IPv6 ingress filtering

Marc Blanchet marc.blanchet at viagenie.ca
Tue May 14 17:46:44 CEST 2019

6to4 has been a good transition technology to help deploy IPv6 in the 
early days. However, it has intrinsically bad latency issues as its 
routing is based on the underlying IPv4, which can be pretty bad for non 
6to4 destinations (e.g. normal IPv6 addresses). Moreover, its IPv6 in 
IPv4 tunnelling technology is likely to be filtered by various 
intermediate devices in the path.  My take is that we shall declare 6to4 
over and dead, thank you very much for your service. So I would suggest 
to filter it. If not, users may get latency issues that will go into 
support calls unncessarily.


On 14 May 2019, at 11:24, Amos Rosenboim wrote:

> Hello,
> As we are trying to tighten the security for IPv6 traffic in our 
> network, I was looking for a reference IPv6 ingress filter.
> I came up with Job Snijders suggestion (thank you Job) that can be 
> conveniently found at whois -h whois.ripe.net fltr-martian-v6
> After applying the filter I noticed some traffic from 6to4 addresses 
> (2002::/16) to our native IPv6 prefixes (residential users in this 
> case).
> The traffic is a mix of both UDP and TCP but all on high port numbers 
> on both destination and source.
> It seems to me like some P2P traffic, but I really can’t tell.
> This got me thinking, why should we filter these addresses at all ?
> I know 6to4 is mostly dead, but is it inherently bad ?
> And if so, why is the prefix (2002::/16) still being routed ?
> Thanks,
> Amos Rosenboim
> --

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20190514/8ba85659/attachment.html 

More information about the ipv6-ops mailing list