IPv6 ingress filtering
David Farmer
farmer at umn.edu
Thu May 16 20:34:13 CEST 2019
On Thu, May 16, 2019 at 1:20 PM Sander Steffann <sander at steffann.nl> wrote:
> Hi David,
>
> > While I happen to agree with you 2002::/16 SHOULD NOT be filtered, and
> RFC 7526 is quite clear that 2002::/16 is still valid. However, it is
> perfectly permissible to filter it, if that is the policy a network
> operator wishes to enforce.
>
> With the 6to4 anycast relays deprecated the only 6to4 traffic should be
> src 2002::/16 and dst 2002::/16. Sites that are not using 6to4 themselves
> can filter 2002::/16. Everybody else will only see IPv4+proto41 traffic,
> which is not impacted by that filter.
>
NO! RFC3056 Includes a gateway functionality it is just not Anycast. It is
possible to locally gateway traffic to native IPv6 and then you would get
traffic sourced from 2002::/16 and then you need to send traffic to a
return gateway. Now, most traffic you are seeing is probably coming from
the public anycast gateways that are still running, but it doesn't have to
be. As I said elsewhere in the thread, it complicated and filtering is
easy. Read RFC7526 very carefully, if you care, if you don't just filter it.
Thanks
--
===============================================
David Farmer Email:farmer at umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cluenet.de/pipermail/ipv6-ops/attachments/20190516/9e7573d2/attachment.htm>
More information about the ipv6-ops
mailing list