Usage of Teredo and IPv6 for P2P on Windows 10 and Xbox One
marka at isc.org
Mon May 18 22:25:53 UTC 2015
In message <20150518180445.GB15755 at puck.nether.net>, Jared Mauch writes:
> On Mon, May 18, 2015 at 04:57:59PM +0000, Darrin Veit wrote:
> > Also, some networking hardware and operators apply firewall policy to
> > the IPv6 path contrary to RFC 6092 recommendations. Of particular concern
> > are configurations where unsolicited inbound IKE/IPsec traffic is not
> > permitted in the default operating mode. Growth of these non-conformant
> > configurations puts the P2P benefit of the next generation Internet in
> > jeopardy. It would be incredibly regrettable if IPv6 necessitated the
> > high level of configuration and inefficiency currently required for IPv4.
> Many self-appointed IT experts have shot themselves in the foot
> in this regard. After 5+ years of trying to get sensible pMTU working
> inside an organization, or get IPv6 there people need to undertake other
> methods to address these shortcomings. Stateful inspection devices
> (or packet eaters as I call them) improperly generate spurious warnings
> when they are presented with data they don't understand or expect.
And they also eat DNS packets with "unexpected" DNS opcodes.
They eat DNS packets with EDNS version != 0.
They eat DNS packets with an EDNS flag set that is not DO.
They eat DNS packets with EDNS options (less so than EDNS version != 0
or EDNS flag).

Different != bad. Different != malformed. Different should not equal drop.

Nameservers return NOTIMP (RFC 103), BADVER or ignore and ignore
(RFC 6891) respectively. There are no valid reasons to stop any
of these extensions getting through to the nameserver as they handle
them. 25 years ago blocking these may have been "reasonable" as
some implementations were not up to scratch, but we are not in the
1990s anymore. Nameservers have been attacked for 25 years. They
have been hardened over that period.

All dropping so-called "bad" DNS packets does is make it harder
to deploy extensions. It doesn't save the nameserver. It doesn't
"protect" the nameserver.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
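As an added illustration, not part of the message or of any ISC code: a small wire-format check showing how a conformant nameserver classifies the four "different" packets listed above (unknown opcode to NOTIMP per RFC 1035, EDNS version != 0 to BADVERS per RFC 6891, unknown EDNS flags and options simply ignored). The query names and the option code 65001 are constructed sample values, and treating only opcode QUERY as supported is a simplification.

```python
import struct

# RCODEs a conformant server uses for the cases discussed (RFC 1035, RFC 6891).
NOERROR, NOTIMP, BADVERS = 0, 4, 16
OPCODES_SUPPORTED = {0}          # simplification: QUERY only
DO_FLAG = 0x8000                 # the only assigned EDNS flag
# Constructed sample option: code 65001 (local/experimental range), empty data.
UNKNOWN_OPTION = struct.pack("!HH", 65001, 0)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, opcode=0, edns_version=0, edns_flags=0, options=b""):
    """Constructed A/IN query with one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, (opcode & 0xF) << 11, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext RCODE|version|flags
    ttl = ((edns_version & 0xFF) << 16) | (edns_flags & 0xFFFF)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, ttl, len(options)) + options
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:         # compression pointer
            return off + 2
        off += 1 + n

def conformant_rcode(msg):
    """RCODE a conformant nameserver answers with; nothing here is a drop."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if (flags >> 11) & 0xF not in OPCODES_SUPPORTED:
        return NOTIMP                # RFC 1035: unexpected opcode
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 41 and (ttl >> 16) & 0xFF != 0:
            return BADVERS           # RFC 6891: unsupported EDNS version
        # rtype 41 with non-DO flags or unknown options: ignored, not an error
        off += 10 + rdlen
    return NOERROR
```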