Adrian Kennard wrote:
[..]
> What is not clear to me is what is the best practice and workable IPv6
> next hop to specify. Seems to me it could be:-
>
> ::x.x.x.x

That one was deprecated by RFC4291.

I used to use ::/96 for storing IPv4 addresses inside IPv6, but then you don't know if :: is 0.0.0.0 or IPv6 ::, as such I am now using the ::ffff::/96 in the places where I was using that and the code that I have updated. Then ::ffff:0.0.0.0/96 is for sure the IPv4 variant.

> ::FFFF:x.x.x.x
> 2002:xxxx:xxxx::
>
> The latter seems to express that we want to use simple protocol 41 IPv6
> over IPv4 tunnelling. The first two seem to me to just indicate an IPv4
> address as the next hop without saying how the traffic is to be sent to
> it (e.g. GRE, protocol 41, whatever).

I would go for ::ffff:x.x.x.x, as then you have the properties you describe above, but also know for sure that the 2002::/16 prefix can't be hijacked by some routing entry, next to it being clear that this is really on the wire as IPv4 and not as IPv6.

> FYI, I'll make our routers understand any of the above as a next hop to
> send over protocol 41 when received, but need to know what I should use
> when generating this as a next hop to send.

I do sincerely hope that you will be looking heavily at the security concerns here, especially a line saying "only accept packets from known prefixes" and "filter those prefixes out at the border" aka BCP38.

Greets,
 Jeroen
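The three next-hop encodings discussed in this message, decoded side by side, as an added example that is not code from either poster or from any router implementation. The function names, the KNOWN_PREFIXES allow-list and the sample addresses (documentation ranges) are assumptions made for illustration; the allow-list check is one way to express "only accept from known prefixes".

```python
import ipaddress

MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")  # ::ffff:x.x.x.x
COMPAT = ipaddress.IPv6Network("::/96")          # ::x.x.x.x, deprecated by RFC 4291
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # 2002:xxxx:xxxx::

# Constructed allow-list of IPv4 tunnel endpoints we are willing to use.
KNOWN_PREFIXES = [ipaddress.IPv4Network("192.0.2.0/24")]


def decode_next_hop(text):
    """Return (form, embedded IPv4 address or None) for an IPv6 next hop."""
    addr = ipaddress.IPv6Address(text)
    value = int(addr)
    if addr in MAPPED:
        # Low 32 bits are the IPv4 address; ::ffff:0.0.0.0 is unambiguous.
        return "ipv4-mapped", ipaddress.IPv4Address(value & 0xFFFFFFFF)
    if addr in SIXTOFOUR:
        # The IPv4 address sits in the 32 bits after the 16-bit 2002 prefix.
        return "6to4", ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
    if addr in COMPAT:
        # :: and ::1 are also the native IPv6 unspecified and loopback
        # addresses, so the embedded IPv4 meaning cannot be recovered.
        if value in (0, 1):
            return "ambiguous", None
        return "ipv4-compatible", ipaddress.IPv4Address(value)
    return "native-ipv6", None


def acceptable_endpoint(text, known=KNOWN_PREFIXES):
    """Accept a next hop only if it decodes to a known IPv4 prefix."""
    form, v4 = decode_next_hop(text)
    if v4 is None:
        return False
    return any(v4 in net for net in known)


if __name__ == "__main__":
    samples = ["::192.0.2.1", "::ffff:192.0.2.1", "2002:c000:201::",
               "::", "::ffff:0.0.0.0", "::ffff:198.51.100.7", "2001:db8::1"]
    for sample in samples:
        form, v4 = decode_next_hop(sample)
        print(f"{sample:22} {form:16} {v4} accept={acceptable_endpoint(sample)}")
```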