nanog mailing list archives

Re: IPv6 ingress filter


From: Amos Rosenboim <amos () oasis-tech net>
Date: Tue, 14 May 2019 16:36:00 +0000

Hello Jordi,

Thank you for your feedback on both lists.
It's important to note that the filter suggestion is not about the protocol, but about the 2002::/16 prefix.

Amos

Sent from my iPhone

On 14 May 2019, at 18:52, JORDI PALET MARTINEZ <jordi.palet () consulintel es> wrote:

Hi Amos,

Just responded in another mailing list on this:

6to4 is still a valid protocol. IT SHOULD NOT be filtered. 6to4 uses the same protocol as other tunnels such as 6in4 (protocol 41).

https://www.ietf.org/rfc/rfc3056.txt

It works fine for peer to peer applications.

What the IETF deprecated is anycast for 6to4 relays:

https://tools.ietf.org/html/rfc7526

I believe Hurricane Electric still hosts 6to4 relays.

Regards,
Jordi



On 14/5/19 17:32, "NANOG on behalf of Amos Rosenboim" <nanog-bounces () nanog org on behalf of amos () oasis-tech net> wrote:

Hello,

As we are trying to tighten the security for IPv6 traffic in our network, I was looking for a reference IPv6 ingress filter.
I came up with Job Snijders' suggestion (thank you, Job), which can be conveniently found at: whois -h whois.ripe.net fltr-martian-v6

After applying the filter I noticed some traffic from 6to4 addresses (2002::/16) to our native IPv6 prefixes (residential users in this case).
The traffic is a mix of both UDP and TCP but all on high port numbers on both destination and source.
It seems to me like some P2P traffic, but I really can't tell.

This got me thinking, why should we filter these addresses at all?
I know 6to4 is mostly dead, but is it inherently bad?

And if so, why is the prefix (2002::/16) still being routed ?

I would love to hear some thoughts on this, and understand if others are actually filtering this at both the data plane and the control plane.

Thanks,

Amos Rosenboim
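As an added illustration of the question raised in this thread (not code from any of the posters or from the fltr-martian-v6 object), the following Python classifies IPv6 source addresses against a small martian list, and for 2002::/16 sources extracts the IPv4 address that RFC 3056 embeds in bits 16-47 (2002:V4ADDR::/48). A 6to4 source whose embedded IPv4 is private or reserved cannot come from a real 6to4 router, so it can be dropped regardless of one's policy on the prefix as a whole; the martian ranges and flow records below are constructed for the example, not taken from the filter or from Amos's network.

```python
import ipaddress

# Constructed subset of IPv6 martian ranges (not the real fltr-martian-v6 list).
MARTIANS_V6 = [ipaddress.ip_network(n) for n in
               ("::/8", "fc00::/7", "fe80::/10", "2001:db8::/32", "ff00::/8")]
SIXTO4 = ipaddress.ip_network("2002::/16")  # 6to4 prefix, RFC 3056


def embedded_ipv4(addr):
    """Return the IPv4 address carried in a 6to4 address (2002:V4ADDR::/48), or None."""
    a = ipaddress.IPv6Address(str(addr))
    if a not in SIXTO4:
        return None
    # Bits 16..47 (counted from the top of the 128-bit address) hold V4ADDR.
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def classify(addr, filter_6to4=False):
    """Classify a source as 'martian', '6to4-bogus', '6to4' or 'ok'."""
    a = ipaddress.IPv6Address(str(addr))
    if any(a in net for net in MARTIANS_V6):
        return "martian"
    v4 = embedded_ipv4(a)
    if v4 is not None:
        # An embedded IPv4 that is not globally routable (RFC 1918, TEST-NET,
        # loopback, ...) can never belong to a reachable 6to4 router.
        if not v4.is_global:
            return "6to4-bogus"
        return "martian" if filter_6to4 else "6to4"
    return "ok"


# Constructed flow records (src, dst, proto, sport, dport); the dst prefix is
# a placeholder standing in for a native residential prefix.
SAMPLE_FLOWS = [
    ("2002:0808:0808::1", "2001:db8:1::10", "udp", 51413, 6881),   # embedded 8.8.8.8
    ("2002:0a00:0001::1", "2001:db8:1::10", "tcp", 40000, 52011),  # embedded 10.0.0.1
    ("fe80::1", "2001:db8:1::10", "udp", 5353, 5353),              # link-local source
    ("2a02:1234::1", "2001:db8:1::10", "tcp", 44321, 51002),       # ordinary native source
]


def summarize(flows, filter_6to4=False):
    """Count flows per source class, so the effect of a 2002::/16 drop rule is visible."""
    counts = {}
    for src, *_ in flows:
        cls = classify(src, filter_6to4)
        counts[cls] = counts.get(cls, 0) + 1
    return counts
```

Running summarize over a real flow export with and without filter_6to4 shows how much of the observed 2002::/16 traffic is bogus on its face versus merely unwanted by policy.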