BCP for securing IPv6 Linux end node in AWS
JORDI PALET MARTINEZ
jordi.palet at consulintel.es
Mon May 15 11:18:29 UTC 2017
Just make sure that nothing breaks PTB as it happens if you don’t pay attention to ECMP.
RFC7690
1&1 in Germany has this issue since at least 18-24 months ago, so all their customers with IPv6 enabled are *broken* for anyone having a smaller MTU because tunnels or the ISP technology, etc. They are aware of that, I told them for many months, but is not yet fixed, so make sure you don’t use those data centers if you want to enable IPv6.
You can check this with any of their IPv6 enabled sites (thousands I guess), for example http://diskmakerx.com/
And a nice tool to check it:
https://nat64check.go6lab.si/
Regards,
Jordi
-----Mensaje original-----
De: NANOG <nanog-bounces at nanog.org> en nombre de Rich Kulawiec <rsk at gsp.org>
Responder a: <rsk at gsp.org>
Fecha: lunes, 15 de mayo de 2017, 12:57
Para: nanog list <nanog at nanog.org>
Asunto: Re: BCP for securing IPv6 Linux end node in AWS
On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote:
> I???ve reviewed some of the stuff out there, but apparently I???m
> catching too many of the ICMP types in the rejection as routing eventually
> breaks. My guess is router discovery gets broken by too tight of filters.
That's a good guess, but I would also guess that path MTU discovery
may be breaking. (Or not.) I think you may want to implement RFC 4890,
with a look at RFC 4443.
---rsk
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.
More information about the NANOG
mailing list