IPv6 ingress filtering
Nick Hilliard
nick at foobar.org
Fri May 17 22:46:19 CEST 2019
Brian E Carpenter wrote on 17/05/2019 21:06:
> And surely the question is "What would produce the most help desk calls?".
> Filtering something that is presumably working for its remaining users
> might not be a good idea from that point of view.
6to4 connectivity is probably already too broken to use. Here are some
atlas measurements from a couple of days ago:
https://atlas.ripe.net/measurements/21449877/
https://atlas.ripe.net/measurements/21449878/
https://atlas.ripe.net/measurements/21449879/
This was 3-packet ping from the same 1000 probes to three ipv6 hosts.
The results were:
server in IE: 14.5% unreachability
www.kame.net: 15.0% unreachability
random 6to4 address: 23.1% unreachability
What's also unfortunate is after downloading the json results:
> % cat *.txt | jq '.[] | select (.rcvd == 0) | .from' | cut -d\" -f2 | grep ^2002 | sort | uniq -c
> 2 2002:2ea7:331c:0:1ad6:c7ff:fe2a:1a7c
> 1 2002:4e1a:aba9:10:fa1a:67ff:fe4d:7ee9
> 1 2002:4e79:421e:0:a62b:b0ff:fee0:ae0
> 1 2002:5253:a51b:0:1:e3ff:febb:121b
> 2 2002:55d4:648c:0:f6f2:6dff:fe5d:a19c
> 1 2002:566:3896:0:6666:b3ff:feb0:e87a
> 3 2002:568:1047:1:220:4aff:fee0:20ac
> 2 2002:592:4daf:0:1:7dff:feac:317e
> 2 2002:5aba:3e12:1:eade:27ff:fe69:b644
> 1 2002:5b64:65f8:0:a62b:b0ff:fee0:1572
> 2 2002:5b73:5fdd:ffff:c66e:1fff:fe3a:d118
> 2 2002:8603:d75b:0:280:a3ff:fe91:408d
> 1 2002:b2f8:fe64:0:a2f3:c1ff:fec4:591c
> 2 2002:d58f:794c:0:eade:27ff:fe69:c8fa
> 2 2002:d5d1:57ac:1:c24a:ff:fecc:99fa
> %
I.e. 1.5% of the sample probes were using 6to4. Of these, 8 had
connectivity to the two control hosts, but not to the 6to4 host. This
is awful!
Anyway, none of this exceeds the level of "anecdatum", but it's
potentially interesting nonetheless, and it does suggest connectivity
problems between the 6to4 network and chunks of the native ipv6 internet.
Nick
More information about the ipv6-ops
mailing list