
RE: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4



-----BEGIN PGP SIGNED MESSAGE-----

Follen, Stephen wrote:

> A question related to Ingress Filtering of decapsulated 
> [tunneled] IPv6-in-IPv4 packets:
>  
> Section 3.6 of RFC 2893, IPv6 Transition Mechanisms, 
> indicates that "... a decapsulated packet MUST NOT be 
> forwarded unless the node has been explicitly configured to 
> forward such packets ..." and in section 4.3 "The 
> decapsulating node MUST verify that the tunnel source address 
> is acceptable before forwarding decapsulated packets ..."
> (the more recent draft-ietf-v6ops-mech-v2-00.txt, Basic IPv6 
> Transition Mechanisms provides similar guidance in sections 
> 3.6, 3.9 and 4.1)
>  
> The question is what to do in the case that the packets are 
> filtered / not forwarded:

SixXS POPs have the following policy:
 - Unconfigured tunnels, thus if a 'tunnel' is not known
   to the POP, return a proto 41 ICMP unreachable (IPv4)
 - Configured tunnels, but with the wrong source prefix,
   will return an IPv6 Administrative Filter. Note that
   if the OS of the POP doesn't support this it will
   be silently dropped, but that is currently only the
   case on one of the POPs.

Thus the POPs cannot be used if a tunnel is not configured.
And they can then only be used when the source prefix is correct,
that is, the prefix that was assigned to go over the tunnel.

Unfortunately I know of a couple of tunnelbrokers that do
not filter based on source prefix, allowing them to be used
for abusive means which cannot be tracked unless one checks
every hop's traffic stats, and as these are unavailable...

Also read up in: http://ip6.de.easynet.net/ipv6-minimum-peering.txt
aka "Minimum Technical IPv6 Peering Requirements (MIPP)" by Robert Kiessling.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen@unfix.org / http://unfix.org/~jeroen/

iQA/AwUBP04wdCmqKFIzPnwjEQLCYgCfUF7kiYeyrZ99trZ0AxcxuFBSLi8AnRf7
tYxrmgaFVabdQgJVJUXqTJn6
=LvDQ
-----END PGP SIGNATURE-----
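
The decapsulation policy described in the message above, sketched as an added example (not SixXS code and not part of the original post). The tunnel table, the addresses, and the function names `classify` and `build` are constructed for illustration. Two assumptions: a tunnel is identified by its outer IPv4 source address, and "IPv6 Administrative Filter" means ICMPv6 Destination Unreachable, code 1.

```python
import ipaddress
import struct

# Constructed tunnel table: outer IPv4 source -> IPv6 prefix assigned to that tunnel.
TUNNELS = {
    ipaddress.IPv4Address("192.0.2.10"): ipaddress.IPv6Network("2001:db8:100::/48"),
}

def classify(packet: bytes, icmp6_supported: bool = True) -> str:
    """Return the action the decapsulating node takes for one IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop-malformed"
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "drop-malformed"
    if packet[9] != 41:                     # protocol 41 = IPv6-in-IPv4
        return "not-proto-41"
    prefix = TUNNELS.get(ipaddress.IPv4Address(packet[12:16]))
    if prefix is None:
        # Unconfigured tunnel: ICMPv4 type 3 code 2 (protocol unreachable).
        return "icmpv4-protocol-unreachable"
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop-malformed"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src not in prefix:
        # Configured tunnel, wrong source prefix: ICMPv6 type 1 code 1 (assumed),
        # or a silent drop where the OS cannot generate it.
        return "icmpv6-admin-prohibited" if icmp6_supported else "drop-silent"
    return "forward"

def build(outer_src: str, inner_src: str, proto: int = 41) -> bytes:
    """Construct a minimal test packet (checksum left zero, no payload)."""
    v6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
          + ipaddress.IPv6Address(inner_src).packed
          + ipaddress.IPv6Address("2001:db8::1").packed)
    v4 = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, proto, 0)
          + ipaddress.IPv4Address(outer_src).packed
          + ipaddress.IPv4Address("198.51.100.1").packed)
    return v4 + v6

if __name__ == "__main__":
    for src4, src6 in [("192.0.2.10", "2001:db8:100::5"),
                       ("203.0.113.7", "2001:db8:100::5"),
                       ("192.0.2.10", "2001:db8:200::5")]:
        print(src4, src6, "->", classify(build(src4, src6)))
```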