[Dnsmasq-discuss] stop-dns-rebind and IPv6
Mark Cross
markcross.gpg.01 at gmx.com
Fri Sep 10 01:02:04 BST 2010
Jan 'RedBully' Seiffert wrote:
>> What IPv6 ranges need to be blocked? the IPv4-mapped ones obviously, but
>> ::1 also?
>> What about the fe80:: link-local addresses.
> I would say yes.
> sitelocal are deprecated (but better safe than sorry?),
> hmmm, what's with unique local?
I would propose this blocking:
V4COMPAT ::0/96
"being deprecated is no longer valid, and that range
includes the ::/0/128 and ::1/128 already. This will prevent
older software from using such addresses at no connectivity
cost (until this range gets reassigned)"
LINKLOCAL fe80::/10
UNIQUELOCAL fc00::/7
Some unroutable addresses:
DOCUMENT 2001:db8::/32
BMWG 2001:0002::/48
ORCHID 2001:10::/28
If the system has IPv6 assigned from the ISP, these addresses make no sense in the LAN:
6TO4 2002::/16
TEREDO 2001::/32
If the address is (or):
V4MAPPED ::ffff:0:0/96
BEHAVE 64:ff9b::/96 "Well Known Prefix"
Extract the IPv4 address and do IPv4 testing:
Any RFC1918 10/8, 172.16/12, 192.168/16
Loopback 127.0.0.0/8
"This network" 0.0.0.0/8
Link Local 169.254.0.0/16
Multicast 224.0.0.0/4 maybe not?
Future 240.0.0.0/4 Which includes 255.255.255.255
These addresses may? also be interesting to block (probably not?).
MULTICAST ff00::/8
SITELOCAL fec0::/10 (deprecated definition)
References:
From: http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
V4COMPAT This definition has been deprecated by [RFC4291].
SITELOCAL has been deprecated as of September 2004 [RFC3879].
BEHAVE The "Well Known Prefix" 64:ff9b::/96
From: http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml
DOCUMENT 2001:0DB8::/32 [RFC3849].
6TO4 2002::/16 [RFC3056].
TEREDO 2001::/32 [RFC4380].
From: http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml
BMWG 2001:0002::/48
ORCHID 2001:10::/28
--
Mark Cross
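
Added example, not part of the original post and not dnsmasq code: the proposed filter applied to a DNS answer address, including the step of extracting the IPv4 address from V4MAPPED and BEHAVE answers and testing it against the IPv4 list. The function name rebind_label, the native_v6 switch and the sample addresses in the final loop are assumptions made up for this sketch.

```python
import ipaddress

# Ranges and labels as proposed in the post. MULTICAST ff00::/8, SITELOCAL
# fec0::/10 and IPv4 multicast are left out: the post is undecided on them.
V6_BLOCK = [("V4COMPAT", "::/96"), ("LINKLOCAL", "fe80::/10"),
            ("UNIQUELOCAL", "fc00::/7"), ("DOCUMENT", "2001:db8::/32"),
            ("BMWG", "2001:2::/48"), ("ORCHID", "2001:10::/28")]
# Only blocked when the LAN has native IPv6 from the ISP.
V6_IF_NATIVE = [("6TO4", "2002::/16"), ("TEREDO", "2001::/32")]
# Prefixes that carry an IPv4 address in the low 32 bits.
V6_EMBED = [("V4MAPPED", "::ffff:0:0/96"), ("BEHAVE", "64:ff9b::/96")]
V4_BLOCK = [("RFC1918", "10.0.0.0/8"), ("RFC1918", "172.16.0.0/12"),
            ("RFC1918", "192.168.0.0/16"), ("LOOPBACK", "127.0.0.0/8"),
            ("THISNET", "0.0.0.0/8"), ("LINKLOCAL", "169.254.0.0/16"),
            ("FUTURE", "240.0.0.0/4")]


def _match(addr, table):
    """Return the label of the first range in table containing addr."""
    for label, cidr in table:
        if addr in ipaddress.ip_network(cidr):
            return label
    return None


def rebind_label(text, native_v6=False):
    """Label of the blocked range an answer falls in, or None if allowed."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return _match(addr, V4_BLOCK)
    embed = _match(addr, V6_EMBED)
    if embed:
        # Extract the embedded IPv4 address and do the IPv4 testing on it.
        inner = _match(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF), V4_BLOCK)
        return f"{embed}/{inner}" if inner else None
    return _match(addr, V6_BLOCK + (V6_IF_NATIVE if native_v6 else []))


if __name__ == "__main__":
    # Constructed sample answers, not taken from real traffic.
    for a in ["::1", "fd12:3456::1", "::ffff:192.168.1.10",
              "64:ff9b::808:808", "2002:c0a8:101::1", "2606:4700::1111"]:
        print(f"{a:24} {rebind_label(a) or 'allowed'}")
```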