IPv6 ingress filtering

Nick Hilliard nick at foobar.org
Fri May 17 22:46:19 CEST 2019


Brian E Carpenter wrote on 17/05/2019 21:06:
> And surely the question is "What would produce the most help desk calls?".
> Filtering something that is presumably working for its remaining users
> might not be a good idea from that point of view.

6to4 connectivity is probably already too broken to use.  Here are some 
atlas measurements from a couple of days ago:

https://atlas.ripe.net/measurements/21449877/
https://atlas.ripe.net/measurements/21449878/
https://atlas.ripe.net/measurements/21449879/

This was 3-packet ping from the same 1000 probes to three ipv6 hosts. 
The results were:

server in IE: 14.5% unreachability
www.kame.net: 15.0% unreachability
random 6to4 address: 23.1% unreachability

What's also unfortunate is after downloading the json results:

> % cat *.txt | jq '.[] | select (.rcvd == 0) | .from' | cut -d\" -f2 | grep ^2002 | sort | uniq -c
>    2 2002:2ea7:331c:0:1ad6:c7ff:fe2a:1a7c
>    1 2002:4e1a:aba9:10:fa1a:67ff:fe4d:7ee9
>    1 2002:4e79:421e:0:a62b:b0ff:fee0:ae0
>    1 2002:5253:a51b:0:1:e3ff:febb:121b
>    2 2002:55d4:648c:0:f6f2:6dff:fe5d:a19c
>    1 2002:566:3896:0:6666:b3ff:feb0:e87a
>    3 2002:568:1047:1:220:4aff:fee0:20ac
>    2 2002:592:4daf:0:1:7dff:feac:317e
>    2 2002:5aba:3e12:1:eade:27ff:fe69:b644
>    1 2002:5b64:65f8:0:a62b:b0ff:fee0:1572
>    2 2002:5b73:5fdd:ffff:c66e:1fff:fe3a:d118
>    2 2002:8603:d75b:0:280:a3ff:fe91:408d
>    1 2002:b2f8:fe64:0:a2f3:c1ff:fec4:591c
>    2 2002:d58f:794c:0:eade:27ff:fe69:c8fa
>    2 2002:d5d1:57ac:1:c24a:ff:fecc:99fa
> %

I.e. 1.5% of the sample probes were using 6to4.  Of these, 8 had 
connectivity to the two control hosts, but not to the 6to4 host.  This 
is awful!

Anyway, none of this exceeds the level of "anecdatum", but it's 
potentially interesting nonetheless, and it does suggest connectivity 
problems between the 6to4 network and chunks of the native ipv6 internet.

Nick



More information about the ipv6-ops mailing list