IPv6 ingress filtering
Kurt Buff - GSEC, GCIH
kurt.buff at gmail.com
Fri May 17 22:45:56 CEST 2019
Forgive the intrusion, as I seek a bit of clarity.
MSFT DirectAccess seems to use the address range in question:
Tunnel adapter iphttpsinterface:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
Link-local IPv6 Address . . . . . : fe80::75e4:c4b3:fae6:237c%2
Default Gateway . . . . . . . . . :
It seems to me that filtering this range might hurt a bit, unless I'm
mistaking what some are proposing.
Kurt
On Fri, May 17, 2019 at 1:06 PM Brian E Carpenter
<brian.e.carpenter at gmail.com> wrote:
>
> On 18-May-19 06:12, Gert Doering wrote:
> > Hi,
> >
> > On Fri, May 17, 2019 at 12:55:33PM -0500, David Farmer wrote:
> >> A few questions;
> >>
> >> Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined
> >> to 2002::/16?
> >> Are you generating ICMPv6 toward 2002::/16 source for traffic destined to
> >> non-2002::/16?
> >> For the later, where are you getting the route for 2002::/16 from?
> >
> > Indeed, as you said, filtering correctly (= ICMP unreachable, so clients
> > can fail over quickly [if HE is not in use]) is hard.
> >
> > We still run our own relay, so do not filter today. Mostly because I
> > know it works and (since it's our relay) I can rely on it to not break
> > things for people - and haven't had time to change that to "filter".
>
> And surely the question is "What would produce the most help desk calls?".
> Filtering something that is presumably working for its remaining users
> might not be a good idea from that point of view.
>
> Brian
More information about the ipv6-ops
mailing list