Time to add 2002::/16 to bogon filters?
jared at puck.nether.net
Wed Jun 20 03:34:22 UTC 2018
> On Jun 19, 2018, at 8:03 PM, Mark Andrews <marka at isc.org> wrote:
>> On 20 Jun 2018, at 4:16 am, Wes George <wesgeorge at puck.nether.net> wrote:
>> On 6/18/18 7:34 PM, Mark Andrews wrote:
>>> If an ASN is announcing 2002::/16 then they are happy to get the traffic. If
>>> they don’t want it all they have to do is withdraw the prefix. It is not up to
>>> the rest of us to second guess their decision to keep providing support.
>> WG] I don't think that this is intentional in most cases anymore. It's
>> most likely legacy cruft/zombie services. Because it mostly operates
>> unattended and the few that are still using it probably don't notice
>> when it breaks nor can they figure out to whom they should complain
>> because anycast makes that nearly impossible, it continues operating
>> quietly in the dusty and disused corners of the net below a sign saying
>> "beware of the leopard" until the equipment gets retired or dies of old
>> age. Also this argument would carry more weight if it hadn't already
>> been had and concluded with RFC7526, and if it wasn't completely
>> disabled on MS products now:
>>> If you filter 2002::/16 then you are performing a denial-of-service attack on
>>> the few sites that are still using it DELIBERATELY.
>> WG] As opposed to the unintentional denial-of-service attacks that
>> happen all the time because of the inherent flaws in the implementation
>> and the low importance people place on first-class deployments of this
>> service? Sites that are still using it deliberately should have found a
>> more reliable solution years ago, even if it's a statically-provisioned
>> GRE or 6in4 tunnel. Plenty of tunnel brokers out there to facilitate
>> this if native IPv6 still isn't available. Keeping this around past its
>> sell-by date is simply enabling bad behavior and a bad user experience
>> for IPv6.
> Actually there aren’t plenty of tunnel brokers anymore. Lots have shut
> up shop in the last couple of years. HE is still there but the others
> are gone or are not accepting new tunnels.
> At the moment I’m waiting for sane routing between HE and Optus to move
> my tunnel end point closer. Crossing the Pacific twice to get to HE’s pop
> in Sydney is insane. If I used it for IPv6 traffic there would be 6 crossings
> of the Pacific for most IPv6 traffic to get an IPv6 reply. That’s 4 more than
> there should be.
> I don’t expect Optus to offer IPv6 any time soon.
Vote with your wallet? Does Optus offer a good 6to4 gateway? Right now the 6to4 gateway
I’m routed to is too far away to even make sense. Going from a US national eyeball provider
to Prague isn’t the right solution either.
At a previous job we tried to figure out if there was value in offering commercial IPv6
tunnels that would work around some of the problems you speak of. The problem is the
market wasn’t large enough to really justify it. I know a few folks working on offering
some commercial IPv6 transition solutions, perhaps they would be willing to sell it to
you or offer it for a freemium so you can provide feedback? I’d love to solve the physics
problem for you as well, but that’s perhaps a bit harder.