Time to add 2002::/16 to bogon filters?

Ca By cb.list6 at gmail.com
Tue Jun 19 00:37:40 UTC 2018


On Mon, Jun 18, 2018 at 5:31 PM Mark Andrews <marka at isc.org> wrote:

> If you are using 2002::/16 you know are relying on third parties.


I highly doubt most people using 6to4 know they are using it, let alone
the arbitrary nature of its routing.

> Not that it is much different to any other address where you are relying
> on third parties.
>
> If one is going to filter 2002::/16 from BGP then install your own gateway
> to preserve the functionality.
>
> > On 19 Jun 2018, at 10:23 am, Ca By <cb.list6 at gmail.com> wrote:
> >
> >
> >
> > On Mon, Jun 18, 2018 at 4:37 PM Mark Andrews <marka at isc.org> wrote:
> > If an ASN is announcing 2002::/16 then they are happy to get the traffic.  If
> > they don’t want it all they have to do is withdraw the prefix.  It is not up to
> > the rest of us to second guess their decision to keep providing support.
> >
> > That sounds like an interesting attack scenario where a malicious actor
> > can insert themselves in a path, via bgp, announcing 6to4 space
> >
> >
> > If you filter 2002::/16 then you are performing a denial-of-service attack on
> > the few sites that are still using it DELIBERATELY.
> >
> > None of the problems required removing it from BGP.  There were end sites that
> > had firewalls that blocked 6to4 responses and the odd site that ran a gateway
> > and failed to properly manage it.  The rest could have been dealt with by
> > configuring more gateways.  If every dual stacked ASN had run their own gateways
> > there wouldn’t have been a scaling issue.  i.e. take the 2002::/16 traffic and
> > dump it onto IPv4 as soon as possible and take the encapsulated traffic for the
> > rest of IPv6 and de-encapsulate it as soon as possible.
> >
> > Mark
> > > On 19 Jun 2018, at 8:56 am, McBride, Mack <C-Mack.McBride at charter.com> wrote:
> > >
> > > This should have been filtered before.
> > > Lots of people improperly implemented this so it caused issues.
> > >
> > > Mack
> > >
> > > -----Original Message-----
> > > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of John Kristoff
> > > Sent: Monday, June 18, 2018 3:48 PM
> > > To: Job Snijders <job at ntt.net>
> > > Cc: NANOG [nanog at nanog.org] <nanog at nanog.org>
> > > Subject: Re: Time to add 2002::/16 to bogon filters?
> > >
> > > On Mon, 18 Jun 2018 21:08:05 +0000
> > > Job Snijders <job at ntt.net> wrote:
> > >
> > >> TL;DR: Perhaps it is time to add 2002::/16 to our EBGP bogon filters?
> > >
> > > Hi Job,
> > >
> > > I've been asking people about this recently.  I don't particularly like
> > > having misdirected traffic or badly configured hosts sending junk to
> > > those who happen to be announcing addresses from this prefix.  I'm
> > > planning on adding this to a bogon filter here.
> > >
> > > John
> > >
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> >
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>
>
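
An added example, not part of the original thread or any poster's code: a prefix-and-longer bogon check for 2002::/16, plus an audit of observed source addresses to see who would be affected before filtering. The sample announcements and sources are constructed (documentation ranges stand in for public IPv4 addresses), and `bogon_action` and `audit_sources` are hypothetical helper names.

```python
import ipaddress
from collections import Counter

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # prefix discussed in the thread
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def bogon_action(prefix, bogons=(SIX_TO_FOUR,)):
    """'reject' when an announced prefix equals or is more specific than a bogon."""
    net = ipaddress.ip_network(prefix)
    hit = any(net.version == b.version and net.subnet_of(b) for b in bogons)
    return "reject" if hit else "accept"


def audit_sources(addresses):
    """Count 6to4 sources per embedded IPv4 address and flag unusable ones."""
    sites, broken = Counter(), []
    for text in addresses:
        v4 = ipaddress.IPv6Address(text).sixtofour  # None unless in 2002::/16
        if v4 is None:
            continue
        sites[str(v4)] += 1
        if any(v4 in n for n in RFC1918):
            # Embedded IPv4 is not globally reachable, so relayed replies
            # cannot be delivered back to this host.
            broken.append(text)
    return sites, broken


# Constructed sample data.
ANNOUNCEMENTS = ["2002::/16", "2002:c000:204::/48", "2001:db8::/32", "192.0.2.0/24"]
SOURCES = ["2002:c000:204::1", "2002:c000:204::2", "2002:a00:1::1",
           "2001:db8::10", "2002:c633:6407::9"]

if __name__ == "__main__":
    for p in ANNOUNCEMENTS:
        print(f"{p:22} {bogon_action(p)}")
    sites, broken = audit_sources(SOURCES)
    print("6to4 sites by embedded IPv4:", dict(sites))
    print("6to4 sources embedding RFC 1918 space:", broken)
```
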


