nanog mailing list archives

Re: Time to add 2002::/16 to bogon filters?


From: Mark Andrews <marka () isc org>
Date: Wed, 20 Jun 2018 10:03:25 +1000


On 20 Jun 2018, at 4:16 am, Wes George <wesgeorge () puck nether net> wrote:

On 6/18/18 7:34 PM, Mark Andrews wrote:

If an ASN is announcing 2002::/16 then they are happy to get the traffic.  If
they don’t want it all they have to do is withdraw the prefix.  It is not up to
the rest of us to second guess their decision to keep providing support.
WG] I don't think that this is intentional in most cases anymore. It's
most likely legacy cruft/zombie services. Because it mostly operates
unattended and the few that are still using it probably don't notice
when it breaks nor can they figure out to whom they should complain
because anycast makes that nearly impossible, it continues operating
quietly in the dusty and disused corners of the net below a sign saying
"beware of the leopard" until the equipment gets retired or dies of old
age. Also this argument would carry more weight if it hadn't already
been had and concluded with RFC7526, and if it wasn't completely
disabled on MS products now:
https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-1803-removed-features#features-were-no-longer-developing

If you filter 2002::/16 then you are performing a denial-of-service attack on
the few sites that are still using it DELIBERATELY.
WG] As opposed to the unintentional denial-of-service attacks that
happen all the time because of the inherent flaws in the implementation
and the low importance people place on first-class deployments of this
service? Sites that are still using it deliberately should have found a
more reliable solution years ago, even if it's a statically-provisioned
GRE or 6in4 tunnel. Plenty of tunnel brokers out there to facilitate
this if native IPv6 still isn't available. Keeping this around past its
sell-by date is simply enabling bad behavior and a bad user experience
for IPv6.

Actually there aren’t plenty of tunnel brokers anymore.  Lots have shut
up shop in the last couple of years.  HE is still there but the others
are gone or are not accepting new tunnels.

At the moment I’m waiting for sane routing between HE and Optus to move
my tunnel end point closer.  Crossing the Pacific twice to get to HE’s PoP
in Sydney is insane.  If I used it for IPv6 traffic there would be 6 crossings
of the Pacific for most IPv6 traffic to get an IPv6 reply.  That’s 4 more than
there should be.

I don’t expect Optus to offer IPv6 any time soon.

Mark

Wes George


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org

