IPv6 ingress filtering

Brian E Carpenter brian.e.carpenter at gmail.com
Fri May 17 22:06:00 CEST 2019


On 18-May-19 06:12, Gert Doering wrote:
> Hi,
> 
> On Fri, May 17, 2019 at 12:55:33PM -0500, David Farmer wrote:
>> A few questions;
>>
>> Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined
>> to 2002::/16?
>> Are you generating ICMPv6 toward 2002::/16 sources for traffic destined to
>> non-2002::/16?
>> For the latter, where are you getting the route for 2002::/16 from?
> 
> Indeed, as you said, filtering correctly (= ICMP unreachable, so clients
> can fail over quickly [if HE is not in use]) is hard.
> 
> We still run our own relay, so do not filter today.  Mostly because I 
> know it works and (since it's our relay) I can rely on it to not break
> things for people - and haven't had time to change that to "filter".

And surely the question is "What would produce the most help desk calls?".
Filtering something that is presumably working for its remaining users
might not be a good idea from that point of view.

    Brian

