IPv6 ingress filtering

Gert Doering gert at space.net
Fri May 17 20:12:00 CEST 2019


On Fri, May 17, 2019 at 12:55:33PM -0500, David Farmer wrote:
> A few questions;
> Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined
> to 2002::/16?
> Are you generating ICMPv6 toward 2002::/16 source for traffic destined to
> non-2002::/16?
> For the later, where are you getting the route for 2002::/16 from?

Indeed, as you said, filtering correctly (= ICMP unreachable, so clients
can fail over quickly [if HE is not in use]) is hard.

We still run our own relay, so do not filter today.  Mostly because I 
know it works and (since it's our relay) I can rely on it to not break
things for people - and haven't had time to change that to "filter".

Gert Doering
        -- NetMaster
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20190517/64b0b657/attachment.bin 

More information about the ipv6-ops mailing list