Time to add 2002::/16 to bogon filters?

Jared Mauch jared at puck.nether.net
Tue Jun 19 01:18:23 UTC 2018


> On Jun 18, 2018, at 8:31 PM, Mark Andrews <marka at isc.org> wrote:
> 
> If you are using 2002::/16 you know are relying on third parties.  Not that it is much
> different to any other address where you are relying on third parties.
> 
> If one is going to filter 2002::/16 from BGP then install your own gateway to preserve
> the functionality.

It does not appear the functionality is working at present, which I think is the more critical point.  Taking a quick sampling of where I see the packets going from two different networks, it doesn’t seem to be going where it’s expected, nor is it working as expected.  These appear to be at best routing leaks similar to leaking RFC 6761 space that should be under your local control.  They could also be seen as a privacy issue by taking packets destined to 2002::/16 somewhere unexpected and off-continent.

I would expect even in the cases where it does work, it would be subject to the same challenges faced by people using VPN services (being blocked from your kids’ favorite streaming services) and much poorer performance than native IPv4.

There is also the problem noted by Wes George with 6to4 being used in DNS amplification, which may be interesting.

http://iepg.org/2018-03-18-ietf101/wes.pdf

I don’t believe most providers are intending to offer 6to4 as a global service.  Even the large providers (e.g., Comcast) seem to have disabled it ~4+ years ago.  While I know there are people on the internet that like to hang on to legacy things, this is one that should end.  The networks and devices today no longer require this sort of transition technology, and the networks where it’s left won’t want it as it will be used for various bad things(tm).

- Jared
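
An added example, not part of the original post: a check a network operator could run to see which received prefixes a 2002::/16 bogon rule would drop, and which IPv4 address a 6to4 source address carries (a 6to4 address embeds the IPv4 address in the 32 bits after the 2002 prefix, per RFC 3056). The function names and all sample prefixes and addresses are constructed for illustration.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")  # the 6to4 range named in the thread


def is_6to4_route(prefix):
    """True for 2002::/16 itself or any more-specific inside it."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 6 and net.subnet_of(SIXTOFOUR)


def filter_routes(prefixes):
    """Split received prefixes into (accepted, dropped) under the bogon rule."""
    accepted, dropped = [], []
    for p in prefixes:
        (dropped if is_6to4_route(p) else accepted).append(p)
    return accepted, dropped


def embedded_ipv4(addr):
    """IPv4 address carried in bits 16-47 of a 6to4 address, else None."""
    ip = ipaddress.ip_address(addr)
    return ip.sixtofour if ip.version == 6 else None


def audit_sources(addrs):
    """Map each 6to4 source to (embedded IPv4, is it globally routable)."""
    report = {}
    for a in addrs:
        v4 = embedded_ipv4(a)
        if v4 is not None:
            # A non-global embedded address (e.g. RFC 1918) cannot be a
            # legitimate 6to4 site and is worth flagging in logs.
            report[a] = (str(v4), v4.is_global)
    return report


# Constructed sample data: received prefixes and source addresses from a log.
RECEIVED = ["2002::/16", "2002:c000:200::/40", "2001:db8::/32",
            "2000::/3", "192.0.2.0/24"]
SOURCES = ["2002:a00:1::53", "2002:808:808::1", "2001:db8::53", "192.0.2.9"]

if __name__ == "__main__":
    print(filter_routes(RECEIVED))
    print(audit_sources(SOURCES))
```

The route check matches only 2002::/16 and its more-specifics, so a covering aggregate such as 2000::/3 is left alone.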
