IPv6 ingress filtering
Marc Blanchet
marc.blanchet at viagenie.ca
Tue May 14 18:14:00 CEST 2019
On 14 May 2019, at 11:50, JORDI PALET MARTINEZ wrote:
> Hi Marc,
>
> I don’t agree. There are many users with tunnel brokers that use
> 6in4. If you filter 6to4 as a protocol, you’re also filtering all
> those users’ traffic.
No. If you filter 2002::/16 on the IPv6 side, you are not filtering
tunnel broker users.
Marc (who implemented and made available a tunnel broker for years)
>
> Not everybody is lucky enough to have native IPv6 support from their
> ISP.
>
> Regards,
>
> Jordi
>
> On 14/5/19 17:46, "Marc Blanchet"
> <ipv6-ops-bounces+jordi.palet=consulintel.es at lists.cluenet.de on
> behalf of marc.blanchet at viagenie.ca> wrote:
>
> 6to4 has been a good transition technology to help deploy IPv6 in the
> early days. However, it has intrinsically bad latency issues as its
> routing is based on the underlying IPv4, which can be pretty bad for
> non-6to4 destinations (e.g. normal IPv6 addresses). Moreover, its IPv6
> in IPv4 tunnelling technology is likely to be filtered by various
> intermediate devices in the path. My take is that we shall declare
> 6to4 over and dead, thank you very much for your service. So I would
> suggest filtering it. If not, users may get latency issues that will
> go into support calls unnecessarily.
>
> Marc.
>
> On 14 May 2019, at 11:24, Amos Rosenboim wrote:
>
> Hello,
>
> As we are trying to tighten the security for IPv6 traffic in our
> network, I was looking for a reference IPv6 ingress filter.
>
> I came up with Job Snijders’ suggestion (thank you Job) that can be
> conveniently found at whois -h whois.ripe.net fltr-martian-v6
>
> After applying the filter I noticed some traffic from 6to4 addresses
> (2002::/16) to our native IPv6 prefixes (residential users in this
> case).
>
> The traffic is a mix of both UDP and TCP but all on high port numbers
> on both destination and source.
>
> It seems to me like some P2P traffic, but I really can’t tell.
>
> This got me thinking, why should we filter these addresses at all?
>
> I know 6to4 is mostly dead, but is it inherently bad?
>
> And if so, why is the prefix (2002::/16) still being routed?
>
> Thanks,
>
> Amos Rosenboim
>
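The distinction Marc draws (a prefix match on 2002::/16 on the IPv6 side versus dropping 6in4, IP protocol 41, on the IPv4 side) is easy to get wrong in an ACL, so here is an added example that models it; this is not code from the thread or from anyone on it. The deny list is a constructed, representative subset of well-known special-purpose prefixes plus 2002::/16 (it is not the contents of the fltr-martian-v6 object, and 2001:db8::/32 is left out so the sample addresses can use documentation space), and the packets are constructed.

```python
"""Added example (not from the thread): model an IPv6 ingress filter and
show why a prefix match on 2002::/16 and an IPv4 rule dropping protocol 41
(6in4) catch different traffic.  All packets and the deny list below are
constructed for illustration."""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Constructed IPv6-side deny list: a few well-known special-purpose prefixes
# plus 2002::/16 as Marc suggests.  Assumption: this is a representative
# subset, not the contents of the fltr-martian-v6 object; 2001:db8::/32
# (documentation space) is deliberately omitted so the sample addresses
# below can use it.
IPV6_INGRESS_DENY = [
    ipaddress.IPv6Network("::/128"),         # unspecified
    ipaddress.IPv6Network("::1/128"),        # loopback
    ipaddress.IPv6Network("::ffff:0:0/96"),  # IPv4-mapped
    ipaddress.IPv6Network("fc00::/7"),       # unique local
    ipaddress.IPv6Network("fe80::/10"),      # link-local
    SIXTO4,                                  # 6to4
]

# Constructed sample packets as seen at the ISP edge.  "outer" is the
# header the edge router actually forwards on; 6in4 packets are IPv4 with
# IP protocol 41 and carry the IPv6 header inside.
SAMPLE_PACKETS = [
    {"name": "native IPv6 user", "outer": "ipv6", "src6": "2001:db8:1::10"},
    {"name": "6to4 host", "outer": "ipv6", "src6": "2002:c000:201::1"},
    {"name": "tunnel-broker user (6in4)", "outer": "ipv4", "proto": 41,
     "src4": "203.0.113.7", "inner_src6": "2001:db8:2::20"},
    {"name": "6to4 host via relay (6in4)", "outer": "ipv4", "proto": 41,
     "src4": "192.0.2.1", "inner_src6": "2002:c000:201::1"},
]


def embedded_ipv4(addr):
    """For a 6to4 address 2002:AABB:CCDD::/48 return the IPv4 address
    A.B.C.D embedded in bits 16-47; None for any other address."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4:
        return None
    return ipaddress.IPv4Address(a.packed[2:6])


def ipv6_deny_reason(src):
    """Return the first deny-list prefix that covers src, or None."""
    a = ipaddress.IPv6Address(src)
    for net in IPV6_INGRESS_DENY:
        if a in net:
            return str(net)
    return None


def ipv6_side_verdict(packet):
    """Prefix filter on the IPv6 header.  For a native packet that is the
    outer header; for 6in4 it is the inner header, which an IPv6 ACL only
    sees where the tunnel is decapsulated (the tunnel endpoint)."""
    src = packet["inner_src6"] if packet["outer"] == "ipv4" else packet["src6"]
    reason = ipv6_deny_reason(src)
    return ("deny", reason) if reason else ("permit", None)


def protocol41_verdict(packet):
    """Blunt IPv4-side rule: drop every IP protocol 41 packet.  This is the
    'filter 6to4 as a protocol' case Jordi warns about; it cannot tell a
    6to4 host from a tunnel-broker user."""
    if packet["outer"] == "ipv4" and packet.get("proto") == 41:
        return ("deny", "ip-proto-41")
    return ("permit", None)


def sixto4_outer_matches_inner(packet):
    """RFC 3964-style consistency check for 6in4 packets whose inner source
    is a 6to4 address: the IPv4 address embedded in the 6to4 prefix must
    equal the outer IPv4 source.  Returns None when the check does not apply."""
    if packet["outer"] != "ipv4" or packet.get("proto") != 41:
        return None
    embedded = embedded_ipv4(packet["inner_src6"])
    if embedded is None:
        return None
    return embedded == ipaddress.IPv4Address(packet["src4"])


def summarize(packets=SAMPLE_PACKETS):
    """Map packet name -> (IPv6-side verdict, protocol-41 verdict)."""
    return {p["name"]: (ipv6_side_verdict(p), protocol41_verdict(p)) for p in packets}


if __name__ == "__main__":
    for name, (v6, p41) in summarize().items():
        print(f"{name:28s} 2002::/16 filter: {v6[0]:6s}  proto-41 drop: {p41[0]}")
```

Running it shows the two rules disagree exactly on the tunnel-broker user: the 2002::/16 prefix match permits that traffic (its inner source is ordinary global unicast) while the protocol-41 drop discards it, which is the collateral damage Jordi describes; both rules discard 6to4 sources. Note the caveat in `ipv6_side_verdict`: an IPv6 prefix filter on a transit router never sees the inner header of a 6in4 packet at all, so the prefix rule is only effective for native 6to4 traffic or at the point where the tunnel terminates.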