IPv6 ingress filtering
Brian E Carpenter
brian.e.carpenter at gmail.com
Thu May 16 22:50:03 CEST 2019
On 17-May-19 06:34, David Farmer wrote:
> On Thu, May 16, 2019 at 1:20 PM Sander Steffann <sander at steffann.nl> wrote:
> Hi David,
> > While I happen to agree with you that 2002::/16 SHOULD NOT be filtered, and RFC 7526 is quite clear that 2002::/16 is still valid, it is nevertheless perfectly permissible to filter it, if that is the policy a network operator wishes to enforce.
> With the 6to4 anycast relays deprecated, the only 6to4 traffic should be src 2002::/16 and dst 2002::/16. Sites that are not using 6to4 themselves can filter 2002::/16. Everybody else will only see IPv4+proto41 traffic, which is not impacted by that filter.
> NO! RFC 3056 includes a gateway functionality; it is just not anycast.
Indeed. The Anycast hack was invented some time after 6to4 was standardised, and for a completely different purpose. Filtering the 6to4 IPv4 anycast address is a sensible thing to do for an IPv6-supporting ISP. Filtering 2002::/16 is unnecessary and breaks harmless traffic. (And there is so little such traffic that it is truly harmless.)
> It is possible to locally gateway traffic to native IPv6, and then you would get traffic sourced from 2002::/16, and then you need to send traffic to a return gateway. Now, most traffic you are seeing is probably coming from the public anycast gateways that are still running, but it doesn't have to be. As I said elsewhere in the thread, it is complicated and filtering is easy. Read RFC 7526 very carefully if you care; if you don't, just filter it.
> David Farmer Email: farmer at umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE, Minneapolis, MN 55414-3029
> Phone: 612-626-0815 Cell: 612-812-9952
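The split the thread arrives at (drop protocol-41 traffic aimed at the deprecated 6to4 relay anycast prefix, leave 2002::/16 alone unless site policy says otherwise) as an added Python illustration; this is not code from the thread or from any of its participants. The function names, verdict strings and sample addresses are assumptions; the relay anycast prefix 192.88.99.0/24 comes from RFC 3068 (deprecated by RFC 7526), and the one unconditional drop, a 2002:: source embedding a non-global IPv4 address, follows RFC 3056's requirement that the embedded IPv4 address be globally unique.

```python
import ipaddress

# 6to4 address space (RFC 3056): 2002:V4ADDR::/48 embeds a global IPv4 address.
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
# 6to4 relay anycast prefix (RFC 3068), deprecated by RFC 7526.
SIXTO4_ANYCAST_V4 = ipaddress.IPv4Network("192.88.99.0/24")
IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation used by 6to4


def embedded_ipv4(addr: str):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address, else None."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])


def ipv6_ingress_verdict(src: str, filter_6to4_by_policy: bool = False) -> str:
    """Verdict for a native IPv6 packet arriving with source address `src`.

    Default follows the thread: 2002::/16 is still valid and is permitted.
    A 2002:: source embedding a non-global IPv4 (forbidden by RFC 3056) is
    dropped unconditionally; a site may additionally choose to drop all of it.
    """
    v4 = embedded_ipv4(src)
    if v4 is None:
        return "permit:not-6to4"
    if not v4.is_global:
        return "drop:bogus-embedded-ipv4"
    if filter_6to4_by_policy:
        return "drop:site-policy"
    return "permit:6to4"


def ipv4_ingress_verdict(dst: str, proto: int) -> str:
    """Verdict for an IPv4 packet: drop protocol-41 traffic to the deprecated
    relay anycast prefix; other proto-41 traffic (site-to-site 6to4) passes."""
    if proto == IPPROTO_IPV6 and ipaddress.IPv4Address(dst) in SIXTO4_ANYCAST_V4:
        return "drop:6to4-relay-anycast"
    return "permit"


if __name__ == "__main__":
    # Constructed sample packets, not taken from the thread.
    for src in ("2002:0808:0808::1", "2002:0a00:0001::1", "2001:db8::1"):
        print(src, ipv6_ingress_verdict(src))
    print("192.88.99.1 proto 41 ->", ipv4_ingress_verdict("192.88.99.1", 41))
```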