Thoughts about ipv6 white listing
Tore Anderson
tore.anderson at redpill-linpro.com
Sun Dec 5 02:15:34 CET 2010
* Brian E Carpenter
> If all ISPs with content providers offering IPv6 service
> provide a 2002::/16 route to a properly working relay,
> we'd eliminate many of the return path problems.
For what it's worth we've been running 2002::/16 return relays in all
data centres from which we're serving IPv6 content. It doesn't really
make any difference on the 6to4-related brokenness levels. Even if we
did not run our own relays there are several other well-maintained
public relays in our vicinity, thanks to folks like Mikael Abrahamsson
for instance. Lack of relays (either direction) isn't really a problem,
at least not here in Scandinavia.
> I agree that if people are filtering proto 41 there is
> a problem, and that is in the hands of the operators.
This is the main problem, yes. In my experience, the majority of users
with 6to4-related problems are found in enterprise networks,
governmental networks, and university and research networks. Broadband
ISPs, not so much.
This is likely the reason why I see brokenness dropping markedly during
public holidays, by the way.
> The point is that ISPs can fix these problems and we haven't yet
> documented how they should do so. We should do that rather than
> encouraging the lazy way out. And yes, I do plan to write an IETF
> draft.
I'll be happy to contribute to that if you want any input, but I have to
admit I'm rather pessimistic that it will have any significant effect.
I did for a while attempt to reach out directly to those networks from
which I saw an excessive amount of 6to4 related brokenness. The
responses I got could be classified into three rough categories:
1) Indifference - either simply ignoring me completely, or saying
essentially «we don't support IPv6 at this point so we do not consider
this a problem. bye.» This is the vast majority of cases.
2) Refusal - pretty much saying that allowing protocol 41 would create a
backdoor in their security policy/firewall setup and therefore they
cannot simply allow it. Some of these were interested in making it so
that their end users would not attempt using 6to4 at all, but there is
unfortunately no way a network operator can accomplish this as far as I
know. (Any suggestions here would be very much welcome!)
3) Fixing it: «Oh, we're blocking this protocol 41 thingy you say? Must
be due to our default deny firewall config, sorry about that. Better
now?» But this was the by far smallest group...
In the end I gave up this strategy of contacting problematic networks as
the results did not make it worth my while. Working with the OS and
browser vendors to de-prefer 6to4 has proven a much more fruitful approach.
Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27
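Two of the points in the message above lend themselves to a small worked example: a 2002::/16 (6to4) client address carries the client's IPv4 address in bits 16-47 (RFC 3056), which is what lets a content operator see which IPv4 network a broken 6to4 client comes from, and a default-deny border firewall that drops protocol 41 shows up in its own logs as dropped PROTO=41 packets toward internal hosts. The following Python is an added example, not code from the original post or from Redpill Linpro; the web-server and firewall log excerpts are constructed for illustration and use documentation prefixes, and the iptables-style `PROTO=41` field is assumed to appear in that textual form.

```python
import ipaddress
import re
from collections import Counter

# 6to4 addresses live in 2002::/16 (RFC 3056).
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")


def classify(addr: str) -> str:
    """Return '6to4' for a 2002::/16 address, 'native' for other IPv6, 'ipv4' otherwise."""
    a = ipaddress.ip_address(addr)
    if a.version != 6:
        return "ipv4"
    return "6to4" if a in SIXTO4_PREFIX else "native"


def sixto4_embedded_ipv4(addr: str) -> str:
    """Decode the IPv4 address carried in bits 16-47 of a 6to4 address.

    The top 16 bits are 0x2002; the next 32 bits are the client's IPv4, so
    shifting the 128-bit value right by 80 bits leaves 0x2002 followed by the
    IPv4 address in the low 32 bits of the result.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4_PREFIX:
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))


# Constructed web-server log excerpt (client address, request); not real traffic.
WEB_LOG = """\
2001:db8:1::10 GET /index.html
2002:c000:204::1 GET /index.html
2002:c633:6401::beef GET /image.png
2001:db8:2::7 GET /image.png
"""


def sixto4_clients(log: str) -> dict:
    """Count hits per 6to4 client, keyed by the embedded IPv4 address.

    The IPv4 address is the one a content operator would look up (whois/ASN)
    to find out which network a 6to4 client sits behind.
    """
    counts = Counter()
    for line in log.splitlines():
        client = line.split()[0]
        if classify(client) == "6to4":
            counts[sixto4_embedded_ipv4(client)] += 1
    return dict(counts)


# Constructed iptables-style LOG lines from a default-deny border firewall; not real.
# Inbound protocol 41 from a relay to an internal 6to4 host is dropped alongside
# unrelated traffic; only the PROTO=41 drops indicate broken 6to4 return paths.
FW_LOG = """\
Dec  5 02:10:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.4 LEN=100 PROTO=41
Dec  5 02:10:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.4 LEN=60 PROTO=TCP SPT=4444 DPT=22
Dec  5 02:10:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.4 LEN=100 PROTO=41
Dec  5 02:10:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.9 LEN=120 PROTO=41
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)")


def proto41_drops(log: str) -> dict:
    """Count dropped protocol 41 packets per internal destination host.

    A non-zero count for a host means that host is sending 6to4 traffic out
    but the firewall is discarding the encapsulated replies, which is exactly
    the default-deny symptom described in the thread.
    """
    counts = Counter()
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("proto") == "41":
            counts[m.group("dst")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("6to4 clients by embedded IPv4:", sixto4_clients(WEB_LOG))
    print("dropped proto-41 packets per internal host:", proto41_drops(FW_LOG))
```

Run against real logs, the first function tells a content operator which IPv4 networks its 6to4 visitors originate from; the second tells a network operator whether its own default-deny policy is the reason those visitors are broken, before any outside party has to ask.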