Hi Amos,
Just responded in another mailing list on this:
6to4 is still a valid protocol. IT SHOULD NOT be filtered. 6to4 uses the same protocol as other tunnels such as 6in4 (protocol 41).
https://www.ietf.org/rfc/rfc3056.txt
It works fine for peer to peer applications.
What the IETF deprecated is anycast for 6to4 relays:
https://tools.ietf.org/html/rfc7526
I believe Hurricane Electric still hosts 6to4 relays.
Regards,
Jordi
On 14/5/19 17:32, "NANOG on behalf of Amos Rosenboim" <nanog-bounces@nanog.org on behalf of amos@oasis-tech.net> wrote:
Hello,
As we are trying to tighten the security for IPv6 traffic in our network, I was looking for a reference IPv6 ingress filter.
I came up with Job Snijders' suggestion (thank you Job) that can be conveniently found at whois -h whois.ripe.net fltr-martian-v6
After applying the filter I noticed some traffic from 6to4 addresses (2002::/16) to our native IPv6 prefixes (residential users in this case).
The traffic is a mix of both UDP and TCP but all on high port numbers on both destination and source.
It seems to me like some P2P traffic, but I really can’t tell.
This got me thinking, why should we filter these addresses at all?
I know 6to4 is mostly dead, but is it inherently bad?
And if so, why is the prefix (2002::/16) still being routed?
I would love to hear some thoughts on this, and understand if others are actually filtering this at both data plane and control plane.
Thanks,
Amos Rosenboim
--
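An added example, not part of either message in this thread: RFC 3056 defines a 6to4 prefix as 2002:V4ADDR::/48, where V4ADDR is the global IPv4 address of the 6to4 router. That structure lets an ingress filter distinguish a 6to4 source whose embedded IPv4 could belong to a real 6to4 router from one whose embedded IPv4 is private, multicast or otherwise unroutable (which can never be legitimate), instead of blanket-dropping the whole 2002::/16. The script below uses only Python's standard ipaddress module; the sample addresses are constructed, and 11.22.33.44 is just a placeholder for "some public IPv4 address".

```python
"""Classify 6to4 (2002::/16) source addresses seen at an IPv6 ingress filter.

Added example for the NANOG thread above; it is not code from either poster.
Per RFC 3056 section 2, a 6to4 address is 2002:V4ADDR::/48 where V4ADDR is the
global IPv4 address of the 6to4 router, so the embedded IPv4 can be recovered
and sanity-checked rather than filtering all of 2002::/16.
"""
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
# Carrier-grade NAT space (RFC 6598) is not global either; checked explicitly
# because older ipaddress versions differ in how is_global treats it.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def embedded_ipv4(addr):
    """Return the IPv4Address embedded in a 6to4 address, or None if addr is not 6to4."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in SIX_TO_FOUR:
        return None
    # Bits 16..47 of the 128-bit address carry V4ADDR: bytes 2..5 of the packed form.
    return ipaddress.IPv4Address(ip.packed[2:6])


def classify(addr):
    """Return 'native', '6to4-valid' or '6to4-bogon' for one IPv6 source address.

    '6to4-bogon' means the embedded IPv4 is private, multicast, CGNAT, loopback,
    link-local or reserved: no 6to4 router can exist there, so dropping it is a
    defensible policy. '6to4-valid' carries a public IPv4 and corresponds to the
    legitimate peer-to-peer 6to4 traffic Jordi describes.
    """
    v4 = embedded_ipv4(addr)
    if v4 is None:
        return "native"
    if v4.is_global and not v4.is_multicast and v4 not in CGNAT:
        return "6to4-valid"
    return "6to4-bogon"


def summarize(addrs):
    """Count how many addresses fall into each class (useful before changing a filter)."""
    counts = {"native": 0, "6to4-valid": 0, "6to4-bogon": 0}
    for a in addrs:
        counts[classify(a)] += 1
    return counts


# Constructed sample of source addresses (not captured traffic):
SAMPLE_SOURCES = [
    "2002:c000:204::1",   # embeds 192.0.2.4 (documentation range, not global) -> bogon
    "2002:b16:212c::1",   # embeds 11.22.33.44 (placeholder public address)     -> valid
    "2002:a00:1::1",      # embeds 10.0.0.1 (RFC 1918)                          -> bogon
    "2002:e000:1::1",     # embeds 224.0.0.1 (multicast)                        -> bogon
    "2001:db8::1",        # native IPv6, not 6to4 at all                        -> native
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src:22} embedded={embedded_ipv4(src)} class={classify(src)}")
    print(summarize(SAMPLE_SOURCES))
```

Run against the source addresses from a flow export or firewall log, the summary shows how much of the 2002::/16 traffic is structurally impossible (and safe to drop) versus plausible 6to4 peers that a blanket fltr-martian-v6 entry would also silence.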