Atlas probes and 6to4 [Re: IPv6 ingress filtering]
nick at foobar.org
Sat May 18 15:32:26 CEST 2019
Brian E Carpenter wrote on 18/05/2019 05:05:
>>> % cat *.txt | jq '. | select (.rcvd == 0) | .from' | cut -d\" -f2 | grep ^2002 | sort | uniq -c
>>> 2 2002:2ea7:331c:0:1ad6:c7ff:fe2a:1a7c
>>> 1 2002:4e1a:aba9:10:fa1a:67ff:fe4d:7ee9
>>> 1 2002:4e79:421e:0:a62b:b0ff:fee0:ae0
>>> 1 2002:5253:a51b:0:1:e3ff:febb:121b
>>> 2 2002:55d4:648c:0:f6f2:6dff:fe5d:a19c
>>> 1 2002:566:3896:0:6666:b3ff:feb0:e87a
>>> 3 2002:568:1047:1:220:4aff:fee0:20ac
>>> 2 2002:592:4daf:0:1:7dff:feac:317e
>>> 2 2002:5aba:3e12:1:eade:27ff:fe69:b644
>>> 1 2002:5b64:65f8:0:a62b:b0ff:fee0:1572
>>> 2 2002:5b73:5fdd:ffff:c66e:1fff:fe3a:d118
>>> 2 2002:8603:d75b:0:280:a3ff:fe91:408d
>>> 1 2002:b2f8:fe64:0:a2f3:c1ff:fec4:591c
>>> 2 2002:d58f:794c:0:eade:27ff:fe69:c8fa
>>> 2 2002:d5d1:57ac:1:c24a:ff:fecc:99fa
> What does the leading digit (1, 2 or 3) mean? Because all
> those with "1" are pingable from here, but none of the others.
Of the three testing hosts, that's how many found the destination host
to be unreachable.
>> I.e. 1.5% of the sample probes were using 6to4. Of these, 8 had
>> connectivity to the two control hosts, but not to the 6to4 host. This
>> is awful!
> If they are nodes using the deprecated anycast solution to get their
> 6to4 connectivity, this is unfortunately the expected result, and exactly
> why we deprecated it. But in any case, Atlas probes with 6to4 addresses
> seems pathological to me.
I'd blame laziness more than pathology. But it is inappropriate, no
doubt about it.
> But the ones tagged "1" seem to work. For example,
> 2002:566:3896:0:6666:b3ff:feb0:e87a works. Its embeded IPv4
> address is 18.104.22.168, which allegedly belongs to BSKYB in
> the UK. (It's probably probe #13420 whose details are private.)
It turned out that the ones tagged "1" were unable to contact the 6to4
endpoint, not the native ipv6 destinations. I.e. there was some loss of
connectivity, but anything involving 6to4 exacerbated things.
> Dear he.net, RFC3056 says that a site MUST NOT advertise a route
> to 2002::/16 unless it's willing to act as a relay router, which
> means relaying to *any* IPv4 address. Could it be that 6to4.tyo1.he.net
> is only willing to relay to a limited set of IPv4 addresses?
Naah, HE operate open relays. It's hard to diagnose what the exact
underlying problem is; perhaps overzealous application of urpf? Ingress
filtering of 2002::/16? Not sure it matters much at this stage.
> (Why do I bother, not being an operator? Maybe some slight guilt
> at having propagated 6to4 in the first place...)
No need for guilt - many of us happily used it for years!
More information about the ipv6-ops