IPv6 ingress filtering

Marc Blanchet marc.blanchet at viagenie.ca
Tue May 14 17:46:44 CEST 2019


6to4 has been a good transition technology to help deploy IPv6 in the 
early days. However, it has intrinsically bad latency issues as its 
routing is based on the underlying IPv4, which can be pretty bad for non 
6to4 destinations (e.g. normal IPv6 addresses). Moreover, its IPv6 in 
IPv4 tunnelling technology is likely to be filtered by various 
intermediate devices in the path.  My take is that we shall declare 6to4 
over and dead, thank you very much for your service. So I would suggest 
to filter it. If not, users may get latency issues that will go into 
support calls unnecessarily.

Marc.

On 14 May 2019, at 11:24, Amos Rosenboim wrote:

> Hello,
>
>
> As we are trying to tighten the security for IPv6 traffic in our 
> network, I was looking for a reference IPv6 ingress filter.
> I came up with Job Snijders' suggestion (thank you Job) that can be 
> conveniently found at whois -h whois.ripe.net fltr-martian-v6
>
> After applying the filter I noticed some traffic from 6to4 addresses 
> (2002::/16) to our native IPv6 prefixes (residential users in this 
> case).
> The traffic is a mix of both UDP and TCP but all on high port numbers 
> on both destination and source.
> It seems to me like some P2P traffic, but I really can’t tell.
>
> This got me thinking, why should we filter these addresses at all?
> I know 6to4 is mostly dead, but is it inherently bad?
>
> And if so, why is the prefix (2002::/16) still being routed?
>
> Thanks,
>
> Amos Rosenboim
> --
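
An added example, not part of either message above: before deciding whether to filter 2002::/16, an operator can summarize which 6to4 sources appear in flow data and decode the IPv4 address that the 6to4 format embeds in bits 16-47 of the IPv6 address. The flow tuple layout, the sample records and the `UNUSABLE_V4` list are assumptions made for illustration.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix named in the thread

# Assumption: embedded IPv4 ranges that cannot be a real 6to4 tunnel endpoint.
UNUSABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed sample flows: (src, sport, dst, dport, proto).
FLOWS = [
    ("2002:c633:6401::1", 51413, "2001:db8:100::10", 49152, "udp"),
    ("2002:c633:6401::1", 51413, "2001:db8:100::11", 50321, "tcp"),
    ("2002:c0a8:0101::5", 40000, "2001:db8:100::10", 49152, "udp"),
    ("2001:db8:ffff::7", 443, "2001:db8:100::10", 53211, "tcp"),
]

def classify(src):
    """Return (kind, embedded_v4) for a source address string."""
    addr = ipaddress.ip_address(src)
    if addr.version != 6 or addr not in SIXTOFOUR:
        return ("native", None)
    v4 = addr.sixtofour  # IPv4Address taken from bits 16-47
    if any(v4 in net for net in UNUSABLE_V4):
        return ("6to4-invalid-v4", v4)
    return ("6to4", v4)

def summarize(flows):
    """Group flows by 6to4 source; count flows with both ports >= 1024."""
    per_source = {}
    for src, sport, _dst, dport, _proto in flows:
        kind, v4 = classify(src)
        if kind == "native":
            continue
        entry = per_source.setdefault(
            src, {"kind": kind, "v4": str(v4), "flows": 0, "high_port_flows": 0})
        entry["flows"] += 1
        if sport >= 1024 and dport >= 1024:
            entry["high_port_flows"] += 1
    return per_source

if __name__ == "__main__":
    for src, info in summarize(FLOWS).items():
        print(src, info)
```

Sources whose embedded IPv4 falls in an unusable range cannot receive return traffic through 6to4, so they are dropped by a 2002::/16 filter at no cost to any working user.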

