IPv6 ingress filter

Amos Rosenboim amos at oasis-tech.net
Tue May 14 15:29:24 UTC 2019


As we are trying to tighten the security for IPv6 traffic in our network, I was looking for a reference IPv6 ingress filter.
I came up with Job Snijders' suggestion (thank you Job) that can be conveniently found at whois -h whois.ripe.net fltr-martian-v6

After applying the filter I noticed some traffic from 6to4 addresses (2002::/16) to our native IPv6 prefixes (residential users in this case).
The traffic is a mix of both UDP and TCP but all on high port numbers on both destination and source.
It seems to me like some P2P traffic, but I really can’t tell.

This got me thinking, why should we filter these addresses at all?
I know 6to4 is mostly dead, but is it inherently bad?

And if so, why is the prefix (2002::/16) still being routed ?

I would love to hear some thoughts on this, and understand if others are actually filtering this at both data plane and control plane.


Amos Rosenboim
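As an added illustration of what such an ingress filter does with the 2002::/16 traffic described above (this is example code, not part of the original post and not the contents of the RIPE fltr-martian-v6 object), the script below applies a constructed subset of the usual IPv6 martian prefixes to constructed flow records and, for any source inside 2002::/16, decodes the IPv4 address that 6to4 embeds in the 32 bits directly below the prefix (RFC 3056). Seeing the embedded IPv4 is often the quickest way to tell whether a 6to4 source is a real relay or something that could never have been reached through one. The prefix list, the flow records and the 3fff:1::/32 "native" prefix (RFC 9637 documentation space, absent from 2019-era martian lists) are all assumptions made for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed subset of an IPv6 martian list in the spirit of the RIPE
# fltr-martian-v6 object. These are well-known IPv6 bogons; the exact
# contents of the RIPE object are NOT reproduced here (assumption).
MARTIANS_V6 = [
    ("::/8",          "unspecified / loopback / IPv4-compatible"),
    ("2001:db8::/32", "documentation (RFC 3849)"),
    ("2002::/16",     "6to4"),
    ("3ffe::/16",     "6bone, returned"),
    ("fc00::/7",      "unique local"),
    ("fe80::/10",     "link local"),
    ("fec0::/10",     "site local, deprecated"),
    ("ff00::/8",      "multicast"),
]
MARTIANS = [(ipaddress.IPv6Network(p), why) for p, why in MARTIANS_V6]
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def match_martian(addr: str) -> Optional[str]:
    """Return why `addr` is a martian, or None if the ingress filter passes it."""
    ip = ipaddress.IPv6Address(addr)
    for net, why in MARTIANS:
        if ip in net:
            return why
    return None


def decode_6to4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Extract the IPv4 address a 6to4 address carries (RFC 3056).

    2002:WWXX:YYZZ::/48 is derived from the IPv4 address WW.XX.YY.ZZ, i.e. the
    32 bits directly below the 16-bit 2002 prefix. Returns None outside 2002::/16.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIX_TO_FOUR:
        return None
    embedded = (int(ip) >> 80) & 0xFFFFFFFF  # bits 16..47 of the 128-bit address
    return ipaddress.IPv4Address(embedded)


def audit_flows(records: List[str]) -> List[Tuple[str, str]]:
    """Classify each 'src dst proto sport dport' record by its source address.

    A 6to4 source is additionally decoded so the operator can see which IPv4
    host (or relay) it claims to come from and whether that IPv4 is even
    globally routable.
    """
    verdicts = []
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, _dst, _proto, _sport, _dport = line.split()
        why = match_martian(src)
        if why is None:
            verdicts.append((src, "accept"))
        elif why == "6to4":
            v4 = decode_6to4(src)
            verdicts.append((src, f"drop: 6to4 from IPv4 {v4} (global={v4.is_global})"))
        else:
            verdicts.append((src, f"drop: {why}"))
    return verdicts


# Constructed sample flow records, not real traffic (assumption). 3fff:1::/32
# (RFC 9637 documentation space, absent from 2019-era martian lists) stands in
# for the operator's native prefix; 2001:db8::/32 is the classic documentation
# prefix and is itself a martian. High source/destination ports mirror the
# pattern described in the post.
SAMPLE_FLOWS = [
    "# src dst proto sport dport",
    "3fff:1:2::10 3fff:1:ff::1 tcp 51234 443",
    "2002:c000:204::1 3fff:1:ff::1 udp 49152 60123",
    "2002:0a00:1::1 3fff:1:ff::1 tcp 40000 50000",
    "2001:db8::1 3fff:1:ff::1 tcp 40001 50001",
    "fe80::1 3fff:1:ff::1 udp 546 547",
]

if __name__ == "__main__":
    for src, verdict in audit_flows(SAMPLE_FLOWS):
        print(f"{src:24} {verdict}")
```

The second 6to4 record decodes to 10.0.0.1, an RFC 1918 address that no public 6to4 relay could ever have returned traffic to; that is the kind of thing a plain prefix match hides and the decode makes visible. The same check could be run over a real flow export by swapping SAMPLE_FLOWS for the exported lines.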
