IPv6 ingress filtering

Marc Blanchet marc.blanchet at viagenie.ca
Tue May 14 18:14:00 CEST 2019



On 14 May 2019, at 11:50, JORDI PALET MARTINEZ wrote:

> Hi Marc,
>
> I don’t agree. There are many users with tunnel brokers that use 
> 6in4. If you filter 6to4 as a protocol, you’re also filtering all 
> those users’ traffic.

No. If you filter 2002::/16 on the IPv6 side, you are not filtering 
tunnel broker users.


Marc (who implemented a tunnel broker and made it available for years)

>
> Not everybody is lucky enough to have native IPv6 support from its 
> ISP.
>
>
> Saludos,
>
> Jordi
>
> El 14/5/19 17:46, "Marc Blanchet" 
> <ipv6-ops-bounces+jordi.palet=consulintel.es at lists.cluenet.de en 
> nombre de marc.blanchet at viagenie.ca> escribió:
>
> 6to4 has been a good transition technology to help deploy IPv6 in the 
> early days. However, it has intrinsically bad latency issues as its 
> routing is based on the underlying IPv4, which can be pretty bad for 
> non 6to4 destinations (e.g. normal IPv6 addresses). Moreover, its IPv6 
> in IPv4 tunnelling technology is likely to be filtered by various 
> intermediate devices in the path. My take is that we shall declare 
> 6to4 over and dead, thank you very much for your service. So I would 
> suggest to filter it. If not, users may get latency issues that will 
> go into support calls unnecessarily.
>
> Marc.
>
> On 14 May 2019, at 11:24, Amos Rosenboim wrote:
>
> Hello,
>
> As we are trying to tighten the security for IPv6 traffic in our 
> network, I was looking for a reference IPv6 ingress filter.
>
> I came up with Job Snijders suggestion (thank you Job) that can be 
> conveniently found at whois -h whois.ripe.net fltr-martian-v6
>
> After applying the filter I noticed some traffic from 6to4 addresses 
> (2002::/16) to our native IPv6 prefixes (residential users in this 
> case).
>
> The traffic is a mix of both UDP and TCP but all on high port numbers 
> on both destination and source.
>
> It seems to me like some P2P traffic, but I really can’t tell.
>
> This got me thinking, why should we filter these addresses at all ?
>
> I know 6to4 is mostly dead, but is it inherently bad ?
>
> And if so, why is the prefix (2002::/16) still being routed ?
>
> Thanks,
>
> Amos Rosenboim
>
> -- 
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged 
> or confidential. The information is intended to be for the exclusive 
> use of the individual(s) named above and further non-explicitly 
> authorized disclosure, copying, distribution or use of the contents of 
> this information, even if partially, including attached files, is 
> strictly prohibited and will be considered a criminal offense. If you 
> are not the intended recipient be aware that any disclosure, copying, 
> distribution or use of the contents of this information, even if 
> partially, including attached files, is strictly prohibited, will be 
> considered a criminal offense, so you must reply to the original 
> sender to inform about this communication and delete it.
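The distinction Marc draws above (dropping the 2002::/16 prefix on the IPv6 layer versus dropping IPv6-in-IPv4, protocol 41, on the IPv4 layer) is easy to check mechanically. The following is an added example, not code from the thread or from any of its participants. It models four constructed packets: native IPv6, a native packet sourced from a 6to4 address like the ones Amos saw, a genuine 6to4 tunnel packet, and a tunnel-broker 6in4 packet whose inner source is an ordinary global address. The martian list is a small constructed subset for illustration and is not the contents of the RIPE `fltr-martian-v6` object; the `Packet` class and the filter functions are assumptions of this example.

```python
# Added example (not from the thread): contrasts an IPv6-side ingress filter
# on 2002::/16 with an IPv4-side filter on protocol 41 (IPv6-in-IPv4).
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed subset of IPv6 martians used for illustration only. This is
# NOT the contents of the RIPE "fltr-martian-v6" object the thread refers to.
MARTIANS_V6 = [ipaddress.ip_network(p) for p in (
    "::/128", "::1/128", "::ffff:0:0/96", "2002::/16", "fc00::/7", "fe80::/10",
)]

IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation; used by both 6to4 and 6in4


@dataclass
class Packet:
    """Minimal model (constructed) of a packet as seen at the border router."""
    outer_src: str                    # source address of the outer header
    proto: Optional[int] = None       # IPv4 protocol number; None for native IPv6
    inner_src: Optional[str] = None   # IPv6 source carried inside a proto-41 packet


def six_to_four_prefix(v4: str) -> ipaddress.IPv6Network:
    """The 6to4 /48 derived from an IPv4 address: 2002:AABB:CCDD::/48."""
    b = ipaddress.IPv4Address(v4).packed
    return ipaddress.ip_network(
        f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}::/48")


def is_martian_v6(addr: str) -> bool:
    """True if the IPv6 address falls in one of the (constructed) martian prefixes."""
    a = ipaddress.IPv6Address(addr)
    return any(a in net for net in MARTIANS_V6)


def ipv6_side_filter(pkt: Packet) -> str:
    """Filter 2002::/16 (and other martians) on the IPv6 layer only.

    A proto-41 packet is judged by the IPv6 source it carries, i.e. what the
    IPv6 layer sees after decapsulation; the IPv4 carrier itself is untouched,
    so a tunnel-broker user with a normal global source is not affected.
    """
    src = pkt.inner_src if pkt.proto == IPPROTO_IPV6 else pkt.outer_src
    return "drop" if is_martian_v6(src) else "accept"


def proto41_filter(pkt: Packet) -> str:
    """Filter IPv6-in-IPv4 as a protocol: every encapsulated packet is dropped,
    tunnel-broker 6in4 traffic included. This is the over-broad reading of
    "filter 6to4" that the reply objects to."""
    return "drop" if pkt.proto == IPPROTO_IPV6 else "accept"


def compare(pkts: Dict[str, Packet]) -> Dict[str, Tuple[str, str]]:
    """Return (ipv6-side verdict, proto-41 verdict) for each named packet."""
    return {name: (ipv6_side_filter(p), proto41_filter(p)) for name, p in pkts.items()}


# Constructed sample traffic (documentation addresses only).
SAMPLE = {
    "native_v6": Packet("2001:db8:1::10"),
    # a packet sourced from a 6to4 address arriving on a native IPv6 link
    "native_from_6to4_prefix": Packet("2002:c000:205::1"),
    # a real 6to4 packet: outer IPv4 192.0.2.5, inner source in 2002:c000:205::/48
    "6to4_tunnel": Packet("192.0.2.5", IPPROTO_IPV6,
                          str(six_to_four_prefix("192.0.2.5")[1])),
    # a tunnel-broker 6in4 packet: inner source is an ordinary global address
    "tunnel_broker_6in4": Packet("198.51.100.7", IPPROTO_IPV6, "2001:db8:ffff::1"),
}

if __name__ == "__main__":
    for name, (v6_verdict, p41_verdict) in compare(SAMPLE).items():
        print(f"{name:26s} ipv6-side={v6_verdict:6s} proto41={p41_verdict}")
```

Running it shows the two policies disagreeing on exactly the case discussed: the tunnel-broker packet passes the 2002::/16 prefix filter and is dropped only by the protocol-41 filter, while both the genuine 6to4 packet and the natively received 2002::/16-sourced packet are caught by the prefix filter.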
