<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body dir="auto">
Hi,
<div><br>
</div>
<div>All the mentioned reasons for filtering were focused on the performance of 6to4, user experience and so on.</div>
<div>As our users get native IPv6 they are probably not impacted by these problems when accessing interactive services.</div>
<div>If they are serving or getting the latest episode of GoT from other users who are using 6to4 I see no reason to interfere.</div>
<div><br>
</div>
<div>Thanks for all the advice.<br>
<br>
<div id="AppleMailSignature" dir="ltr">
<div style="text-align: left;direction: ltr; ">Amos</div>
<div><br>
</div>
Sent from my iPhone</div>
<div dir="ltr"><br>
On 15 May 2019, at 00:21, David Farmer <<a href="mailto:farmer@umn.edu">farmer@umn.edu</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, May 14, 2019 at 11:22 AM Amos Rosenboim <<a href="mailto:amos@oasis-tech.net">amos@oasis-tech.net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">Let me just clarify few points:
<div>The suggested filter is not for the protocol, but for the 2002::/16 address space.</div>
<div><br>
</div>
<div>Also the traffic I am seeing is between addresses within this prefix to addresses of our native IPv6 users.</div>
<div><br>
</div>
<div>As for policy - we tend to be as permissive as we can, and we certainly wouldn’t like to restrict what is left from p2p apps.<br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>If you don't filter traffic for 2002::/16 I would suggest you pay attention to the route you are accepting for 2002::/16. Maybe you shouldn't accept a route for this from an ASN on another continent or maybe just run your own gateway for this function.
Oh, and if you run your own gateway you, and your peers and providers, may need to allow traffic sourced from 192.88.99.1 to leave your network, depending on the gateway software you use. </div>
<div><br>
</div>
<div>If you do filter traffic for 2002::/16 you probably shouldn't accept a route for 2002::/16 either.</div>
<div><br>
</div>
<div>Doing this right is complicated, filtering it is easy. While I personally don't filter 2002::/16, I also don't condemn anyone that does filter it, there are good arguments on both sides.</div>
<div> <br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">
<div>
<div id="gmail-m_4509330196790483316AppleMailSignature" dir="ltr">
<div style="text-align:left;direction:ltr">Amos</div>
<div><br>
</div>
Sent from my iPhone</div>
<div dir="ltr"><br>
On 14 May 2019, at 18:50, JORDI PALET MARTINEZ <<a href="mailto:jordi.palet@consulintel.es" target="_blank">jordi.palet@consulintel.es</a>> wrote:<br>
<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail-m_4509330196790483316WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:12pt">Hi Marc,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12pt">I don’t agree. There are many users with tunnel brokers that use 6in4. If you filter 6to4 as a protocol, you’re also filtering all those users’ traffic.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12pt">Not everybody is lucky enough to have native IPv6 support from its ISP.<u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;color:black"><br>
Saludos,<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US" style="font-size:10.5pt;color:black">Jordi<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US" style="font-size:10.5pt;color:black"><u></u> <u></u></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12pt"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12pt"><u></u> <u></u></span></p>
<div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt">El 14/5/19 17:46, "Marc Blanchet" <<a href="mailto:ipv6-ops-bounces+jordi.palet=consulintel.es@lists.cluenet.de" target="_blank">ipv6-ops-bounces+jordi.palet=consulintel.es@lists.cluenet.de</a> en nombre de
<a href="mailto:marc.blanchet@viagenie.ca" target="_blank">marc.blanchet@viagenie.ca</a>> escribió:<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><u></u> <u></u></p>
</div>
<div>
<p style="margin-left:35.4pt">6to4 has been a good transition technology to help deploy IPv6 in the early days. However, it has intrinsically bad latency issues as its routing is based on the underlying IPv4, which can be pretty bad for non 6to4 destinations
(e.g. normal IPv6 addresses). Moreover, its IPv6 in IPv4 tunnelling technology is likely to be filtered by various intermediate devices in the path. My take is that we shall declare 6to4 over and dead, thank you very much for your service. So I would suggest
to filter it. If not, users may get latency issues that will go into support calls unncessarily.<u></u><u></u></p>
<p style="margin-left:35.4pt">Marc.<u></u><u></u></p>
<p style="margin-left:35.4pt">On 14 May 2019, at 11:24, Amos Rosenboim wrote:<u></u><u></u></p>
</div>
<blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1.5pt solid rgb(119,119,119);padding:0cm 0cm 0cm 4pt;margin-left:0cm;margin-right:0cm;margin-bottom:3.75pt">
<div>
<div>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">Hello,<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)"> <u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)"> <u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">As we are trying to tighten the security for IPv6 traffic in our network, I was looking for a reference IPv6 ingress filter.<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">I came up with Job Snijders suggestion (thank you Job) that can be conveniently found at whois -h
<a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a> fltr-martian-v6<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)"> <u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">After applying the filter I noticed some traffic from 6to4 addresses (2002::/16) to our native IPv6 prefixes (residential users in this case).<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">The traffic is a mix of both UDP and TCP but all on high port numbers on both destination and source.<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">It seems to me like some P2P traffic, but I really can’t tell.<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)"> <u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">This got me thinking, why should we filter these addresses at all ?<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">I know 6to4 is mostly dead, but is it inherently bad ?<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)"> <u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">And if so, why is the prefix (2002::/16) still being routed ?<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)"> <u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">Thanks,<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)"> <u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">Amos Rosenboim<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)">-- <u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><span lang="EN-US" style="color:rgb(119,119,119)"> <u></u><u></u></span></p>
</div>
</div>
</blockquote>
</div>
<br>
**********************************************<br>
IPv4 is over<br>
Are you ready for the new Internet ?<br>
<a href="http://www.theipv6company.com" target="_blank">http://www.theipv6company.com</a><br>
The IPv6 Company<br>
<br>
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of
the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents
of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br>
<br>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature">===============================================<br>
David Farmer <a href="mailto:Email%3Afarmer@umn.edu" target="_blank">
Email:farmer@umn.edu</a><br>
Networking & Telecommunication Services<br>
Office of Information Technology<br>
University of Minnesota <br>
2218 University Ave SE Phone: 612-626-0815<br>
Minneapolis, MN 55414-3029 Cell: 612-812-9952<br>
=============================================== </div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</body>
</html>