In message <20150518180445.GB15755@puck.nether.net>, Jared Mauch writes:
> On Mon, May 18, 2015 at 04:57:59PM +0000, Darrin Veit wrote:
> > Also, some networking hardware and operators apply firewall policy to the IPv6 path contrary to RFC 6092 recommendations. Of particular concern are configurations where unsolicited inbound IKE/IPsec traffic is not permitted in the default operating mode. Growth of these non-conformant configurations puts the P2P benefit of the next generation Internet in jeopardy. It would be incredibly regrettable if IPv6 necessitated the high level of configuration and inefficiency currently required for IPv4.
> Many self-appointed IT experts have shot themselves in the foot in this regard. After 5+ years of trying to get sensible pMTU working inside an organization, or get IPv6 there, people need to undertake other methods to address these shortcomings. Stateful inspection devices (or packet eaters as I call them) improperly generate spurious warnings when they are presented with data they don't understand or expect.
And they also eat DNS packets with "unexpected" DNS opcodes. They eat DNS packets with EDNS version != 0. They eat DNS packets with an EDNS flag set that is not DO. They eat DNS packets with EDNS options (less so than EDNS version != 0 or EDNS flag). Different != bad. Different != malformed. Different should not equal drop. Nameservers return NOTIMP (RFC 103[45]), BADVERS or ignore and ignore (RFC 6891) respectively. There are no valid reasons to stop any of these extensions getting through to the nameserver as they handle them. 25 years ago blocking these may have been "reasonable" as some implementations were not up to scratch but we are not in the 1990's anymore. Nameservers have been attacked for 25 years. They have been hardened over that period. All dropping so-called "bad" DNS packets does is make it harder to deploy extensions. It doesn't save the nameserver. It doesn't "protect" the nameserver.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
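Added example, not part of the thread and not ISC or BIND code: a minimal wire-format DNS builder/parser, a toy nameserver that handles the four "different" queries the way RFC 1035 and RFC 6891 prescribe (NOTIMP for an unimplemented opcode, BADVERS for EDNS version != 0, unknown EDNS flags and options ignored), and a toy "packet eater" that drops the same queries instead. The queries, the message ID 0x1234, the order in which the server checks EDNS version before opcode, the option code 65001 and all function names are constructed for this illustration.

```python
"""Added example: 'different' DNS queries vs. a conformant nameserver and a packet eater."""
import struct

OPCODE_QUERY, OPCODE_STATUS = 0, 2   # RFC 1035 opcodes (STATUS is commonly unimplemented)
RCODE_NOERROR, RCODE_NOTIMP = 0, 4   # RFC 1035 rcodes
RCODE_BADVERS = 16                   # RFC 6891 extended rcode (ext_rcode=1, header rcode=0)
EDNS_FLAG_DO = 0x8000                # the one EDNS flag everyone expects
OPT_TYPE = 41
OPT_UNASSIGNED = 65001               # assumption: code from the local/experimental range

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(buf, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def build_opt(version=0, flags=0, options=(), ext_rcode=0, udp_size=4096):
    """OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP size, TTL packs rcode/version/flags."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata

def build_query(qname, qtype=1, opcode=OPCODE_QUERY, opt=None, msg_id=0x1234):
    flags = (opcode << 11) | 0x0100                      # RD set, QR clear
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1 if opt else 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1) + (opt or b"")

def parse(msg):
    """Parse header, skip the question, and pull out the OPT RR if present."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "opt": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                    # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == OPT_TYPE:
            opts, p = [], 0
            while p < len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                opts.append((code, rdata[p + 4:p + 4 + olen]))
                p += 4 + olen
            info["opt"] = {"version": (ttl >> 16) & 0xFF, "flags": ttl & 0xFFFF, "options": opts}
            info["rcode"] |= (ttl >> 24) << 4            # extended rcode lives in the OPT TTL
    return info

def conformant_nameserver(query):
    """Answer every 'different' query instead of dropping it (RFC 1035 4.1.1, RFC 6891 6.1.3)."""
    q = parse(query)
    rcode = RCODE_NOERROR
    if q["opt"] and q["opt"]["version"] != 0:
        rcode = RCODE_BADVERS        # unsupported EDNS version: BADVERS, answer with version 0
    elif q["opcode"] != OPCODE_QUERY:
        rcode = RCODE_NOTIMP         # opcode not implemented: NOTIMP
    hdr_flags = 0x8000 | (q["opcode"] << 11) | (rcode & 0xF)
    resp = struct.pack("!HHHHHH", q["id"], hdr_flags, 1, 0, 0, 1 if q["opt"] else 0)
    resp += query[12:skip_name(query, 12) + 4]           # echo the question section
    if q["opt"]:
        # Unknown EDNS flags are ignored (only DO is reflected) and unknown options are
        # ignored (not echoed); neither is a reason to reject the query.
        resp += build_opt(version=0, flags=q["opt"]["flags"] & EDNS_FLAG_DO,
                          options=(), ext_rcode=rcode >> 4)
    return resp

def packet_eater(query):
    """The middlebox behaviour under discussion: anything 'different' is silently dropped (None)."""
    q, o = parse(query), parse(query)["opt"]
    if q["opcode"] != OPCODE_QUERY or (
            o and (o["version"] != 0 or o["flags"] & ~EDNS_FLAG_DO or o["options"])):
        return None
    return conformant_nameserver(query)

# Constructed test queries, one per case Mark lists.
DIFFERENT_QUERIES = {
    "opcode STATUS":      build_query("example.com", opcode=OPCODE_STATUS),
    "EDNS version 1":     build_query("example.com", opt=build_opt(version=1)),
    "EDNS flag not DO":   build_query("example.com", opt=build_opt(flags=EDNS_FLAG_DO | 0x4000)),
    "unknown EDNS option": build_query("example.com", opt=build_opt(options=[(OPT_UNASSIGNED, b"x")])),
}

def compare():
    """For each query: (extended rcode from the nameserver, whether the packet eater dropped it)."""
    return {name: (parse(conformant_nameserver(q))["rcode"], packet_eater(q) is None)
            for name, q in DIFFERENT_QUERIES.items()}
```

Every query in `DIFFERENT_QUERIES` is well-formed; the nameserver answers each one (NOTIMP, BADVERS, NOERROR with the unknown flag cleared, NOERROR with the unknown option dropped), while the packet eater returns nothing for all four, which is exactly the behaviour that makes new extensions undeployable without buying the nameserver any protection.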