How to Announce IPv6 Prefixes in BGP

Overview

Border Gateway Protocol (BGP) is the routing protocol that powers the Internet's inter-domain routing system. Announcing IPv6 prefixes via BGP allows your network to be globally reachable over IPv6. This guide provides a comprehensive technical walkthrough of the configuration steps, best practices, and security measures required to successfully announce IPv6 prefixes.

Prerequisites

Before you can announce IPv6 prefixes in BGP, you must have the following in place:

1. IPv6 Address Allocation

You need a Provider Independent (PI) or Provider Aggregatable (PA) IPv6 address block allocated from one of the Regional Internet Registries (RIRs):

• ARIN (North America)
• RIPE NCC (Europe, Middle East, Central Asia)
• APNIC (Asia Pacific)
• LACNIC (Latin America and Caribbean)
• AFRINIC (Africa)

Most organizations receive a /32 or /48 allocation. The /48 prefix is the recommended minimum size for global BGP routing announcements.

2. Autonomous System Number (ASN)

You must have your own ASN, either:

• 16-bit ASN (legacy range: 1-65535)
• 32-bit ASN (range: 65536-4294967295)

Your ASN uniquely identifies your network in the global routing system and is required for originating BGP announcements.

3. BGP-Capable Router

Your network requires at least one router or routing platform that supports:

• Multiprotocol BGP (MP-BGP) extensions for IPv6
• IPv6 unicast address family configuration
• Modern BGP security features (prefix filtering, RPKI validation)

Common platforms include Cisco IOS/IOS-XE/IOS-XR, Juniper Junos, Arista EOS, Nokia SR OS, and open-source solutions like FRRouting (FRR) and BIRD.

4. IPv6 Connectivity

Your router must have native IPv6 connectivity to your upstream provider(s) or Internet Exchange Point (IXP) peers. This typically requires:

• IPv6-enabled interfaces
• IPv6 addresses from link-local or global scope
• Working IPv6 routing to BGP peer addresses

Basic BGP Configuration for IPv6

BGP treats IPv4 and IPv6 as separate address families within the same protocol. Here's how to configure IPv6 BGP announcements on major platforms:

Cisco IOS/IOS-XE Configuration

! Configure BGP with your ASN
router bgp 64500

 ! Configure BGP router ID (uses IPv4 format)
 bgp router-id 203.0.113.1

 ! Enable BGP neighbor using IPv6 address
 neighbor 2001:db8:100::1 remote-as 64501
 neighbor 2001:db8:100::1 description Upstream-Provider

 ! Enter IPv6 unicast address family
 address-family ipv6 unicast

  ! Activate the neighbor for IPv6
  neighbor 2001:db8:100::1 activate

  ! Announce your IPv6 prefix
  network 2001:db8::/32

  ! Apply outbound prefix filter (recommended)
  neighbor 2001:db8:100::1 prefix-list IPV6-OUT out

  ! Apply inbound prefix filter
  neighbor 2001:db8:100::1 prefix-list IPV6-IN in

 exit-address-family
!

! Define prefix list for outbound announcements
ipv6 prefix-list IPV6-OUT seq 5 permit 2001:db8::/32

! Define prefix list for inbound filtering
ipv6 prefix-list IPV6-IN seq 5 deny ::/0
ipv6 prefix-list IPV6-IN seq 10 deny ::/0 ge 49
ipv6 prefix-list IPV6-IN seq 15 permit ::/0 le 48

Juniper Junos Configuration

# Configure BGP group and neighbor
set protocols bgp group upstream-provider type external
set protocols bgp group upstream-provider peer-as 64501
set protocols bgp group upstream-provider neighbor 2001:db8:100::1

# Configure IPv6 unicast family
set protocols bgp group upstream-provider family inet6 unicast

# Announce your IPv6 prefix with route policy
set policy-options policy-statement announce-ipv6 term export-prefix from route-filter 2001:db8::/32 exact
set policy-options policy-statement announce-ipv6 term export-prefix then accept
set policy-options policy-statement announce-ipv6 term reject-all then reject

# Apply export policy
set protocols bgp group upstream-provider export announce-ipv6

# Configure static route to null0 (best practice)
set routing-options rib inet6.0 static route 2001:db8::/32 discard

FRRouting (FRR) Configuration

router bgp 64500
 bgp router-id 203.0.113.1

 neighbor 2001:db8:100::1 remote-as 64501
 neighbor 2001:db8:100::1 description Upstream-Provider

 address-family ipv6 unicast
  network 2001:db8::/32
  neighbor 2001:db8:100::1 activate
  neighbor 2001:db8:100::1 prefix-list ipv6-out out
  neighbor 2001:db8:100::1 prefix-list ipv6-in in
 exit-address-family
!

ipv6 prefix-list ipv6-out seq 5 permit 2001:db8::/32
ipv6 prefix-list ipv6-in seq 5 deny ::/0
ipv6 prefix-list ipv6-in seq 10 deny ::/0 ge 49
ipv6 prefix-list ipv6-in seq 15 permit ::/0 le 48

Network Statements and Prefix Lists

Network Statement Method

The network statement tells BGP which prefixes to announce. For the prefix to be advertised, it must exist in the router's routing table (RIB). Best practice is to create a static route to null0/discard:

! Cisco IOS
ipv6 route 2001:db8::/32 Null0

! Juniper Junos
set routing-options rib inet6.0 static route 2001:db8::/32 discard

! FRR
ipv6 route 2001:db8::/32 Null0

This ensures the prefix is always present in the routing table even if more specific routes are not yet configured.

Prefix List Best Practices

Outbound Filtering - Only announce prefixes you own:

! Explicitly permit only your allocated prefixes
ipv6 prefix-list IPV6-OUT seq 5 permit 2001:db8::/32
ipv6 prefix-list IPV6-OUT seq 10 deny ::/0 le 128

Inbound Filtering - Protect against bogus announcements:

! Deny default route
ipv6 prefix-list IPV6-IN seq 5 deny ::/0

! Deny documentation prefix
ipv6 prefix-list IPV6-IN seq 10 deny 2001:db8::/32

! Deny unique local addresses
ipv6 prefix-list IPV6-IN seq 15 deny fc00::/7 le 128

! Deny link-local
ipv6 prefix-list IPV6-IN seq 20 deny fe80::/10 le 128

! Deny 6to4
ipv6 prefix-list IPV6-IN seq 25 deny 2002::/16 le 128

! Deny prefixes longer than /48
ipv6 prefix-list IPV6-IN seq 30 deny ::/0 ge 49

! Accept everything else up to /48
ipv6 prefix-list IPV6-IN seq 35 permit ::/0 le 48

Route Aggregation Strategies

Route aggregation reduces the size of the global BGP routing table and improves routing efficiency. The RIPE Routing Working Group (RIPE-532) provides specific recommendations for IPv6 aggregation:

General Principles

1. Advertise aggregate prefixes - Announce your allocation boundary (typically /32 or /48) rather than more specific prefixes unless required
2. Use BGP communities - Control propagation of more specific routes using NO_EXPORT (65535:65281) or provider-specific communities
3. Limit specifics to /48 - Most networks filter prefixes longer than /48 to prevent routing table bloat

Aggregation Configuration Examples

Cisco IOS with aggregate-address:

router bgp 64500
 address-family ipv6 unicast
  ! Create aggregate (suppresses more specific routes)
  aggregate-address 2001:db8::/32 summary-only

  ! Or create aggregate while advertising specifics
  aggregate-address 2001:db8::/32 as-set
 exit-address-family

Juniper Junos with aggregate route:

set routing-options aggregate route 2001:db8::/32
set policy-options policy-statement announce-aggregate term 1 from protocol aggregate
set policy-options policy-statement announce-aggregate term 1 from route-filter 2001:db8::/32 exact
set policy-options policy-statement announce-aggregate term 1 then accept

When to Announce More Specifics

Only announce prefixes more specific than your aggregate when:

• Traffic engineering - Directing traffic to specific entry points
• Multihoming - Advertising different prefixes through different providers
• Geographic routing - Optimizing latency for regional destinations

In these cases, always use BGP communities to control propagation and prevent unnecessary global visibility.

Prefix Filtering Best Practices

Minimum Prefix Length

Configure maximum prefix length filtering to reject overly specific routes:

• Standard practice: Reject prefixes longer than /48
• Conservative approach: Only accept /32 through /48

This protects against:

• Routing table bloat
• Prefix hijacking via more specific announcements
• Misconfiguration by remote networks

Bogon Filtering

Always filter reserved and special-use IPv6 prefixes:

Prefix	Purpose	Action
::/0	Default route	Deny (unless from upstream)
::/8	Reserved	Deny
::1/128	Loopback	Deny
::ffff:0:0/96	IPv4-mapped	Deny
2001:db8::/32	Documentation	Deny
fc00::/7	Unique Local Addresses	Deny
fe80::/10	Link-local	Deny
ff00::/8	Multicast	Deny
2002::/16	6to4	Deny

Maximum Prefix Limits

Configure per-neighbor maximum prefix limits to protect against routing table overflow attacks or misconfigurations:

router bgp 64500
 address-family ipv6 unicast
  neighbor 2001:db8:100::1 maximum-prefix 200000 90 restart 30
 exit-address-family

This example warns at 90% (180,000 prefixes) and tears down the session with 30-minute automatic restart if 200,000 prefixes are received.

Route Origin Authorization (ROA)

ROA is a cryptographically signed object that authorizes a specific AS to originate an IP prefix. It's part of the Resource Public Key Infrastructure (RPKI) framework.

Creating ROAs

Create ROAs through your RIR's web portal:

1. Log in to your RIR resource management portal (ARIN Online, RIPE NCC LIR Portal, APNIC MyAPNIC, etc.)
2. Navigate to RPKI/ROA management section
3. Create ROA specifying:
   • IPv6 prefix (e.g., 2001:db8::/32)
   • Origin ASN (e.g., AS64500)
   • Maximum prefix length (typically same as prefix length)

Important: Avoid liberal use of maxLength. Setting maxLength longer than your actual announcements exposes you to forged-origin sub-prefix hijacking. Per RFC 9319, only set maxLength when you actually plan to announce more specific prefixes.

ROA Example

For prefix 2001:db8::/32 originated by AS64500:

ROA:
  Prefix: 2001:db8::/32
  Max Length: /48
  Origin AS: 64500

This ROA authorizes AS64500 to announce 2001:db8::/32 and any more specific prefix up to /48 (e.g., 2001:db8:1::/48, 2001:db8:2::/48).

RPKI Validation

RPKI validation allows routers to verify that BGP announcements match published ROAs, preventing prefix hijacking and route leaks.

Configuring RPKI Validation

Cisco IOS-XE with RTR Protocol:

! Configure RPKI cache server
router bgp 64500
 bgp rpki server tcp 2001:db8:rpki::1 port 8282 refresh 600

! Create route-map to validate RPKI
route-map RPKI-VALIDATE permit 10
 match rpki valid
 set local-preference 200

route-map RPKI-VALIDATE permit 20
 match rpki not-found
 set local-preference 100

route-map RPKI-VALIDATE permit 30
 match rpki invalid
 set local-preference 50

! Apply to neighbor
router bgp 64500
 address-family ipv6 unicast
  neighbor 2001:db8:100::1 route-map RPKI-VALIDATE in
 exit-address-family

FRRouting with RPKI:

rpki
 rpki cache 2001:db8:rpki::1 8282 preference 1
 exit
!
router bgp 64500
 address-family ipv6 unicast
  neighbor 2001:db8:100::1 route-map rpki-validate in
 exit-address-family
!
route-map rpki-validate permit 10
 match rpki valid
 set local-preference 200
!
route-map rpki-validate permit 20
 match rpki notfound
 set local-preference 100
!
route-map rpki-validate permit 30
 match rpki invalid
 set local-preference 50

RPKI Validation States

• Valid: Announcement matches a ROA (prefix, origin AS, and max length match)
• Invalid: Announcement contradicts a ROA (wrong origin AS or exceeds max length)
• Not Found: No ROA exists for this prefix

Best practice is to prefer valid routes, accept not-found routes with lower preference, and either reject or significantly deprioritize invalid routes.

Verification and Monitoring

Verify BGP Session

Cisco IOS:

show bgp ipv6 unicast summary
show bgp ipv6 unicast neighbors 2001:db8:100::1

Juniper Junos:

show bgp summary
show bgp neighbor 2001:db8:100::1

FRRouting:

show bgp ipv6 summary
show bgp ipv6 neighbor 2001:db8:100::1

Verify Prefix Announcement

Check that your prefix is being advertised:

show bgp ipv6 unicast 2001:db8::/32
show bgp ipv6 unicast neighbors 2001:db8:100::1 advertised-routes

External Verification Tools

After configuration, verify global reachability using external tools:

1. Looking Glass servers - Query BGP routing tables at various points on the Internet
2. BGP route collectors - Check route-views.org, RIPE RIS, or PCH for your prefix
3. RIPE Stat - https://stat.ripe.net/ provides detailed prefix visibility analysis
4. Hurricane Electric BGP Toolkit - https://bgp.he.net/ shows propagation and AS path
5. test-ipv6.run - Verify end-to-end IPv6 reachability from end-user perspective

The test-ipv6.run connectivity testing tool is particularly useful for validating that your IPv6 announcement results in working end-to-end connectivity. It tests dual-stack behavior, IPv6-only connectivity, and protocol preference from a user's browser.

Monitor BGP Health

Implement monitoring for:

• BGP session state - Alert on session flaps or down states
• Prefix count - Detect unexpected changes in received/advertised routes
• Route withdrawals - Track stability of your announced prefixes
• RPKI validation statistics - Monitor invalid route percentage
• Prefix visibility - Regularly check that your prefix is visible globally

Tools like Prometheus with BGP exporters, Grafana dashboards, or commercial BGP monitoring services can provide comprehensive visibility.

Common Pitfalls and Troubleshooting

Session Won't Establish

• IPv6 connectivity: Verify IPv6 reachability to peer address with ping6
• Firewall rules: Ensure TCP port 179 is allowed in both directions
• Address family mismatch: Confirm both sides activated IPv6 unicast family
• Authentication: Check MD5 or TCP-AO passwords match if configured

Prefix Not Advertised

• Route not in table: Verify prefix exists in routing table before BGP will announce it
• Prefix filter blocking: Check outbound prefix-lists and route-maps
• No export community: Ensure NO_EXPORT community is not accidentally applied
• Aggregate configuration: Verify aggregate-address or summary route is correct

Prefix Not Visible Globally

• Upstream filtering: Your provider may filter prefixes longer than /48 or outside allocated ranges
• Missing ROA: Create ROA if networks are performing RPKI validation
• AS path filtering: Some networks filter specific ASNs or path patterns
• No peer advertisement: Confirm upstream provider is actually announcing your prefix

RPKI Invalid State

• ROA mismatch: Verify ROA origin ASN matches your announcing ASN
• Max length exceeded: Ensure announced prefix length doesn't exceed ROA maxLength
• Stale ROA: Check for outdated ROAs after renumbering or AS migration
• Multiple conflicting ROAs: Remove duplicate or conflicting ROA objects

Conclusion

Announcing IPv6 prefixes in BGP requires careful configuration of routing protocol settings, security measures, and validation mechanisms. Key takeaways:

• Always implement strict inbound and outbound prefix filtering
• Create ROAs for all announced prefixes to enable RPKI validation
• Prefer aggregate announcements over more specific routes when possible
• Monitor BGP session health and prefix visibility continuously
• Use external verification tools like test-ipv6.run to validate end-to-end connectivity

Following these best practices ensures your IPv6 network is secure, efficient, and properly integrated into the global Internet routing system.

Additional Resources

• RFC 4271: Border Gateway Protocol 4
• RFC 4760: Multiprotocol Extensions for BGP-4
• RFC 9582: RPKI Profile for BGP Origin Validation
• RFC 9319: The Use of maxLength in RPKI
• RIPE-532: RIPE Routing WG Recommendations on IPv6 Route Aggregation
• MANRS: Mutually Agreed Norms for Routing Security (https://manrs.org)