[Dnsmasq-discuss] stop-dns-rebind and IPv6
markcross.gpg.01 at gmx.com
Fri Sep 10 01:02:04 BST 2010
Jan 'RedBully' Seiffert wrote:
>> What IPv6 ranges need to be blocked? the IPv4-mapped ones obviously, but
>> ::1 also?
>> What about the fe80:: link-local addresses.
> I would say yes.
> sitelocal are deprecated (but better safe than sorry?),
> hmmm, what's with unique local?
I would propose this blocking:
"being deprecated is no longer valid, and that range
includes the ::/0/128 and ::1/128 already. This will prevent
older software from using such addresses at no connectivity
cost (until this range gets reassigned)"
Some unroutable addresses:
If the system has IPv6 assigned from the ISP, these addresses make no sense in the LAN:
If the address is (or):
BEHAVE 64:ff9b::/96 "Well Known Prefix"
Extract the IPv4 address and do IPv4 testing:
Any RFC1918 10/8, 172.16/12, 192.168/16
"This network" 0.0.0.0/8
Link Local 169.254.0.0/16
Multicast 224.0.0.0/4 maybe not?
Future 240.0.0.0/4 Which includes 255.255.255.255
These addresses may? also be interesting to block (probably not?).
SITELOCAL fec0::/10 (deprecated definition)
V4COMPAT This definition has been deprecated by [RFC4291].
SITELOCAL has been deprecated as of September 2004 [RFC3879].
BEHAVE The "Well Known Prefix" 64:ff9b::/96
DOCUMENT 2001:0DB8::/32 [RFC3849].
6TO4 2002::/16 [RFC3056].
TEREDO 2001::/32 [RFC4380].
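
The "extract the IPv4 address and do IPv4 testing" step from the message, as an added example in C; it is not code from the original post or from dnsmasq. The function names are hypothetical, the IPv4-mapped prefix ::ffff:0:0/96 is included because the quoted question names IPv4-mapped addresses, and multicast is left out because the message marks it "maybe not?".

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4 ranges listed in the message, host byte order (multicast omitted). */
static int v4_blocked(uint32_t a)
{
    static const struct { uint32_t net; int bits; } r[] = {
        { 0x0A000000u,  8 },  /* 10/8       RFC1918 */
        { 0xAC100000u, 12 },  /* 172.16/12  RFC1918 */
        { 0xC0A80000u, 16 },  /* 192.168/16 RFC1918 */
        { 0x00000000u,  8 },  /* 0.0.0.0/8  "this network" */
        { 0xA9FE0000u, 16 },  /* 169.254/16 link local */
        { 0xF0000000u,  4 },  /* 240/4      future, includes 255.255.255.255 */
    };
    for (size_t i = 0; i < sizeof r / sizeof r[0]; i++)
        if (((a ^ r[i].net) >> (32 - r[i].bits)) == 0)
            return 1;
    return 0;
}

/* 1 = drop this AAAA answer, 0 = no embedded private IPv4, -1 = parse error. */
int rebind_blocked6(const char *text)
{
    static const unsigned char wkp[12]    = { 0x00,0x64,0xff,0x9b, 0,0,0,0, 0,0,0,0 }; /* 64:ff9b::/96 */
    static const unsigned char mapped[12] = { 0,0,0,0, 0,0,0,0, 0,0,0xff,0xff };       /* ::ffff:0:0/96 */
    struct in6_addr a6;

    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    if (memcmp(a6.s6_addr, wkp, 12) != 0 && memcmp(a6.s6_addr, mapped, 12) != 0)
        return 0;  /* no embedded IPv4 address; other IPv6 range checks go elsewhere */
    uint32_t v4 = (uint32_t)a6.s6_addr[12] << 24 | (uint32_t)a6.s6_addr[13] << 16 |
                  (uint32_t)a6.s6_addr[14] << 8  | a6.s6_addr[15];
    return v4_blocked(v4);
}

int main(void)
{
    /* Constructed sample answers, not taken from real traffic. */
    const char *samples[] = { "64:ff9b::c0a8:101", "::ffff:10.0.0.1", "64:ff9b::808:808" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s blocked=%d\n", samples[i], rebind_blocked6(samples[i]));
    return 0;
}
```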