IPv6 network policies
Jim Burwell
jimb at jsbc.cc
Sun Apr 11 01:46:22 CEST 2010
On 4/10/2010 07:47, Ole Troan wrote:
> note, that the ping pong problem isn't an IPv6 problem as such, the
> same problem exists with IPv4.
>
> cheers,
> Ole
>
Yes. The ping-pong problem can be easily demonstrated on my 6in4
link. My simple solution is two ACL entries:

Router A:
ip6tables --append FORWARD --destination 2001:db8:1234:567::1/128 --out-interface he6 --jump ACCEPT
ip6tables --append FORWARD --destination 2001:db8:1234:567::/64 --out-interface he6 --jump REJECT --reject-with icmp6-adm-prohibited

Router B:
ip6tables --append FORWARD --destination 2001:db8:1234:567::2/128 --out-interface he6 --jump ACCEPT
ip6tables --append FORWARD --destination 2001:db8:1234:567::/64 --out-interface he6 --jump REJECT --reject-with icmp6-adm-prohibited

If this is done at both ends it eliminates the issue. Most routers
can do something similar. Be nice if the router could do it
automagically, but this works. :)
-Jim
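
Added example, not part of the original post: a small Python model of the tunnel described above, showing how many times one packet to an unused address in the /64 crosses the link with and without the two FORWARD rules. The router addresses (A = ::2, B = ::1) are inferred from the rules in the post; the ACCEPT chain policy, the starting hop limit of 64, and the absence of neighbor discovery on the point-to-point tunnel are assumptions.

```python
import ipaddress

LINK = ipaddress.ip_network("2001:db8:1234:567::/64")  # tunnel prefix from the post
ADDR = {"A": LINK[2], "B": LINK[1]}  # assumed: A's rules accept ::1, so B is ::1
PEER = {"A": "B", "B": "A"}


def forward_filter(router, dst):
    """Model of the two FORWARD rules for packets leaving via he6."""
    if dst == ADDR[PEER[router]]:
        return "ACCEPT"  # rule 1: the peer's own /128
    if dst in LINK:
        return "REJECT"  # rule 2: rest of the /64 (icmp6-adm-prohibited)
    return "ACCEPT"      # assumed default chain policy


def trace(dst, entry="B", hop_limit=64, filtered=True):
    """Follow one packet entering at `entry`; return (outcome, tunnel_crossings)."""
    dst = ipaddress.ip_address(dst)
    router, crossings = entry, 0
    while True:
        if dst == ADDR[router]:
            return "delivered", crossings
        if dst not in LINK:
            return "routed elsewhere", crossings
        # The /64 route points out the tunnel and there is no address
        # resolution, so any other address in the prefix is sent to the peer.
        hop_limit -= 1
        if hop_limit <= 0:
            return "hop limit exceeded", crossings
        if filtered and forward_filter(router, dst) == "REJECT":
            return "rejected", crossings
        router = PEER[router]
        crossings += 1


if __name__ == "__main__":
    unused = "2001:db8:1234:567::dead"  # constructed sample address
    print("no filter:", trace(unused, filtered=False))
    print("filtered: ", trace(unused, filtered=True))
    print("to peer:  ", trace("2001:db8:1234:567::2", filtered=True))
```
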