- ::::Hello again,
- ::::I think that thanks to [[:en:Classless Inter-Domain Routing|CIDR notation]], it should be easy to block the rest of the range with only a few rules.
- ::::Consider that CIDR prefixes allow you to block a prefix of bits contained in an address. There are 6 bits of difference between the two prefixes. Hence, you should be able to block only six prefixes to block all addresses except the ones from OVH Telecom.
- ::::For illustration, here is how both prefixes convert to binary:
- ::::<syntaxhighlight>Large prefix:
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (32 digits)
- 00100000000000010100000111010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- = 2001:41d0::
- Narrow prefix:
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (38 digits)
- 00100000000000010100000111010000111111000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- = 2001:41d0:fc00::
- </syntaxhighlight>
- ::::You should just have to truncate the narrow prefix at different points, then flip the last bit that comes just before the end of the prefix to block a range that pertains to the large but NOT the narrow concerned range.
- ::::I have written a small Python script that does this automatically for the example.
- ::::<syntaxhighlight lang="Python">#!/usr/bin/python3
- #-*- encoding: Utf-8 -*-
- from ipaddress import IPv6Address
- from argparse import ArgumentParser
- args = ArgumentParser(description = 'Find how to block a large IPv6 range excluding a narrow IPv6 range only while blacklisting a few prefixes.')
- args.add_argument('narrow_prefix')
- # Positional order is unchanged: the length of the large prefix comes first, then the narrow one
- args.add_argument('large_prefix_size')
- args.add_argument('narrow_prefix_size')
- args = args.parse_args()
- narrow = IPv6Address(args.narrow_prefix)
- IPV6_BIT_SIZE = 128
- # One prefix per length between the two sizes: truncate the narrow prefix, then flip its last bit
- for intermediary_size in range(int(args.large_prefix_size) + 1, int(args.narrow_prefix_size) + 1):
-     # Keep only the first intermediary_size bits of the narrow prefix
-     mask = ((1 << intermediary_size) - 1) << (IPV6_BIT_SIZE - intermediary_size)
-     # The last bit of the truncated prefix: flipping it selects the sibling range
-     bit_to_invert = (1 << (IPV6_BIT_SIZE - intermediary_size))
-     print(str(IPv6Address((int(narrow) & mask) ^ bit_to_invert)) + '/' + str(intermediary_size))
- </syntaxhighlight>
- ::::You can execute it with:
- ::::<syntaxhighlight>./generate_addresses.py 2001:41d0:fc00:: 32 38</syntaxhighlight>
- ::::Here is what the concerned script outputs:
- ::::<syntaxhighlight>2001:41d0::/33
- 2001:41d0:8000::/34
- 2001:41d0:c000::/35
- 2001:41d0:e000::/36
- 2001:41d0:f000::/37
- 2001:41d0:f800::/38
- </syntaxhighlight>
- ::::Do you think that it is okay to block only these six ranges?
- ::::Regards, --~~~~
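
An added example, not part of the original message: the same truncate-and-flip computation written as a function, plus a check that the resulting block list never touches the exempted range and covers everything else in the large range. The function names `complement_prefixes` and `verify_block_list` are assumptions made for this sketch; the cross-check uses the standard library's `address_exclude`.

```python
from ipaddress import IPv6Network

IPV6_BIT_SIZE = 128


def complement_prefixes(large, narrow):
    """Prefixes covering `large` minus `narrow`, one per intermediate length."""
    large, narrow = IPv6Network(large), IPv6Network(narrow)
    if not narrow.subnet_of(large):
        # A block list built from an unrelated prefix would block the wrong ranges
        raise ValueError(f"{narrow} is not contained in {large}")
    base = int(narrow.network_address)
    blocks = []
    for size in range(large.prefixlen + 1, narrow.prefixlen + 1):
        host_bits = IPV6_BIT_SIZE - size
        mask = ((1 << size) - 1) << host_bits   # keep the first `size` bits
        sibling = (base & mask) ^ (1 << host_bits)  # flip the last kept bit
        blocks.append(IPv6Network((sibling, size)))
    return blocks


def verify_block_list(large, narrow, blocks):
    """True only if `blocks` is exactly `large` with `narrow` carved out."""
    large, narrow = IPv6Network(large), IPv6Network(narrow)
    # 1. No rule may overlap the range that must stay unblocked
    if any(block.overlaps(narrow) for block in blocks):
        return False
    # 2. Every rule must sit inside the large range
    if not all(block.subnet_of(large) for block in blocks):
        return False
    # 3. Address counts must add up, so nothing in the large range is missed
    covered = sum(block.num_addresses for block in blocks)
    if covered + narrow.num_addresses != large.num_addresses:
        return False
    # 4. Independent cross-check against the standard library
    return sorted(blocks) == sorted(large.address_exclude(narrow))


if __name__ == "__main__":
    # Prefixes taken from the message above
    rules = complement_prefixes("2001:41d0::/32", "2001:41d0:fc00::/38")
    for rule in rules:
        print(rule)
    print("valid:", verify_block_list("2001:41d0::/32", "2001:41d0:fc00::/38", rules))
```
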