IPv6 ingress filtering

David Farmer farmer at umn.edu
Tue May 14 17:39:46 CEST 2019


While I happen to agree with you that 2002::/16 SHOULD NOT be filtered, and RFC
7526 is quite clear that 2002::/16 is still valid, it is perfectly
permissible to filter it, if that is the policy a network operator wishes
to enforce.

On Tue, May 14, 2019 at 10:30 AM JORDI PALET MARTINEZ <
jordi.palet at consulintel.es> wrote:

> 6to4 is still a valid protocol. It SHOULD NOT be filtered. 6to4 uses the
> same protocol as other tunnels such as 6in4 (protocol 41).
>
> https://www.ietf.org/rfc/rfc3056.txt
>
> It works fine for peer to peer applications.
>
> What the IETF deprecated is anycast for 6to4 relays:
>
> https://tools.ietf.org/html/rfc7526
>
> I believe Hurricane Electric still hosts 6to4 relays.
>
> Regards,
>
> Jordi
>
> On 14/5/19 17:25, "Amos Rosenboim" <
> ipv6-ops-bounces+jordi.palet=consulintel.es at lists.cluenet.de on behalf of
> amos at oasis-tech.net> wrote:
>
> Hello,
>
> As we are trying to tighten the security for IPv6 traffic in our network,
> I was looking for a reference IPv6 ingress filter.
>
> I came up with Job Snijders' suggestion (thank you Job) that can be
> conveniently found at whois -h whois.ripe.net fltr-martian-v6
>
> After applying the filter I noticed some traffic from 6to4 addresses
> (2002::/16) to our native IPv6 prefixes (residential users in this case).
>
> The traffic is a mix of both UDP and TCP but all on high port numbers on
> both destination and source.
>
> It seems to me like some P2P traffic, but I really can't tell.
>
> This got me thinking, why should we filter these addresses at all?
>
> I know 6to4 is mostly dead, but is it inherently bad?
>
> And if so, why is the prefix (2002::/16) still being routed?
>
> Thanks,
>
> Amos Rosenboim
>

-- 
===============================================
David Farmer               Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
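
Added example, not part of the thread and not written by any of its participants: before deciding whether to filter 2002::/16, an operator can measure what the 6to4 traffic actually is by decoding the IPv4 address that RFC 3056 embeds in bits 16 to 47 of each 6to4 source and flagging sources whose embedded address could never be a real 6to4 router. The flow-record format, the sample lines (documentation addresses) and the `BOGUS_V4` list are assumptions made for this sketch.

```python
import ipaddress
from collections import Counter

SIXTOFOUR = ipaddress.ip_network("2002::/16")
# IPv4 ranges that cannot be a reachable 6to4 router (explicit list, assumed for this example)
BOGUS_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed flow records: src sport dst dport proto
SAMPLE_FLOWS = """\
2002:c000:204::1 51413 2001:db8:100::25 6881 udp
2002:a01:203::1 40000 2001:db8:100::25 50000 tcp
2001:db8:ffff::9 443 2001:db8:100::25 52000 tcp
2002:c633:6401:1::5 49152 2001:db8:100::77 49999 tcp
"""

def embedded_v4(addr):
    """Return the IPv4 address carried in a 6to4 address, or None if not 6to4."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in SIXTOFOUR:
        return None
    # 2002:V4ADDR::/48 -> the 32 bits that follow the 16-bit 2002 prefix
    return ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)

def classify(line):
    """Label one flow record by the kind of source address it carries."""
    src, sport, dst, dport, proto = line.split()
    v4 = embedded_v4(src)
    if v4 is None:
        verdict = "native"
    elif any(v4 in net for net in BOGUS_V4):
        verdict = "6to4-bogus-v4"   # embedded address is private/reserved
    else:
        verdict = "6to4"
    return {"src": src, "v4": None if v4 is None else str(v4),
            "verdict": verdict, "proto": proto,
            "high_ports": int(sport) >= 1024 and int(dport) >= 1024}

def summarize(text):
    """Classify every record and count the verdicts."""
    rows = [classify(l) for l in text.splitlines() if l.strip()]
    return rows, Counter(r["verdict"] for r in rows)

if __name__ == "__main__":
    rows, counts = summarize(SAMPLE_FLOWS)
    for r in rows:
        print(r)
    print(dict(counts))
```
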