Re: IPv6 ingress filtering

2019-05-16 Thread Brian E Carpenter
On 17-May-19 06:34, David Farmer wrote:
> 
> 
> On Thu, May 16, 2019 at 1:20 PM Sander Steffann wrote:
> 
> Hi David,
> 
> > While I happen to agree with you 2002::/16 SHOULD NOT be filtered, and 
> RFC 7526 is quite clear that 2002::/16 is still valid. However, it is 
> perfectly permissible to filter it, if that is the policy a network operator 
> wishes to enforce.
> 
> With the 6to4 anycast relays deprecated the only 6to4 traffic should be 
> src 2002::/16 and dst 2002::/16. Sites that are not using 6to4 themselves can 
> filter 2002::/16. Everybody else will only see IPv4+proto41 traffic, which is 
> not impacted by that filter.
> 
> 
> NO! RFC3056 includes a gateway functionality, it is just not Anycast.

Indeed. The Anycast hack was invented some time after 6to4 was standardised, 
and for a completely different purpose. Filtering the 6to4 IPv4 anycast address 
is a sensible thing to do for an IPv6-supporting ISP. Filtering 2002::/16 is 
unnecessary and breaks harmless traffic. (And there is so little such traffic 
that it is truly harmless.)

   Brian

> It is possible to locally gateway traffic to native IPv6 and then you would 
> get traffic sourced from 2002::/16 and then you need to send traffic to a 
> return gateway.  Now, most traffic you are seeing is probably coming from the 
> public anycast gateways that are still running, but it doesn't have to be. As 
> I said elsewhere in the thread, it's complicated and filtering is easy. Read 
> RFC7526 very carefully, if you care, if you don't just filter it.
> 
> Thanks
> -- 
> ===
> David Farmer               Email:far...@umn.edu 
> 
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota  
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===
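As an added example (not code from anyone in this thread), the Python below contrasts the two filters under discussion: a blanket drop of 2002::/16 also catches the 6to4-to-native-IPv6 gateway traffic David describes, whereas dropping proto-41 traffic aimed at the 6to4 relay anycast prefix (192.88.99.0/24, RFC 3068, deprecated by RFC 7526) touches only the relay path Brian says an ISP can sensibly block. It goes one step beyond the thread by decoding the IPv4 address embedded in a 6to4 source and rejecting sources whose embedded address is non-global (RFC 3056 requires a globally unique IPv4 address); the non-global range list is a deliberately minimal assumption and all sample addresses are constructed.

```python
import ipaddress

# RFC 3056 6to4 prefix and the RFC 3068 relay anycast prefix (deprecated by RFC 7526).
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
RELAY_ANYCAST = ipaddress.ip_network("192.88.99.0/24")
PROTO_41 = 41  # IPv6-in-IPv4 encapsulation

# Ranges an embedded IPv4 address must never come from (RFC 3056 requires a
# globally unique IPv4 address). Assumed minimal list; extend for production use.
NON_GLOBAL_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def embedded_ipv4(addr):
    """IPv4 address carried in bits 16..47 of a 2002:V4ADDR::/48 address, else None."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def classify(src, dst):
    """Label an IPv6 flow by which ends are 6to4 addresses."""
    s = ipaddress.IPv6Address(src) in SIX_TO_FOUR
    d = ipaddress.IPv6Address(dst) in SIX_TO_FOUR
    return {(True, True): "6to4-to-6to4", (True, False): "6to4-to-native",
            (False, True): "native-to-6to4", (False, False): "native"}[(s, d)]


def blanket_2002_filter_drops(src, dst):
    """The filter Sander proposes: drop any IPv6 packet with a 2002::/16 end."""
    return classify(src, dst) != "native"


def anycast_filter_drops(v4_dst, proto):
    """The filter Brian endorses: drop only proto-41 traffic to the relay anycast prefix."""
    return proto == PROTO_41 and ipaddress.IPv4Address(v4_dst) in RELAY_ANYCAST


def plausible_6to4_source(src):
    """Finer check than a blanket drop: the embedded IPv4 must be globally routable."""
    v4 = embedded_ipv4(src)
    return v4 is not None and not any(v4 in n for n in NON_GLOBAL_V4)
```

With the constructed source 2002:c000:201::1 (embedded 192.0.2.1) sending to native 2001:db8::1, the blanket filter drops the flow while the anycast filter never sees it; a 6to4 source embedding 10.1.2.3 fails the plausibility check and can be dropped without touching the rest of 2002::/16.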



Re: IPv6 ingress filtering

2019-05-16 Thread David Farmer
On Thu, May 16, 2019 at 1:20 PM Sander Steffann  wrote:

> Hi David,
>
> > While I happen to agree with you 2002::/16 SHOULD NOT be filtered, and
> RFC 7526 is quite clear that 2002::/16 is still valid. However, it is
> perfectly permissible to filter it, if that is the policy a network
> operator wishes to enforce.
>
> With the 6to4 anycast relays deprecated the only 6to4 traffic should be
> src 2002::/16 and dst 2002::/16. Sites that are not using 6to4 themselves
> can filter 2002::/16. Everybody else will only see IPv4+proto41 traffic,
> which is not impacted by that filter.
>

NO! RFC3056 includes a gateway functionality, it is just not Anycast.  It is
possible to locally gateway traffic to native IPv6 and then you would get
traffic sourced from 2002::/16 and then you need to send traffic to a
return gateway.  Now, most traffic you are seeing is probably coming from
the public anycast gateways that are still running, but it doesn't have to
be. As I said elsewhere in the thread, it's complicated and filtering is
easy. Read RFC7526 very carefully, if you care, if you don't just filter it.

Thanks
-- 
===
David Farmer   Email:far...@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE   Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===


Re: IPv6 ingress filtering

2019-05-16 Thread Sander Steffann
Hi David,

> While I happen to agree with you 2002::/16 SHOULD NOT be filtered, and RFC 
> 7526 is quite clear that 2002::/16 is still valid. However, it is perfectly 
> permissible to filter it, if that is the policy a network operator wishes to 
> enforce.

With the 6to4 anycast relays deprecated the only 6to4 traffic should be src 
2002::/16 and dst 2002::/16. Sites that are not using 6to4 themselves can 
filter 2002::/16. Everybody else will only see IPv4+proto41 traffic, which is 
not impacted by that filter.

Cheers,
Sander


