[179888] in North American Network Operators' Group
Re: Updated prefix filtering
daemon@ATHENA.MIT.EDU (Frederik Kriewitz)
Sun May 10 12:57:27 2015
In-Reply-To: <CAA93jw7NrW7D7YOM7gWj+2up3xPFZdv5u=9c3cTdm+wtaGTB6Q@mail.gmail.com>
From: Frederik Kriewitz <frederik@kriewitz.eu>
Date: Sun, 10 May 2015 18:55:07 +0200
To: Dave Taht <dave.taht@gmail.com>
Reply-To: frederik@kriewitz.eu
Cc: NANOG list <nanog@nanog.org>
Hello Dave,
On Sun, May 10, 2015 at 1:49 AM, Dave Taht <dave.taht@gmail.com> wrote:
> I have had a piece long on the spike on how we implemented BCP38 for
> Linux (OpenWrt) devices using the ipset facility.
>
> We had a different use case (preventing all possible internal RFC 1918
> network addresses from escaping, while still allowing punching through
> one layer of NAT), but the underlying ipset facility was easily
> extendible to actually do BCP38 and fast to use, so that is what we
> ended up calling the OpenWrt package. Please contact me offlist if you
> would like a peek at that piece, because the article had some
> structural problems and we never got around to finishing/publishing
> it, and I would like to....
>
> Has there been a BCP38 equivalent published for IPv6?
I don't see how this is related to the OP's problem.
But there's the rpfilter iptables module which can be used for BCP38
IPv4 and IPv6 implementations on Linux routers.
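
As an added illustration that is not part of the original message: a sketch of loading the rpfilter match mentioned above for both IPv4 and IPv6 from a single ruleset. The RPFILTER chain name, log prefix, rate limit and function names are choices made for this example.

```sh
#!/bin/sh
# Added example: build one iptables-restore ruleset that drops packets failing
# the reverse-path check and load it into both the IPv4 and IPv6 raw tables.
# The rpfilter match is only valid in PREROUTING of the raw or mangle table.

# rpfilter_ruleset MODE -> prints the ruleset. MODE is "strict" or "loose".
#   strict: the route back to the source must use the arrival interface
#   loose:  any route back to the source is enough (multihomed/asymmetric)
rpfilter_ruleset() {
    case "${1:-strict}" in
        strict) match="-m rpfilter" ;;
        loose)  match="-m rpfilter --loose" ;;
        *) echo "usage: rpfilter_ruleset strict|loose" >&2; return 2 ;;
    esac
    # Packets that pass the check return to PREROUTING; the rest are
    # logged (rate-limited) and dropped before connection tracking.
    cat <<EOF
*raw
:RPFILTER - [0:0]
-A PREROUTING -j RPFILTER
-A RPFILTER $match -j RETURN
-A RPFILTER -m limit --limit 5/min -j LOG --log-prefix "rpfilter drop: "
-A RPFILTER -j DROP
COMMIT
EOF
}

# apply_rpfilter MODE -> loads the same ruleset for IPv4 and IPv6 (needs root).
# --noflush keeps existing raw-table rules. Run once: a second run appends
# another jump from PREROUTING into RPFILTER.
apply_rpfilter() {
    rules=$(rpfilter_ruleset "${1:-strict}") || return 2
    for restore in iptables-restore ip6tables-restore; do
        printf '%s\n' "$rules" | "$restore" --noflush || return 1
    done
}

# Nothing touches the firewall unless --apply is given explicitly.
case "${1:-}" in
    --apply) apply_rpfilter "${2:-strict}" ;;
    --print) rpfilter_ruleset "${2:-strict}" ;;
esac
```

Strict mode suits single-homed edges; a router with asymmetric paths needs `loose`, which only rejects sources that have no route at all.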