Re: Time to add 2002::/16 to bogon filters?
Hi Youssef,
My original reply wasn't sent to the Nanog list.
Team Cymru considers 2002::/16 and 192.88.99.0/24 to be legitimate prefixes at this time, and will not be adding them to our bogon filters. Our interpretation of the 6to4 anycast RFC is that while these are encouraged to be made obsolete, in practice they may still be in use, excluding them from being universally defined as a bogon in our feed.
The RFC in question: https://tools.ietf.org/html/rfc7526
The rule, as it always should be, is to know your network, and know what is best for it. As noted in the RFC you are encouraged to review any current deployments and any existing filtering and adjust based on your own discretion.
Regards,
Gary McArtor
Team Cymru
On 6/28/18 2:32 PM, Rabbi Rob Thomas wrote:
FYI, the question has been raised. I'm not sure if this is wise or not. Gary, what are your thoughts?
-------- Forwarded Message --------
Subject: Re: Time to add 2002::/16 to bogon filters?
Date: Thu, 28 Jun 2018 21:11:22 +0200
From: Youssef Bengelloun-Zahr <bengelly@gmail.com>
To: Job Snijders <job@ntt.net>
CC: NANOG [nanog@nanog.org] <nanog@nanog.org>
Hello Job,
Thank you for this feedback. I guess that NTT adopting this as a best practice will ring some bells around.
Do you know if Team Cymru has updated their filters accordingly ?
Best regards.
Le 28 juin 2018 à 20:58, Job Snijders <job@ntt.net> a écrit :
Dear all,
Thank you all for your input. Just a heads-up - we deployed a few days ago.
NTT / AS 2914 now considers “2002::/16 le 128” and “192.88.99.0/24 le 32” to be bogon prefixes, and no longer accepts announcements for these destinations from any EBGP neighbor.
Kind regards,
Job
Le 2018-07-06 16:43, Gary McArtor a écrit :
Hi Youssef,
My original reply wasn't sent to the Nanog list.
Team Cymru considers 2002::/16 and 192.88.99.0/24 to be legitimate prefixes at this time, and will not be adding them to our bogon filters. Our interpretation of the 6to4 anycast RFC is that while these are encouraged to be made obsolete, in practice they may still be in use, excluding them from being universally defined as a bogon in our feed.
The RFC in question: https://tools.ietf.org/html/rfc7526
The rule, as it always should be, is to know your network, and know what is best for it. As noted in the RFC you are encouraged to review any current deployments and any existing filtering and adjust based on your own discretion.
Regards,
Gary McArtor
Team Cymru
On 6/28/18 2:32 PM, Rabbi Rob Thomas wrote:
FYI, the question has been raised. I'm not sure if this is wise or not. Gary, what are your thoughts?
-------- Forwarded Message --------
Subject: Re: Time to add 2002::/16 to bogon filters?
Date: Thu, 28 Jun 2018 21:11:22 +0200
From: Youssef Bengelloun-Zahr <bengelly@gmail.com>
To: Job Snijders <job@ntt.net>
CC: NANOG [nanog@nanog.org] <nanog@nanog.org>
Hello Job,
Thank you for this feedback. I guess that NTT adopting this as a best practice will ring some bells around.
Do you know if Team Cymru has updated their filters accordingly ?
Best regards.
Le 28 juin 2018 à 20:58, Job Snijders <job@ntt.net> a écrit :
Dear all,
Thank you all for your input. Just a heads-up - we deployed a few days ago.
NTT / AS 2914 now considers "2002::/16 le 128" and "192.88.99.0/24 le 32" to be bogon prefixes, and no longer accepts announcements for these destinations from any EBGP neighbor.
Kind regards,
Job
I think it's still used a bit ? I see today announcements over the following OriginAS over more than 2000 peers.
as1103 SURFnet bv
as1835 Forskningsnettet - Danish network for Research and Education
as2847 Kauno technologijos universitetas
as6939 HURRICANE
as16150 Availo Networks AB
as25192 CZ.NIC, z.s.p.o.
as28908 A3 Sverige AB
I'm pretty curious about customer impacts if you drop these anycast 6to4 prefixes from your RIB/FIB ;)
At home, I use the HE.net tunnel broker, because there is no native IPv6 (yes, we already lose matches against Belgium regarding IPv6 and ... beer), and a quick dump shows traffic to 2002::/16 :
sudo tcpdump -ni any 'net 2002::/16'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:10:59.588097 IP6 2002:6bab:c6c6:0:e561:b9f7:b221:a73.51413 > 2001:470:1f12:dead::beef.51413: UDP, length 94
15:10:59.588233 IP6 2001:470:1f12:dead::beef.51413 > 2002:6bab:c6c6:0:e561:b9f7:b221:a73.51413: UDP, length 365
So I'm pretty sure it's still used when no IPv6 is available from an eyeball provider, to mount a 6to4 tunnel over a provider that has a well-deployed IPv6 infrastructure. Perhaps some of the 6to4 tunnels can be tuned to not use anycast prefixes ?
--
FABIEN VINCENT _@beufanet_
On Mon, 09 Jul 2018 15:21:31 +0200, "Fabien VINCENT (NaNOG)" said:
I think it's still used a bit ? I see today announcements over the following OriginAS over more than 2000 peers.
as1103 SURFnet bv
as1835 Forskningsnettet - Danish network for Research and Education
as2847 Kauno technologijos universitetas
as6939 HURRICANE
as16150 Availo Networks AB
as25192 CZ.NIC, z.s.p.o.
as28908 A3 Sverige AB
Announced and used are two different things.. :)
sudo tcpdump -ni any 'net 2002::/16'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:10:59.588097 IP6 2002:6bab:c6c6:0:e561:b9f7:b221:a73.51413 > 2001:470:1f12:dead::beef.51413: UDP, length 94
15:10:59.588233 IP6 2001:470:1f12:dead::beef.51413 > 2002:6bab:c6c6:0:e561:b9f7:b221:a73.51413: UDP, length 365
I'm pretty sure that 2002: address is (a) *your* end of the tunnel and (b) only visible inside your network and *inside* the HE tunnel to the other end. In other words, it shouldn't be seen out on the public net if it's transiting an HE tunnel. I bet if you changed that '-i any' to '-i wlan' (for whatever your router calls the outbound-facing interface) you won't see traffic on 2002:
Le 2018-07-09 18:10, valdis.kletnieks@vt.edu a écrit :
On Mon, 09 Jul 2018 15:21:31 +0200, "Fabien VINCENT (NaNOG)" said:
I think it's still used a bit ? I see today announcements over the following OriginAS over more than 2000 peers.
as1103 SURFnet bv
as1835 Forskningsnettet - Danish network for Research and Education
as2847 Kauno technologijos universitetas
as6939 HURRICANE
as16150 Availo Networks AB
as25192 CZ.NIC, z.s.p.o.
as28908 A3 Sverige AB
Announced and used are two different things.. :)
sudo tcpdump -ni any 'net 2002::/16'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:10:59.588097 IP6 2002:6bab:c6c6:0:e561:b9f7:b221:a73.51413 > 2001:470:1f12:dead::beef.51413: UDP, length 94
15:10:59.588233 IP6 2001:470:1f12:dead::beef.51413 > 2002:6bab:c6c6:0:e561:b9f7:b221:a73.51413: UDP, length 365
I'm pretty sure that 2002: address is (a) *your* end of the tunnel and (b) only visible inside your network and *inside* the HE tunnel to the other end. In other words, it shouldn't be seen out on the public net if it's transiting an HE tunnel. I bet if you changed that '-i any' to '-i wlan' (for whatever your router calls the outbound-facing interface) you won't see traffic on 2002:
You're right, it does need to be public to work ;) So my question is why it is still announced, and was announced, in the DFZ ?
Regards,
--
FABIEN VINCENT _@beufanet_
2002::/16 is still valid - not a bogon as long as there is an IPv4 Internet.
Add the IPv4 bogons, though (2002:7f00:0000::/48 through 2002:7fff:ffff::/48, & others)
On July 9, 2018 3:06:00 PM PDT, "Fabien VINCENT (NaNOG)" <list-nanog@beufa.net> wrote:
Le 2018-07-09 18:10, valdis.kletnieks@vt.edu a écrit :
On Mon, 09 Jul 2018 15:21:31 +0200, "Fabien VINCENT (NaNOG)" said:
I think it's still used a bit ? I see today announcements over the following OriginAS over more than 2000 peers.
as1103 SURFnet bv
as1835 Forskningsnettet - Danish network for Research and Education
as2847 Kauno technologijos universitetas
as6939 HURRICANE
as16150 Availo Networks AB
as25192 CZ.NIC, z.s.p.o.
as28908 A3 Sverige AB
Announced and used are two different things.. :)
sudo tcpdump -ni any 'net 2002::/16'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:10:59.588097 IP6 2002:6bab:c6c6:0:e561:b9f7:b221:a73.51413 > 2001:470:1f12:dead::beef.51413: UDP, length 94
15:10:59.588233 IP6 2001:470:1f12:dead::beef.51413 > 2002:6bab:c6c6:0:e561:b9f7:b221:a73.51413: UDP, length 365
I'm pretty sure that 2002: address is (a) *your* end of the tunnel and (b) only visible inside your network and *inside* the HE tunnel to the other end. In other words, it shouldn't be seen out on the public net if it's transiting an HE tunnel. I bet if you changed that '-i any' to '-i wlan' (for whatever your router calls the outbound-facing interface) you won't see traffic on 2002:
You're right, it does need to be public to work ;) So my question is why it is still announced, and was announced, in the DFZ ?
Regards,
-- FABIEN VINCENT _@beufanet_
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
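Two points in this thread rest on the same piece of address arithmetic: Valdis's observation that the 2002: address in the capture is the poster's own end of a 6to4 tunnel (the IPv4 endpoint is literally embedded in bits 16..47 of the address, per RFC 3056), and LHC's suggestion to keep 2002::/16 but reject the 6to4 prefixes that embed IPv4 bogons (127.0.0.0/8 becomes 2002:7f00::/24, and so on). The Python below is an added example for this page, not code posted by any participant. It assumes an illustrative IPv4 bogon set (RFC 1918 and a few RFC 6890 special-purpose ranges); LHC's "& others" is not enumerated on the page, so that list is a constructed assumption, not the thread's. The `classify` helper matches the way a "2002::/16 le 128"-style prefix-list entry does: a prefix is caught only if it lies entirely inside a listed range.

```python
"""6to4 (2002::/16) address arithmetic, RFC 3056 style.

Added example for this thread; it is not code from any of the posters.
Assumption: IPV4_BOGONS is an illustrative selection of RFC 1918 /
RFC 6890 ranges, not the list any participant actually filters.
"""
import ipaddress
from typing import List, Optional

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Constructed IPv4 ranges that can never be a reachable 6to4 endpoint.
# Assumption: a typical practitioner's set, for illustration only.
IPV4_BOGONS = (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)


def ipv4_to_6to4(prefix: str) -> str:
    """Map an IPv4 prefix A.B.C.D/n to the 6to4 prefix that embeds it.

    RFC 3056 places the 32-bit IPv4 address in bits 16..47 of the IPv6
    address, so an IPv4 /n becomes a /(16+n) under 2002::/16, e.g.
    127.0.0.0/8 -> 2002:7f00::/24.
    """
    net = ipaddress.IPv4Network(prefix, strict=True)
    v6 = (0x2002 << 112) | (int(net.network_address) << 80)
    return str(ipaddress.IPv6Network((v6, 16 + net.prefixlen)))


def embedded_ipv4(addr: str) -> Optional[str]:
    """Recover the IPv4 address a 6to4 address was derived from, or None
    if the address is not under 2002::/16 (e.g. a 2001:470: HE prefix)."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4:
        return None
    return str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))


def sixto4_bogon_prefixes() -> List[str]:
    """The 6to4 prefixes a filter should reject even while 2002::/16
    itself stays accepted: those whose embedded IPv4 range is a bogon."""
    return [ipv4_to_6to4(p) for p in IPV4_BOGONS]


def classify(prefix: str) -> str:
    """Classify an IPv6 announcement with respect to 6to4.

    Returns "not-6to4", "6to4-ok" or "6to4-embedded-bogon". Only a prefix
    lying entirely inside an embedded-bogon range is rejected; 2002::/16
    itself, or any prefix covering a bogon range, is still "6to4-ok",
    which is the position that 2002::/16 is valid while IPv4 exists.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if not net.subnet_of(SIXTO4):
        return "not-6to4"
    for bogon in sixto4_bogon_prefixes():
        if net.subnet_of(ipaddress.IPv6Network(bogon)):
            return "6to4-embedded-bogon"
    return "6to4-ok"


if __name__ == "__main__":
    # The 2002: source address from the tcpdump capture quoted above.
    print(embedded_ipv4("2002:6bab:c6c6:0:e561:b9f7:b221:a73"))
    for p in sixto4_bogon_prefixes():
        print("deny", p)
```

Running it decodes the captured 2002:6bab:c6c6:... address to the IPv4 endpoint it was generated from, which is why Valdis expects it only on the tunnel side and not on the outbound interface, and prints the deny list LHC is asking for: 2002:7f00::/24 for 127.0.0.0/8, 2002:a00::/24 for 10.0.0.0/8, and so on, none of which overlap the 2002::/16 entry that remains accepted.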
participants (4)
- Fabien VINCENT (NaNOG)
- Gary McArtor
- LHC
- valdis.kletnieks@vt.edu