What are the IPv6 reserved address spaces?

I'm converting my good old IPv4-based iptables firewall script and would like to replace the Class A/B/C/D/E reserved address spaces with the ones found in IPv6. My goal is to deny any packets that originate from these addresses, since these cannot reach the public net, so they must be spoofed.

I have found these so far. Are there any more reserved spaces from which no data could come towards an IPv6 webserver?

  • Loopback ::1
  • Global Unicast (currently) 2000::/3
  • Unique Local Unicast FC00::/7
  • Link Local Unicast FE80::/10
  • Multicast FF00::/8


  • ::/8 - Reserved - deprecated IPv4 Compatible is ::/96
  • 0200::/7 - Reserved
  • 0400::/6 - Reserved
  • 0800::/5 - Reserved
  • 1000::/4 - Reserved
  • 2001:db8::/32 - Documentation
  • 2002::/24 - 6to4 0.0.0.0/8
  • 2002:0a00::/24 - 6to4 10.0.0.0/8
  • 2002:7f00::/24 - 6to4 127.0.0.0/8
  • 2002:a9fe::/32 - 6to4 169.254.0.0/16
  • 2002:ac10::/28 - 6to4 172.16.0.0/12
  • 2002:c000::/40 - 6to4 192.0.0.0/24
  • 2002:c0a8::/32 - 6to4 192.168.0.0/16
  • 2002:c612::/31 - 6to4 198.18.0.0/15
  • 2002:c633:6400::/40 - 6to4 198.51.100.0/24
  • 2002:cb00:7100::/40 - 6to4 203.0.113.0/24
  • 2002:e000::/20 - 6to4 224.0.0.0/4
  • 2002:f000::/20 - 6to4 240.0.0.0/4
  • 4000::/3 - Reserved
  • 6000::/3 - Reserved
  • 8000::/3 - Reserved
  • a000::/3 - Reserved
  • c000::/3 - Reserved
  • e000::/4 - Reserved
  • f000::/5 - Reserved
  • f800::/6 - Reserved
  • fc00::/7 - Unique Local
  • fe00::/9 - Reserved
  • fe80::/10 - Link Local
  • fec0::/10 - Site Local (deprecated, RFC3879)
  • ff00::/8 - Multicast

See RFC 5156 and IANA's reservation list for reference.
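The 6to4 entries in the list above all follow one rule: the IPv4 block is placed directly after `2002::/16`, so the prefix length grows by 16. The following is an added example, not part of the original answer, that derives those entries and classifies a source address against the listed blocks; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# IPv4 special-use blocks named in the 6to4 entries of the list above.
IPV4_SPECIAL = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
]

# A few of the non-6to4 entries, copied from the list above.
FIXED = {
    "::/8": "Reserved",
    "2001:db8::/32": "Documentation",
    "fc00::/7": "Unique Local",
    "fe80::/10": "Link Local",
    "fec0::/10": "Site Local (deprecated)",
    "ff00::/8": "Multicast",
}

def sixto4_prefix(v4_cidr):
    """6to4 puts the 32-bit IPv4 address right after 2002::/16, so an
    IPv4 block of length n maps to an IPv6 block of length 16 + n."""
    v4 = ipaddress.ip_network(v4_cidr)
    base = (0x2002 << 112) | (int(v4.network_address) << 80)
    return ipaddress.IPv6Network((base, 16 + v4.prefixlen))

def build_table():
    """Combine the fixed entries with the derived 6to4 blocks."""
    table = [(ipaddress.ip_network(p), label) for p, label in FIXED.items()]
    table += [(sixto4_prefix(c), "6to4 " + c) for c in IPV4_SPECIAL]
    return table

def classify(addr, table=None):
    """Return the label of the most specific listed block containing addr,
    or None when the address is in none of them."""
    ip = ipaddress.IPv6Address(addr)
    hits = [(net.prefixlen, label) for net, label in (table or build_table())
            if ip in net]
    return max(hits)[1] if hits else None

if __name__ == "__main__":
    for cidr in IPV4_SPECIAL:
        print(f"{str(sixto4_prefix(cidr)):<22} 6to4 {cidr}")
    # Constructed sample source addresses.
    for src in ("2002:c0a8:101::1", "2001:db8::25", "fe80::1", "2600::1"):
        print(src, "->", classify(src))
```
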


Do not block arbitrary IPv6 addresses without really knowing what you are doing. Stop, this is bad practice. This will certainly break your connectivity in ways you didn't expect. Some time later, you will see that your IPv6 doesn't behave correctly, then you will start blaming that "IPv6 doesn't work", etc.

Whatever your ISP is, your edge router already knows what packets it can send to you and what packets to accept from you (your concern about spoofed addresses is totally baseless), and your operating system also knows what to do with the rest. Whatever you read about writing firewall rules 15 or so years ago doesn't apply today anymore.

Nowadays, whenever you receive a packet from an address in any of these ranges you are intending to block, it is much more likely to be a legitimate packet that you are incorrectly blocking than any sort of attack. The people who manage the backbone of the Internet have a lot more experience than you, and they already did their homework properly.

Also, the list of reserved blocks and what to expect from each of them is not set on rock. They change over time. Whatever expectations you have today will not be the same tomorrow anymore, then your firewall will be wrong and breaking your connectivity.

Firewalls are supposed to protect and monitor what is on the inside of your network. The outside is an always-changing jungle.


You've basically got it. There was also an RFC for site-local addresses in fec0::/10 but this has been deprecated. The idea with IPv6 is that NAT is no longer needed, therefore even globally-routable addresses can be used on an internal network. You simply configure your firewall to block, as appropriate.

By the way, even in IPv4-land classes are not referred to anymore. CIDR is used instead.