Request comment: list of IPs to block outbound

Brandon Martin lists.nanog at monmotha.net
Mon Oct 14 00:59:41 UTC 2019


On 10/13/19 3:36 PM, Stephen Satchell wrote:
> Are you saying that Teredo should come off the list?  Is this useful
> between an ISP and an edge firewall fronting an internal network?  Would
> I see inbound packets with a source address in the 2001::/32 netblock?

If you are running services which are "generally available to the 
public", you can absolutely expect to see these.  Anyone stuck behind an 
IPv6-hostile NAT44 is likely to end up using Teredo as the "transition 
mechanism of last resort".  It usually works, albeit with poor 
performance, in almost all situations unless the IPv6-hostile network 
has actively blocked it in their IPv4 ruleset.

I personally use Teredo somewhat frequently.  Yes, I could set up a 
similar tunneling mechanism to a network I control and get "production" 
addressing and probably better quality of service, but Teredo is as 
simple as "apt-get install miredo".  It's also available on stock 
Windows albeit (I think) disabled by default.

If your network only talks to specific, known destinations, then it's up 
to you.  Your network; your rules.  It's certainly unlikely you'll ever 
see any publicly accessible services of consequence being hosted in 
2001::/32 if only because the addressing tends to be somewhat transient 
and NAT hole punching unreliable for inbound, unsolicited data.

> In my research, this is marked as deprecated.  Would I see packets with
> a source address in the 2002::/16 netblock?

In theory, this is just as legitimate as Teredo.  In practice, it is 
indeed deprecated, and almost anyone who can set up 6to4 can get a 
"production" tunnel to someone like HE.net or likely has 6rd available 
from their native IPv4 provider.  It can also be tricky to prevent 
reflection type attacks using 6to4 address space.

IIRC, Windows used to set up 6to4 by default if it found it had what it 
believed to be publicly routable IPv4 connectivity, but I think this may 
now be disabled.  Some consumer routers did the same.  It was handy 
because you got a full /48 allowing non-NAT addressing of subtended 
networks and even prefix delegation if you wanted it.

While this probably falls under the same justifications as the above, in 
practice I'd say 6to4 is probably all but dead in terms of legitimate 
uses on the public Internet of today.  I haven't personally run 6to4 in 
over a decade.

6to4 was a neat idea, but I think it's dead, Jim.
-- 
Brandon Martin
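Added example (not Brandon's code, nor anything from the NANOG thread): before deciding whether blocking 2001::/32 or 2002::/16 at an edge firewall would cost you legitimate traffic, it helps to tally what actually shows up in your logs and to decode what the transition addresses embed. The classifier below uses only the standard library and the on-the-wire layouts from RFC 4380 (Teredo: server IPv4, flags, XOR-obfuscated port and client IPv4) and RFC 3056 (6to4: IPv4 in bits 16-47). Function names (`classify_ipv6`, `tally_sources`) are my own; the sample source addresses are constructed, the Teredo one being the RFC 4380 worked example (server 65.54.227.120, client 192.0.2.45, port 40000).

```python
import ipaddress
from collections import Counter

# Transition-mechanism prefixes discussed in the thread.
TEREDO_NET = ipaddress.IPv6Network("2001::/32")   # RFC 4380
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")   # RFC 3056


def classify_ipv6(addr_str):
    """Classify one IPv6 source address as teredo, 6to4 or native.

    For tunnelled addresses, decode the embedded IPv4 information so a
    defender can see who the tunnel endpoint claims to be and whether that
    claim is even plausible (an embedded IPv4 that is not globally routable
    cannot be a real 6to4 relay or Teredo client).
    """
    addr = ipaddress.IPv6Address(addr_str)
    packed = addr.packed  # 16 raw bytes, network byte order

    if addr in TEREDO_NET:
        # Bits 32-63: Teredo server IPv4 (stored in the clear).
        server = ipaddress.IPv4Address(packed[4:8])
        # Bits 64-79: flags (0x8000 = client is behind a cone NAT).
        flags = int.from_bytes(packed[8:10], "big")
        # Bits 80-95: client's external UDP port, XORed with 0xFFFF.
        port = int.from_bytes(packed[10:12], "big") ^ 0xFFFF
        # Bits 96-127: client's external IPv4, each byte XORed with 0xFF.
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in packed[12:16]))
        return {
            "kind": "teredo",
            "server": str(server),
            "client": str(client),
            "port": port,
            "cone_nat": bool(flags & 0x8000),
            "embedded_ipv4_is_global": client.is_global,
        }

    if addr in SIXTO4_NET:
        # Bits 16-47: the IPv4 address of the 6to4 router owning this /48.
        embedded = ipaddress.IPv4Address(packed[2:6])
        return {
            "kind": "6to4",
            "embedded_ipv4": str(embedded),
            "embedded_ipv4_is_global": embedded.is_global,
        }

    return {"kind": "native"}


def tally_sources(addresses):
    """Count how many observed source addresses fall in each class.

    Feed this the source column of a firewall or web-server log to see how
    much traffic a blanket block on 2001::/32 or 2002::/16 would discard.
    """
    return dict(Counter(classify_ipv6(a)["kind"] for a in addresses))


# Constructed sample of inbound source addresses, as a log extract might
# yield them; none of these are real observations.
SAMPLE_SOURCES = [
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # RFC 4380 Teredo example
    "2002:c000:201::1",                       # 6to4, embeds 192.0.2.1
    "2001:db8::1",                            # native (documentation prefix)
    "2001:db8:1::42",                          # native
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, "->", classify_ipv6(src))
    print(tally_sources(SAMPLE_SOURCES))
```

The `embedded_ipv4_is_global` field is the check worth keying alerts on: a 6to4 or Teredo source whose embedded IPv4 is private, loopback or otherwise non-routable is not a working tunnel endpoint, which is the sort of address that shows up in the reflection scenarios the thread mentions.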
