IPv6 ingress filter
amos at oasis-tech.net
Tue May 14 15:29:24 UTC 2019
As we are trying to tighten the security for IPv6 traffic in our network, I was looking for a reference IPv6 ingress filter.
I came up with Job Snijders suggestion (thank you Job) that can be conveniently found at whois -h whois.ripe.net fltr-martian-v6
After applying the filter I noticed some traffic from 6to4 addresses (2002::/16) to our native IPv6 prefixes (residential users in this case).
The traffic is a mix of both UDP and TCP but all on high port numbers on both destination and source.
It seems to me like some P2P traffic, but I really can’t tell.
This got me thinking, why should we filter these addresses at all ?
I know 6to4 is mostly dead, but is it inherently bad ?
And if so, why is the prefix (2002::/16) still being routed ?
I would love to hear some thoughts on this, and understand if others are actually filtering this at both data plane and control plane.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the NANOG