12.07.2015

IPv6 Security
90 Chapter 3: IPv6 Internet Security

Bogon Filtering Challenges and Automation

Filtering the prefixes that an end-user organization advertises is a best practice. It is also a best practice to filter the prefixes a service provider receives from its other service provider peers. Most providers simply permit the /32 allocations that the peer has been assigned. Many service providers trust the peers they connect to and do not perform the filtering needed to protect the Internet from serious problems. These providers know that filtering bogons out of the routes advertised to them is the right thing to do, but many cite the fact that bogon filtering is hard to maintain because the list of bogons keeps changing. Some providers configure bogon filters by hand, but updating the configurations can be automated with some form of script. Keeping the list current matters: when the IANA allocates new address space to a registry and the registry in turn allocates it to ISPs, those ISPs begin routing it for their customers, and a stale bogon filter that still lists that space silently drops their legitimate routes.

There are techniques that help service providers with the burden of maintaining peer filters. It is easy to set up an automated method of pushing an updated bogon list to all peering routers. After the filter is updated, the peer does not need to be hard-reset for the new filter to take effect: a soft reset (route refresh) reapplies it, and any route that flaps is re-evaluated against the updated filter as it shows up in the routing table.

Another technique for filtering the routes accepted from a peer is to leverage an Internet Routing Registry (IRR). These databases contain the registered address allocations of other ISPs, and they can be used to build the prefix list applied to that peer. Routing Policy Specification Language (RPSL), defined in RFC 2622, is the language used to send information to and receive it from a registry. More recently, RPSLng (RFC 4012) added IPv6 and multicast support to its set of object classes. For example, one of the RPSLng classes is the route6 object, which identifies an IPv6 prefix (such as a /32 allocation) that a service provider is entitled to originate, together with the autonomous system that originates it. With objects like this, an IRR can be used to create a specific import or export route filter for the prefixes that should be accepted from or sent to a peer. This adds to the security of IPv6 because the filters can be automated and based on authoritative sources of allocated and assigned prefixes. For the same reason, the IRRs themselves must be secured, and the validity of their data must be checked regularly.

The historical challenge with IRRs has been that their information was not accurate. Because the IPv6 Internet is in its early stages and the current IPv6 Internet routing table has few entries, the data is easy to validate now: the set of IPv6 information in the IRRs is small, so it is practical to start from a clean slate and keep it clean. IRRs help avoid human mistakes and speed deployment through automation. Automation tools exist for IRRs (IRRToolSet, IRR Power Tools) that create filters for peer and customer connections.

Securing BGP Sessions

The Border Gateway Protocol version 4 (BGP4) has been in existence since 1994 and has been updated several times over the past 15 years. BGP4, defined in RFC 4271, is
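The two filtering techniques described above, an automatically regenerated bogon filter and a peer prefix list derived from IRR route6 objects, combined in one added example (this is not code from the book and not one of the IRR toolsets it names). It parses constructed RPSL route6 and as-set objects in the key: value form a registry query returns, expands a hypothetical as-set AS-EXAMPLE (nested sets included), refuses to permit any registered prefix that overlaps a constructed bogon list, emits the result in Cisco IOS ipv6 prefix-list syntax, and applies the same policy to sample announcements. The AS numbers (documentation range), the 3fff::/20 prefixes (documentation space used as if allocated), the ULA route6 object standing in for inaccurate registry data, and the bogon entries are all constructed sample data; the /48 maximum prefix length and the prefix-list name are assumptions.

```python
import ipaddress

# Constructed RPSL data in the key: value form an IRR query returns (RFC 2622/4012).
# ASNs come from the documentation range (RFC 5398); the 3fff:: prefixes sit in the
# documentation block 3fff::/20 (RFC 9637) and are used here as if they were real
# allocations. The ULA route6 object stands in for inaccurate registry data.
IRR_TEXT = """\
route6:   3fff:100::/32
origin:   AS64500

route6:   3fff:200::/32
origin:   AS64501

route6:   3fff:300::/32
origin:   AS64502

route6:   fd00:1234::/32
origin:   AS64502

as-set:   AS-EXAMPLE
members:  AS64500, AS-EXAMPLE-CUST

as-set:   AS-EXAMPLE-CUST
members:  AS64501, AS64502
"""

# Constructed, deliberately short bogon list (a real one also carries 2001:db8::/32
# and 3fff::/20). Fetch it from a maintained source and regenerate on every change.
BOGONS = [ipaddress.IPv6Network(p) for p in
          ("::/8", "100::/64", "fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8")]


def parse_rpsl(text):
    """Blank-line-separated objects -> list of {attribute: [values]} dicts."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:  # sentinel flushes the last object
        if not line.strip():
            if current:
                objects.append(current)
            current = {}
        elif ":" in line:
            key, _, value = line.partition(":")  # first colon only; values hold IPv6
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return objects


def expand_as_set(objects, name, seen=None):
    """AS numbers in an as-set, following nested sets and guarding against loops."""
    seen, name = (set() if seen is None else seen), name.upper()
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for obj in objects:
        if obj.get("as-set", [""])[0].upper() != name:
            continue
        members = (m.strip().upper() for ln in obj.get("members", []) for m in ln.split(","))
        for member in members:
            if "AS-" in member:
                asns |= expand_as_set(objects, member, seen)
            elif member.startswith("AS"):
                asns.add(member)
    return asns


def registered_routes(objects, origins):
    """route6 prefixes whose origin: is in origins; malformed entries are skipped."""
    routes = set()
    for obj in objects:
        if "route6" in obj and obj.get("origin", [""])[0].upper() in origins:
            try:
                routes.add(ipaddress.IPv6Network(obj["route6"][0], strict=True))
            except ValueError:
                pass  # never turn registry garbage into a permit
    return sorted(routes)


def is_bogon(net, bogons=BOGONS):
    return any(net.overlaps(b) for b in bogons)


def build_prefix_list(name, routes, bogons=BOGONS, max_len=48):
    """Cisco IOS 'ipv6 prefix-list' lines: explicit bogon denies first, then permits
    for registered prefixes and their more-specifics up to max_len; implicit deny."""
    lines = []
    for b in bogons:
        lines.append(f"ipv6 prefix-list {name} seq {10 * (len(lines) + 1)} deny {b} le 128")
    for r in routes:
        if is_bogon(r, bogons):
            continue  # registered in the IRR but not routable: the IRR was wrong
        suffix = f" le {max_len}" if r.prefixlen < max_len else ""
        lines.append(f"ipv6 prefix-list {name} seq {10 * (len(lines) + 1)} permit {r}{suffix}")
    return lines


def check_announcement(prefix, routes, bogons=BOGONS, max_len=48):
    """Apply the same policy to one received prefix; returns (accepted, reason)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if is_bogon(net, bogons):
        return False, "bogon"
    if net.prefixlen > max_len:
        return False, f"more specific than /{max_len}"
    for r in routes:
        if net.subnet_of(r):
            return True, f"covered by {r}"
    return False, "not registered for this peer"


if __name__ == "__main__":
    objs = parse_rpsl(IRR_TEXT)
    peer_routes = registered_routes(objs, expand_as_set(objs, "AS-EXAMPLE"))
    print("\n".join(build_prefix_list("PEER-AS64500-IN", peer_routes)))
    print(check_announcement("3fff:100:abcd::/48", peer_routes), check_announcement("fd00:1234::/32", peer_routes))
```

The bogon denies sit ahead of the permits on purpose: a route6 object for unroutable space (the fd00:1234::/32 entry here) is exactly the inaccurate IRR data the text warns about, and the bogon check rejects it even though the registry claims it. Re-running the generator whenever either input changes is what keeps the filter from rotting; with a real bogon list, 3fff::/20 itself would be denied, so substitute the peer's actual allocations before using the output.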
