Time to add 2002::/16 to bogon filters?
jsklein at gmail.com
Tue Jun 19 01:32:51 UTC 2018
This week I began mapping IPv6 SPAM headers "Received:" and "X-Received:"
and have discovered over 50% are from:
10.0.0.0 – 10.255.255.255
2002:0a00:: - 2002:aff:ffff:ffff:ffff:ffff:ffff:ffff
172.16.0.0 – 172.31.255.255
2002:ac10:: - 2002:ac10:ffff:ffff:ffff:ffff:ffff:ffff
192.168.0.0 – 192.168.255.255
2002:c0A8:: - 2002:c0A8:ffff:ffff:ffff:ffff:ffff:ffff
Can anyone else confirm my findings?
"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8
On Mon, Jun 18, 2018 at 9:18 PM, Jared Mauch <jared at puck.nether.net> wrote:
> > On Jun 18, 2018, at 8:31 PM, Mark Andrews <marka at isc.org> wrote:
> > If you are using 2002::/16 you know are relying on third parties. Not that it is much
> > different to any other address where you are relying on third parties.
> > If one is going to filter 2002::/16 from BGP then install your own gateway to preserve
> > the functionality.
> It does not appear the functionality is working at present, which I think
> is the more critical point. Taking a quick sampling of where I see the
> packets going from two different networks, it doesn’t seem to be going
> where it’s expected, nor is it working as expected. These appear to be at
> best routing leaks similar to leaking rfc6761 space that should be under
> your local control. They could also be seen as a privacy issue by taking
> packets destined to 2002::/16 somewhere unexpected and off-continent.
> I would expect even in the cases where it does work, it would be subject
> to the same challenges faced by people using VPN services (being blocked
> from your kids favorite streaming services) and much poorer performance
> than native IPv4.
> There is also the problem noted by Wes George with 6to4 being used in DNS
> amplification, which may be interesting..
> I don’t believe most providers are intending to offer 6to4 as a global
> service. Even the large providers (eg: Comcast) seem to have disabled it
> ~4+ years ago. While I know there’s people on the internet that like to
> hang on to legacy things, this is one that should end. The networks and
> devices today no longer require this sort of transition technology, and the
> networks where it’s left won’t want it as it will be used for various bad
> - Jared
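The mapping behind the ranges listed at the top of this message is RFC 3056 6to4: a 2002::/16 address carries the IPv4 address in bits 16..47, so 2002:<IPv4 in hex>::/48 corresponds to one IPv4 host. The following is an added example, not code from this thread: it decodes 2002::/16 literals from constructed Received:/X-Received: lines, flags those embedding RFC 1918 space, and derives the 6to4 prefix for each RFC 1918 block so ranges like the ones above can be checked. All host names and header lines are constructed.

```python
"""Decode 6to4 (2002::/16) literals found in mail headers and flag those
whose embedded IPv4 address is RFC 1918 space (sample headers constructed)."""
import ipaddress
import re

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
PRIVATE_V4 = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIX_TO_FOUR_LITERAL = re.compile(r"2002:[0-9a-fA-F:]+")  # as found in Received:

def embedded_ipv4(addr):
    """IPv4 address (string) embedded in a 6to4 address, or None if not 6to4."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in SIX_TO_FOUR:
        return None
    # RFC 3056: bits 16..47 of a 2002::/16 address carry the IPv4 address.
    return str(ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF))

def six_to_four_prefix(v4net):
    """6to4 prefix covering an IPv4 network: 2002:<v4 bits>::/(16 + prefixlen)."""
    base = (0x2002 << 112) | (int(v4net.network_address) << 80)
    return str(ipaddress.IPv6Network((base, 16 + v4net.prefixlen)))

# RFC 1918 block -> the 6to4 prefix it maps onto, e.g. 10.0.0.0/8 -> 2002:a00::/24
PRIVATE_6TO4 = {str(net): six_to_four_prefix(net) for net in PRIVATE_V4}

def flag_private_6to4(header_lines):
    """(v6 literal, embedded v4, RFC 1918 block) for every 2002::/16 literal
    in the header lines whose embedded IPv4 address is private."""
    hits = []
    for line in header_lines:
        for literal in SIX_TO_FOUR_LITERAL.findall(line):
            try:
                v4 = embedded_ipv4(literal)
            except ValueError:  # not a well-formed IPv6 literal
                continue
            if v4 is None:
                continue
            for net in PRIVATE_V4:
                if ipaddress.ip_address(v4) in net:
                    hits.append((literal, v4, str(net)))
    return hits

# Constructed sample headers: the first two embed 192.168.1.1 and 172.16.0.5.
SAMPLE_HEADERS = [
    "Received: from mail.example.invalid ([2002:c0a8:101::1]) by mx.example.invalid",
    "X-Received: from [2002:ac10:5::1] by mx.example.invalid",
    "Received: from relay.example.invalid ([2001:db8::1]) by mx.example.invalid",
]
```

A 6to4 literal embedding private space cannot have come from a working 6to4 relay path and is a reasonable signal for filtering or scoring on the receiving MTA.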