may interfere with asymmetric routing
         mechanisms such as UDLR in satellite Internet services.

4-1-1-2. Egress Packet Filters

   - N/A -

4-1-2. Route Filters

4-1-2-1. Ingress Prefix Filters

   [1] Reject the following special-use prefixes.
       - Default route : ::/0 exact
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8 or longer
       - Link-local address : fe80::/10 or longer
       - IETF reserved address (formerly site-local address) : fec0::/10 or
         longer
       - Unique-local address : fc00::/7 or longer
       - Multicast address : ff00::/8 or longer
       - Documentation address : 2001:db8::/32 or longer

   [2] Reject your own prefix.
       (Example) If your xSP network holds 2001:db8::/32, reject
       2001:db8::/32 or longer.

4-1-2-2. Egress Prefix Filters

   [1] Advertise only the aggregate of your own prefix.
       - Do not advertise more-specific fragments of it outside your AS.

   [2] Reject the following special-use prefixes.
       - Default route : ::/0 exact
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8 or longer
       - Link-local address : fe80::/10 or longer
       - IETF reserved address (formerly site-local address) : fec0::/10 or
         longer
       - Unique-local address : fc00::/7 or longer
       - Multicast address : ff00::/8 or longer
       - Documentation address : 2001:db8::/32 or longer

4-1-2-3. Ingress AS-PATH Filters

   - N/A -

4-1-2-4. Egress AS-PATH Filters

   [1] Do not advertise private AS numbers to the outside.
       - Outline : If your network connects to another BGP system that uses
         a private AS number, remove that private AS number from the AS-PATH
         before advertising to external systems (for example with
         remove-private-as or the equivalent on your platform).
       - Effect : Prevents accidents in which routes carrying a private AS
         number in the AS-PATH spread across the Internet.

4-2. Considered filter set on its necessity
     (filters whose need depends on your network)

4-2-1. Packet Filters

4-2-1-1. Ingress Packet Filters

   [1] Limit ICMPv6 on the interface used for the IX connection or the
       private peering connection.
       (Example) Accept only selected ICMPv6 types.
       - Prerequisite : Neighbor Discovery and Path MTU Discovery must keep
         working, so the types they use must stay accepted (see RFC4890,
         8-2-2).
       - Advantage : Attacks that abuse ICMPv6 can be defended against to
         some degree.
       - Weakness : Traceroute through a router that limits ICMPv6 may no
         longer confirm reachability, because the Time Exceeded and
         Destination Unreachable replies it relies on are filtered.

4-2-1-2. Egress Packet Filters

   [1] Reject packets whose source address falls in the following
       special-use prefixes.
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8
       - IETF reserved address (formerly site-local address) : fec0::/10
       - Unique-local address : fc00::/7
       - Multicast address : ff00::/8
       - Documentation address : 2001:db8::/32
       * IPv6 communication requires ICMPv6 packets sourced from the
         unspecified address (::/128) for the Duplicate Address Detection
         (DAD) mechanism; do not reject those control packets.

4-2-2. Route Filters

4-2-2-1. Ingress Prefix Filters

   [1] Reject fragmented (long) prefixes.
       - Reject prefixes longer than a threshold, choosing the threshold so
         that no xSP loses reachability.
       (Example) Reject /33 or longer prefixes.
                 Reject /49 or longer prefixes.

   [2] Accept only the prefixes your peering partners have notified you of.
       - Configure the prefix filter from the prefix update notifications
         received from the peering partners.

   [3] Accept only prefixes allocated by the RIRs to xSPs.
       - Accept only allocated prefixes, referring to each RIR's
         delegated-*-latest file (refer to 8-2-4).
       * Note that the RIRs update their allocation lists continually, so
         your filter list must be regenerated regularly (refer to 8-2-4).

4-2-2-2. Egress Prefix Filters

   - N/A -

4-2-2-3. Ingress AS-PATH Filters

   [1] Reject routes whose AS-PATH is longer than a fixed value.
       - Choose the value so that no xSP loses reachability.
       (Example) Reject routes whose AS-PATH length is 50 hops or more.

   [2] Accept only routes with the specific AS-PATHs your peering partners
       have notified you of.
       - Configure the AS-PATH filter from the AS-PATH update notifications
         received from the peering partners.

4-2-2-4. Egress AS-PATH Filters

   - N/A -

4-3. Additional effective techniques for reduction of OAM on filtering

   [1] Max-Prefix-Limits
       - Outline : Set the maximum number of prefixes accepted from one BGP
         neighbor; this puts a threshold on received prefixes.
       - Effect : When a neighbor starts advertising a large number of
         routes because of a fault, the overload of routers in your AS that
         would result from accepting them is prevented.
       - Note : The threshold must be chosen with care. On most platforms
         exceeding it tears the session down, so a value that is too low
         cuts off a neighbor whose table has merely grown normally.

5. For Customer Connection Interface

5-1. Minimum required filter set

5-1-1. Packet Filters

5-1-1-1. Ingress Packet Filters

   [1] Accept all ICMPv6 packets. Neighbor Discovery and Path MTU Discovery
       are carried in ICMPv6 and are necessary for IPv6 communication.

   [2] Reject packets whose source address falls in the following
       special-use prefixes.
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8
       - IETF reserved address (formerly site-local address) : fec0::/10
       - Unique-local address : fc00::/7
       - Multicast address : ff00::/8
       - Documentation address : 2001:db8::/32
       * Take care not to reject the ICMPv6 packets that Duplicate Address
         Detection sends from the unspecified address (::/128). There is no
         problem if all ICMPv6 is accepted by a rule evaluated before this
         one, as in [1] above.

   [3] (For transit customers) Reject packets whose source address is in
       your own prefix.

5-1-1-2. Egress Packet Filters

   - N/A -

5-1-2. Route Filters (route filters intended for BGP connection customers)

5-1-2-1. Ingress Prefix Filters

   [1] (For BGP connection customers using a private AS number) Accept only
       the prefix assigned to the customer.
       (Example) If 2001:db8::/32 is assigned to the customer, accept only
       2001:db8::/32 exact.

   [2] (For transit customers) Accept only the prefixes the customer has
       notified you of.
       (Example) Accept 2001:db8::/32 exact when the customer has notified
       you that it will advertise 2001:db8::/32.

5-1-2-2. Egress Prefix Filters

   [1] Advertise only the aggregate of your own prefix.
       - Do not advertise more-specific fragments of it outside your AS.

   [2] Reject the following special-use prefixes.
       - Default route : ::/0 exact
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8 or longer
       - Link-local address : fe80::/10 or longer
       - IETF reserved address (formerly site-local address) : fec0::/10 or
         longer
       - Unique-local address : fc00::/7 or longer
       - Multicast address : ff00::/8 or longer
       - Documentation address : 2001:db8::/32 or longer

5-1-2-3. Ingress AS-PATH Filters

   - N/A -

5-1-2-4. Egress AS-PATH Filters

   [1] Do not advertise private AS numbers to the outside.
       - Outline : If your network connects to another BGP system that uses
         a private AS number, remove that private AS number from the AS-PATH
         before advertising to external systems (for example with
         remove-private-as or the equivalent on your platform).
       - Effect : Prevents accidents in which routes carrying a private AS
         number in the AS-PATH spread across the Internet.

5-2. Considered filter set on its necessity
     (filters whose need depends on your network)

5-2-1. Packet Filters

5-2-1-1. Ingress Packet Filters

   [1] Limit ICMPv6 on the interface used for the customer connection.
       (Example) Accept only selected ICMPv6 types.
       - Prerequisite : Neighbor Discovery and Path MTU Discovery must keep
         working, so the types they use must stay accepted (see RFC4890,
         8-2-2).
       - Advantage : Attacks that abuse ICMPv6 can be defended against to
         some degree.
       - Weakness : Traceroute through a router that limits ICMPv6 may no
         longer confirm reachability, because the Time Exceeded and
         Destination Unreachable replies it relies on are filtered.

   [2] Accept only packets whose source address is in the prefix owned by
       the customer.
       - Note that this filter may interfere with asymmetric routing
         mechanisms such as UDLR in satellite Internet services.
         Confirmation with the customer might be required.

   [3] Reject BGP (179/TCP) packets whose destination address is in an IX
       segment your AS is connected to. (Alternatively, the same packets can
       be rejected by an ingress filter on the core-side interface of the
       router that connects to the IX.)
       - Effect : Keeps hosts on the customer side from reaching the BGP
         sessions of your routers and your peers on the IX segment, so
         attempts to disrupt or spoof those TCP sessions cannot be launched
         from a customer connection.

5-2-1-2. Egress Packet Filters

   [1] Reject packets whose source address falls in the following
       special-use prefixes.
       - Prefix containing the loopback address (::1/128), the unspecified
         address (::/128), the IETF reserved block formerly used for
         IPv4-compatible IPv6 addresses (::/96) and IPv4-mapped IPv6
         addresses (::ffff:0:0/96) : ::/8
       - IETF reserved address (formerly site-local address) : fec0::/10
       - Unique-local address : fc00::/7
       - Multicast address : ff00::/8
       - Documentation address : 2001:db8::/32
       * IPv6 communication requires ICMPv6 packets sourced from the
         unspecified address (::/128) for the Duplicate Address Detection
         (DAD) mechanism; do not reject those control packets.

5-2-2. Route Filters (route filters intended for BGP connection customers)

5-2-2-1. Ingress Prefix Filters

   - N/A -

5-2-2-2. Egress Prefix Filters

   - N/A -

5-2-2-3. Ingress AS-PATH Filters

   [1] Accept only routes with the specific AS-PATHs the BGP customers have
       notified you of.
       - Configure the AS-PATH filter from the AS-PATH update notifications
         received from the BGP customers.

5-2-2-4. Egress AS-PATH Filters

   - N/A -

5-3. Additional effective techniques for reduction of OAM on filtering

   [1] Max-Prefix-Limits
       - Outline : Set the maximum number of prefixes accepted from one BGP
         neighbor; this puts a threshold on received prefixes.
       - Effect : When a neighbor starts advertising a large number of
         routes because of a fault, the overload of routers in your AS that
         would result from accepting them is prevented.
       - Note : The threshold must be chosen with care. On most platforms
         exceeding it tears the session down, so a value that is too low
         cuts off a neighbor whose table has merely grown normally.

6. For Access to Router

6-1. Minimum required filter set

6-1-1. Packet Filters

6-1-1-1. Ingress Packet Filters

   [1] Limit the source addresses that may reach the following services of
       the router, and accept only packets from those sources.
       - telnet
       - ssh
       - snmp (ReadOnly / ReadWrite)
       - ftp
       - tftp
       - ntp
       * Stop every service that is not used. telnet, ftp and tftp carry
         credentials and configuration in cleartext; prefer ssh/scp and
         disable the cleartext services wherever the platform allows.
       (Example) Limit access to the routers to one segment (e.g. the NOC
       segment) or to specific hosts.

   [2] Accept BGP (179/TCP) packets only when the source address is the
       address of a configured eBGP or iBGP neighbor, and reject all other
       packets to TCP port 179.

   [3] Accept packets whose source address is the link-local address of a
       neighbor.
       - These are needed for Neighbor Discovery.

6-1-1-2. Egress Packet Filters

   - N/A -

6-2. Considered filter set on its necessity
     (filters whose need depends on your network)

6-2-1. Packet Filters

6-2-1-1. Ingress Packet Filters

   [1] Limit ICMPv6 on the interfaces of the router.
       (Example) Accept only selected ICMPv6 types.
       - Prerequisite : Neighbor Discovery and Path MTU Discovery must keep
         working, so the types they use must stay accepted (see RFC4890,
         8-2-2).
       - Advantage : Attacks that abuse ICMPv6 can be defended against to
         some degree.
       - Weakness : Traceroute through a router that limits ICMPv6 may no
         longer confirm reachability, because the Time Exceeded and
         Destination Unreachable replies it relies on are filtered.

6-2-1-2. Egress Packet Filters

   - N/A -

6-3. Additional effective techniques for reduction of OAM on filtering

   [1] System Protection ACL (IP Receive ACL, Loopback0 ACL)
       - Outline : A filter applied to the packets destined to the router
         itself, protecting router resources such as the routing processor.
       - Effect : An effective countermeasure against attack packets aimed
         at the router.

7. Acknowledgments

   This document is based on the material prepared for the IRS (Interdomain
   Routing Security Workshop) presentation "Prefix Filter Recommendation
   for IPv6 at xSP routers". We thank everyone who attended IRS and the
   JANOG mailing list for their great support and cooperation.
   We thank KONDO Kuniaki, YOSHIDA Tomoya and NAKANISHI Ryoko, who made the
   release of this document possible.

8. References

8-1. Normative References

   8-1-1. IPv6 BGP filter recommendations
          http://www.space.net/~gert/RIPE/ipv6-filters.html

8-2. Informative References

   8-2-1. RFC5156 : Special-Use IPv6 Addresses
          http://www.ietf.org/rfc/rfc5156.txt
   8-2-2. RFC4890 : Recommendations for Filtering ICMPv6 Messages in
          Firewalls
          http://www.ietf.org/rfc/rfc4890.txt
   8-2-3. IANA IPv6 Allocated List
          http://www.iana.org/assignments/ipv6-unicast-address-assignments
   8-2-4. RIR allocated Address List
          - APNIC
            http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
          - RIPE/NCC
            ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
          - ARIN
            ftp://ftp.arin.net/pub/stats/arin/delegated-arin-latest
          - LACNIC
            ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest
          - AfriNIC
            ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest

9. Author's Address

   Kiyoteru ISHIHARA
   KDDI CORPORATION
   EMail : ki-ishihara@kddi.com

   Masaru MUKAI
   KDDI CORPORATION
   EMail : ms-mukai@kddi.com

   Ruri HIROMI
   Intec NetCore Inc.
   EMail : hiromi@inetcore.com

   Masataka MAWATARI
   DREAM TRAIN INTERNET INC.
   EMail : mawatari@dti.ad.jp

10. Disclaimer

   We assume no responsibility whatsoever for any damages resulting from
   the use of this document.

11. Distribution Policy of This Document

   Copying and distribution of this document is allowed on condition that
   no changes are made to it.

Appendix A: About 6bone

   6bone was a test bed network for IPv6 defined in RFC2471. It operated
   with the IPv6 test address block 3ffe::/16. The test bed ended on June
   6th, 2006, as decided in RFC3701, and after that date it is advised to
   filter out the test address block 3ffe::/16. In this document we assume
   that filters related to 3ffe::/16 are decided after checking the routes
   actually present in your table, and then applied.

A-1. Concerned Address Filter

A-1-1. Ingress and Egress Packet Filter

   [1] All packets with a source address in 3ffe::/16 should be rejected.

A-1-2. Ingress and Egress Prefix Filter

   [1] 3ffe::/16 or longer prefixes should be rejected.

Appendix B: About 6to4

   6to4 tunneling is defined in RFC3056. The mechanism embeds an IPv4
   address in the IPv6 address and thereby provides automatic
   configuration; it tunnels between IPv6 clouds across IPv4 networks via
   6to4 relay routers. RFC3056 defines 2002::/16 as the dedicated 6to4
   prefix. Therefore, if you filter out 2002::/16, you may break 6to4
   communication.

Appendix C: Useful info on IANA IPv6 Special Purpose Address Registry

   IANA provides the "IPv6 Special Purpose Address Registry - per RFC4773"
   page on its web site at the following URL.

   IANA IPv6 Special Purpose Address Registry - per [RFC4773]
   http://www.iana.org/assignments/iana-ipv6-special-registry

   Note that careful consideration of, and familiarity with, each technical
   specification is desirable before configuring a filter from that list.
   Also note that the list is subject to change and should be reviewed
   regularly.

----------------------------------------------------------------------
Update History
----------------------------------------------------------------------

August 23, 2006: published as jc1006

May 18, 2007: updated as follows
   - modified description of "Special-Use Prefix"
     a. added "IETF reserved Address" to the description of "::/8"
     b. changed the name of "::/96" from "IPv4-compatible IPv6 address" to
        "formerly IPv4-compatible IPv6 address", as it is deprecated by
        RFC4291
     c. changed the description of "IPv4-mapped IPv6 address" from
        "::ffff:/96" to "::ffff:0:0/96"
     d. changed the description of "fec0::/10" from "Site-local Address" to
        "IETF reserved Address (formerly Site-local Address)", as defined
        by RFC3879
   - added a note about update timing in 3-2-2-1 [2] and 4-2-2-1 [3]
   - added a note on "Max-Prefix-Limits" in 3-3 [1], 4-3 [1] and 5-3 [1]
   - modified the URL for "IPv6 Routing Policies Guidelines" in 8-2
   - added "RFC4890" to 8-2
   - added "Appendix C"

June 26, 2007: modified the URL for "RIR allocated Address List : LACNIC"
   in 8-2

August 26, 2008: updated as follows
   - deleted "IPv6 Routing Policies Guidelines" from 8-2
   - added "RFC5156" to 8-2
----------------------------------------------------------------------