Fwd: Time to add 2002::/16 to bogon filters?
Dear working group,

Feedback welcome - should 2002::/16 still be accepted in the DFZ?

Kind regards,

Job

---------- Forwarded message ---------
From: Job Snijders <job@ntt.net>
Date: Mon, 18 Jun 2018 at 23:08
Subject: Time to add 2002::/16 to bogon filters?
To: NANOG [nanog@nanog.org] <nanog@nanog.org>

Dear all,

TL;DR: Perhaps it is time to add 2002::/16 to our EBGP bogon filters?

It is kind of strange that in the default-free zone (where we don't announce defaults to each other) we will propagate what is effectively an IPv4 default-route in the IPv6 DFZ.

IETF has politely abandoned the prefix: https://tools.ietf.org/html/rfc7526

Wes George highlighted operational problems from accepting 2002::/16 on the data-plane, slide 6: http://iepg.org/2018-03-18-ietf101/wes.pdf

Is there still really any legit reason left to accept, or propagate, 2002::/16 on EBGP sessions in the DFZ?

Kind regards,

Job
On Jun 18, 2018, at 5:28 PM, Job Snijders <job@ntt.net> wrote:
Dear working group,
Feedback welcome - should 2002::/16 still be accepted in the DFZ?
I think if providers still want to offer this as a service they can do this in their own networks, but it should not be generally in the DFZ. - Jared
If you receive packets sourced from 2002::/16, where do you plan to send responses? They are valid IPv6 packets and addresses. If you don't want to provide your customers with a route to 2002::/16 that is your business, but recommending that 2002::/16 is a bogon means no one should accept or advertise the route, which means no one can effectively use 6to4. I'm happy to say that, but not without some data to back it up.

On Mon, Jun 18, 2018 at 5:52 PM, Jared Mauch <jared@puck.nether.net> wrote:
On Jun 18, 2018, at 5:28 PM, Job Snijders <job@ntt.net> wrote:
Dear working group,
Feedback welcome - should 2002::/16 still be accepted in the DFZ?
I think if providers still want to offer this as a service they can do this in their own networks, but it should not be generally in the DFZ.
- Jared
--
David Farmer, Email: farmer@umn.edu
Networking & Telecommunication Services, Office of Information Technology, University of Minnesota
2218 University Ave SE, Minneapolis, MN 55414-3029
Phone: 612-626-0815, Cell: 612-812-9952
Hi,

On Mon, Jun 18, 2018 at 06:23:28PM -0500, David Farmer wrote:
If you receive packets sourced from 2002::/16, where do you plan to send responses? They are valid IPv6 packets and addresses.
I can see only two ways to handle those:
- run a local relay to send 2002::/16 -> IPv4 world
- drop these packets, hard
If you don't want to provide your customers with a route to 2002::/16 that is your business, but recommending that 2002::/16 is a bogon means no one should accept or advertise the route, which means no one can effectively use 6to4. I'm happy to say that, but not without some data to back it up.
No one *can* effectively use anycast 6to4, which was the whole point of the deprecation RFC. It needs to die, horribly, in flames. Anyone using it needs to feel the pain of enabling a broken protocol. ISPs need to have their customers call the help desk if they enable 6to4 on customer routers or in their own network, instead of deploying proper IPv6.

(Note that 6rd is not "anycast 6to4" and thus not subject to this rant.)

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen
Vorstand: Sebastian v. Bomhard, Michael Emmer
Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen), USt-IdNr.: DE813185279
Tel: +49 (0)89/32356-444
Dear WG,

Just a heads-up - we deployed a few days ago. NTT / AS 2914 now considers "2002::/16 le 128" and "192.88.99.0/24 le 32" to be bogon prefixes, and no longer accepts announcements for these destinations from any EBGP neighbor.

Kind regards,

Job
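The two prefix-set entries quoted in that message, "2002::/16 le 128" and "192.88.99.0/24 le 32", can be checked against sample announcements with the script below. It is an added example written for this thread, not NTT's configuration or any router vendor's syntax: the "le N" semantics (an entry matches the prefix itself and every more-specific prefix up to length N, but never a covering aggregate) follow the usual prefix-set convention, and the sample announcements are constructed. The last function decodes the IPv4 address embedded in a 6to4 address (RFC 3056 layout), which is what the local relay Gert mentions needs in order to know where packets sourced from or destined to 2002::/16 go on the IPv4 side.

```python
"""Check EBGP announcements against the 6to4 bogon entries from the thread.

Added example for this thread, not NTT's configuration. Entries use the
prefix-set form "PREFIX le N": the entry matches the prefix itself and every
more-specific prefix whose length is at most N. Sample data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class PrefixSetEntry:
    prefix: IPNetwork
    le: int  # longest prefix length that still matches this entry

    def matches(self, announced: IPNetwork) -> bool:
        # A v4 entry never matches a v6 announcement and vice versa.
        if announced.version != self.prefix.version:
            return False
        # Covered by the entry and no longer than 'le'. A covering aggregate
        # (e.g. 192.88.0.0/16 against "192.88.99.0/24 le 32") is not a match.
        return announced.subnet_of(self.prefix) and announced.prefixlen <= self.le


def parse_entry(text: str) -> PrefixSetEntry:
    """Parse 'PREFIX le N'; a bare PREFIX means exact match only."""
    parts = text.split()
    net = ipaddress.ip_network(parts[0], strict=True)
    if len(parts) == 1:
        return PrefixSetEntry(net, net.prefixlen)
    if len(parts) == 3 and parts[1] == "le":
        le = int(parts[2])
        if not net.prefixlen <= le <= net.max_prefixlen:
            raise ValueError(f"bad 'le' value in {text!r}")
        return PrefixSetEntry(net, le)
    raise ValueError(f"unsupported prefix-set entry: {text!r}")


# The two entries from the thread.
SIXTOFOUR_BOGONS: List[PrefixSetEntry] = [
    parse_entry("2002::/16 le 128"),
    parse_entry("192.88.99.0/24 le 32"),
]


def filter_announcements(announcements: Iterable[str],
                         bogons: Iterable[PrefixSetEntry] = SIXTOFOUR_BOGONS) -> Dict[str, str]:
    """Map each announced prefix to 'reject' if a bogon entry matches it, else 'accept'."""
    bogons = list(bogons)
    verdicts: Dict[str, str] = {}
    for text in announcements:
        net = ipaddress.ip_network(text, strict=True)
        hit = any(entry.matches(net) for entry in bogons)
        verdicts[text] = "reject" if hit else "accept"
    return verdicts


def embedded_ipv4(address: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address encoded in a 6to4 address (2002:WWXX:YYZZ::/48), else None.

    A 6to4 relay uses this to pick the IPv4 destination for a packet that
    arrived on the IPv6 side with a 2002::/16 destination address.
    """
    addr = ipaddress.ip_address(address)
    if addr.version != 6 or addr not in ipaddress.ip_network("2002::/16"):
        return None
    # RFC 3056 layout: bytes 2..5 of the 16-byte address carry the IPv4 address.
    return ipaddress.IPv4Address(addr.packed[2:6])


if __name__ == "__main__":
    # Constructed sample announcements, as they might arrive over EBGP.
    sample = [
        "2002::/16",           # the 6to4 prefix itself
        "2002:c000:204::/48",  # a single 6to4 site (embeds 192.0.2.4)
        "2001:db8::/32",       # unrelated IPv6 prefix
        "192.88.99.0/24",      # the anycast relay prefix
        "192.88.99.1/32",      # host route to the anycast relay address
        "192.88.0.0/16",       # covering aggregate; not a more-specific
    ]
    for prefix, verdict in filter_announcements(sample).items():
        print(f"{prefix:22} {verdict}")
    print("2002:c000:204::1 embeds", embedded_ipv4("2002:c000:204::1"))
```

The covering-aggregate case is the one worth keeping in mind when translating an entry like this into a live policy: "192.88.99.0/24 le 32" rejects the /24 and anything inside it, but a neighbor announcing 192.88.0.0/16 still passes, because a prefix-set entry only matches prefixes that fall within it.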
On Mon, Jun 18, 2018 at 4:28 PM, Job Snijders <job@ntt.net> wrote:
Dear working group,
Feedback welcome - should 2002::/16 still be accepted in the DFZ?
Kind regards,
Job
---------- Forwarded message ---------
From: Job Snijders <job@ntt.net>
Date: Mon, 18 Jun 2018 at 23:08
Subject: Time to add 2002::/16 to bogon filters?
To: NANOG [nanog@nanog.org] <nanog@nanog.org>
Dear all,
TL;DR: Perhaps it is time to add 2002::/16 to our EBGP bogon filters?
It is kind of strange that in the default-free zone (where we don't announce defaults to each other) we will propagate what is effectively an IPv4 default-route in the IPv6 DFZ.
IETF has politely abandoned the prefix: https://tools.ietf.org/html/rfc7526
RFC7526 most certainly does not deprecate or abandon the prefix 2002::/16.
From Section 4 of RFC7526:
This document formally deprecates the anycast 6to4 transition mechanism defined in [RFC3068] and the associated anycast IPv4 address 192.88.99.1. ... The basic unicast 6to4 mechanism defined in [RFC3056] and the associated 6to4 IPv6 prefix 2002::/16 are not deprecated.
Wes George highlighted operational problems from accepting 2002::/16 on the data-plane, slide 6: http://iepg.org/2018-03-18-ietf101/wes.pdf
I don't see a slide 6; slide 5 proposes to "Reject DNS queries from 2002::/16 and just let it fall back to IPv4." That seems reasonable to me, because by definition a 6to4 host should have IPv4 connectivity, and doing DNS over 6to4 seems like a really bad idea even if 6to4 is working for you. However, it's a long way from completely bogonising 2002::/16.
Is there still really any legit reason left to accept, or propagate, 2002::/16 on EBGP sessions in the DFZ?
Section 6 of RFC7526 has several recommendations; filtering 2002::/16 is not generally one of them. However, if your customers are not using 6to4 at all, then filtering 2002::/16 probably won't hurt anything. But that is not the same thing as saying that 2002::/16 is a bogon in all situations, and that is not supported by RFC7526. If you have other data to support bogonising 2002::/16, I'm happy to listen.
Kind regards,
Job
--
David Farmer, Email: farmer@umn.edu
Networking & Telecommunication Services, Office of Information Technology, University of Minnesota
2218 University Ave SE, Minneapolis, MN 55414-3029
Phone: 612-626-0815, Cell: 612-812-9952
participants (4)
- David Farmer
- Gert Doering
- Jared Mauch
- Job Snijders