Mailing List Archive

On Fri, May 17, 2019 at 6:38 AM Gert Doering <gert@space.net> wrote:

> Hi,
>
> On Thu, May 16, 2019 at 01:51:51PM -0700, Nick Buraglio wrote:
> > Native IPv6 is clearly the right way to implement the service. However,
> my
> > question is "why filter 2002::/16?". It doesn't pose any more risk than a
> > native IPv6 address and there are some reasons to use it. Filtering it is
> > wrought with the possibilities for poor customer experience. My stance is
> > typically "don't filter $stuff unless you can identify a well defined
> > risk".
>
> Filtering it would allow the client to fall back to IPv4, instead of
> letting it go onward with poor IPv6.
>
> Unless you run a local relay you'll be hard pressed today to find any
> case where 2002:: to *non* 2002:: traffic won't be significantly worse
> than "just do IPv4" (in terms of "latency", "reliability", "packet loss").
>
> 2002:: to 2002:: is usually OK, as it follows the IPv4 path between
> both sides (thus, same latency, packet loss, etc).
>

A few questions;

Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined
to 2002::/16?
Are you generating ICMPv6 toward 2002::/16 source for traffic destined to
non-2002::/16?
For the later, where are you getting the route for 2002::/16 from?

Thanks
--
===============================================
David Farmer Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================

Hi,

On Fri, May 17, 2019 at 12:55:33PM -0500, David Farmer wrote:
> A few questions;
>
> Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined
> to 2002::/16?
> Are you generating ICMPv6 toward 2002::/16 source for traffic destined to
> non-2002::/16?
> For the later, where are you getting the route for 2002::/16 from?

Indeed, as you said, filtering correctly (= ICMP unreachable, so clients
can fail over quickly [if HE is not in use]) is hard.

We still run our own relay, so do not filter today. Mostly because I
know it works and (since it's our relay) I can rely on it to not break
things for people - and haven't had time to change that to "filter".

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

On 18-May-19 06:12, Gert Doering wrote:
> Hi,
>
> On Fri, May 17, 2019 at 12:55:33PM -0500, David Farmer wrote:
>> A few questions;
>>
>> Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined
>> to 2002::/16?
>> Are you generating ICMPv6 toward 2002::/16 source for traffic destined to
>> non-2002::/16?
>> For the later, where are you getting the route for 2002::/16 from?
>
> Indeed, as you said, filtering correctly (= ICMP unreachable, so clients
> can fail over quickly [if HE is not in use]) is hard.
>
> We still run our own relay, so do not filter today. Mostly because I
> know it works and (since it's our relay) I can rely on it to not break
> things for people - and haven't had time to change that to "filter".

And surely the question is "What would produce the most help desk calls?".
Filtering something that is presumably working for its remaining users
might not be a good idea from that point of view.

Brian

Forgive the intrusion, as I seek a bit of clarity.

MSFT DirectAccess seems to use the address range in question:

Tunnel adapter iphttpsinterface:

Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
Link-local IPv6 Address . . . . . : fe80::75e4:c4b3:fae6:237c%2
Default Gateway . . . . . . . . . :

It seems to me that filtering this range might hurt a bit, unless I'm
mistaking what some are proposing.

Kurt

On Fri, May 17, 2019 at 1:06 PM Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:
>
> On 18-May-19 06:12, Gert Doering wrote:
> > Hi,
> >
> > On Fri, May 17, 2019 at 12:55:33PM -0500, David Farmer wrote:
> >> A few questions;
> >>
> >> Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined
> >> to 2002::/16?
> >> Are you generating ICMPv6 toward 2002::/16 source for traffic destined to
> >> non-2002::/16?
> >> For the later, where are you getting the route for 2002::/16 from?
> >
> > Indeed, as you said, filtering correctly (= ICMP unreachable, so clients
> > can fail over quickly [if HE is not in use]) is hard.
> >
> > We still run our own relay, so do not filter today. Mostly because I
> > know it works and (since it's our relay) I can rely on it to not break
> > things for people - and haven't had time to change that to "filter".
>
> And surely the question is "What would produce the most help desk calls?".
> Filtering something that is presumably working for its remaining users
> might not be a good idea from that point of view.
>
> Brian

Brian E Carpenter wrote on 17/05/2019 21:06:
> And surely the question is "What would produce the most help desk calls?".
> Filtering something that is presumably working for its remaining users
> might not be a good idea from that point of view.

6to4 connectivity is probably already too broken to use. Here are some
atlas measurements from a couple of days ago:

https://atlas.ripe.net/measurements/21449877/
https://atlas.ripe.net/measurements/21449878/
https://atlas.ripe.net/measurements/21449879/

This was 3-packet ping from the same 1000 probes to three ipv6 hosts.
The results were:

server in IE: 14.5% unreachability
www.kame.net: 15.0% unreachability
random 6to4 address: 23.1% unreachability

What's also unfortunate is after downloading the json results:

> % cat *.txt | jq '.[] | select (.rcvd == 0) | .from' | cut -d\" -f2 | grep ^2002 | sort | uniq -c
> 2 2002:2ea7:331c:0:1ad6:c7ff:fe2a:1a7c
> 1 2002:4e1a:aba9:10:fa1a:67ff:fe4d:7ee9
> 1 2002:4e79:421e:0:a62b:b0ff:fee0:ae0
> 1 2002:5253:a51b:0:1:e3ff:febb:121b
> 2 2002:55d4:648c:0:f6f2:6dff:fe5d:a19c
> 1 2002:566:3896:0:6666:b3ff:feb0:e87a
> 3 2002:568:1047:1:220:4aff:fee0:20ac
> 2 2002:592:4daf:0:1:7dff:feac:317e
> 2 2002:5aba:3e12:1:eade:27ff:fe69:b644
> 1 2002:5b64:65f8:0:a62b:b0ff:fee0:1572
> 2 2002:5b73:5fdd:ffff:c66e:1fff:fe3a:d118
> 2 2002:8603:d75b:0:280:a3ff:fe91:408d
> 1 2002:b2f8:fe64:0:a2f3:c1ff:fec4:591c
> 2 2002:d58f:794c:0:eade:27ff:fe69:c8fa
> 2 2002:d5d1:57ac:1:c24a:ff:fecc:99fa
> %

I.e. 1.5% of the sample probes were using 6to4. Of these, 8 had
connectivity to the two control hosts, but not to the 6to4 host. This
is awful!

Anyway, none of this exceeds the level of "anecdatum", but it's
potentially interesting nonetheless, and it does suggest connectivity
problems between the 6to4 network and chunks of the native ipv6 internet.

Nick

Hi,

On Fri, May 17, 2019 at 01:45:56PM -0700, Kurt Buff - GSEC, GCIH wrote:
> Forgive the intrusion, as I seek a bit of clarity.
>
> MSFT DirectAccess seems to use the address range in question:
>
> Tunnel adapter iphttpsinterface:
>
> Connection-specific DNS Suffix . :
> IPv6 Address. . . . . . . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> Link-local IPv6 Address . . . . . : fe80::75e4:c4b3:fae6:237c%2
> Default Gateway . . . . . . . . . :
>
> It seems to me that filtering this range might hurt a bit, unless I'm
> mistaking what some are proposing.

not being an MS DirectAccess expert I'd say that - given DA is a VPN technology, using IP-HTTPS as a (somewhat proprietary) tunnel tech - these addresses shouldn't be visible too much "in the [public] IPv6 Internet" so the proposed filtering (of this thread) shouldn't come into play.

cheers

Enno




>
> Kurt
>
> On Fri, May 17, 2019 at 1:06 PM Brian E Carpenter
> <brian.e.carpenter@gmail.com> wrote:
> >
> > On 18-May-19 06:12, Gert Doering wrote:
> > > Hi,
> > >
> > > On Fri, May 17, 2019 at 12:55:33PM -0500, David Farmer wrote:
> > >> A few questions;
> > >>
> > >> Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined
> > >> to 2002::/16?
> > >> Are you generating ICMPv6 toward 2002::/16 source for traffic destined to
> > >> non-2002::/16?
> > >> For the later, where are you getting the route for 2002::/16 from?
> > >
> > > Indeed, as you said, filtering correctly (= ICMP unreachable, so clients
> > > can fail over quickly [if HE is not in use]) is hard.
> > >
> > > We still run our own relay, so do not filter today. Mostly because I
> > > know it works and (since it's our relay) I can rely on it to not break
> > > things for people - and haven't had time to change that to "filter".
> >
> > And surely the question is "What would produce the most help desk calls?".
> > Filtering something that is presumably working for its remaining users
> > might not be a good idea from that point of view.
> >
> > Brian

--
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Florian Grunow, Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================

On Fri, May 17, 2019 at 1:59 PM Enno Rey <erey@ernw.de> wrote:
>
> Hi,
>
> On Fri, May 17, 2019 at 01:45:56PM -0700, Kurt Buff - GSEC, GCIH wrote:
> > Forgive the intrusion, as I seek a bit of clarity.
> >
> > MSFT DirectAccess seems to use the address range in question:
> >
> > Tunnel adapter iphttpsinterface:
> >
> > Connection-specific DNS Suffix . :
> > IPv6 Address. . . . . . . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> > Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> > Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> > Link-local IPv6 Address . . . . . : fe80::75e4:c4b3:fae6:237c%2
> > Default Gateway . . . . . . . . . :
> >
> > It seems to me that filtering this range might hurt a bit, unless I'm
> > mistaking what some are proposing.
>
> not being an MS DirectAccess expert I'd say that - given DA is a VPN technology, using IP-HTTPS as a (somewhat proprietary) tunnel tech - these addresses shouldn't be visible too much "in the [public] IPv6 Internet" so the proposed filtering (of this thread) shouldn't come into play.
>
> cheers
>
> Enno

So, network filters aren't going to gratuitously inspect IPv4 packets
for IPv6 content.

Seems reasonable to me.

Thanks,

Kurt

> >
> > Kurt
> >
> > On Fri, May 17, 2019 at 1:06 PM Brian E Carpenter
> > <brian.e.carpenter@gmail.com> wrote:
> > >
> > > On 18-May-19 06:12, Gert Doering wrote:
> > > > Hi,
> > > >
> > > > On Fri, May 17, 2019 at 12:55:33PM -0500, David Farmer wrote:
> > > >> A few questions;
> > > >>
> > > >> Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined
> > > >> to 2002::/16?
> > > >> Are you generating ICMPv6 toward 2002::/16 source for traffic destined to
> > > >> non-2002::/16?
> > > >> For the later, where are you getting the route for 2002::/16 from?
> > > >
> > > > Indeed, as you said, filtering correctly (= ICMP unreachable, so clients
> > > > can fail over quickly [if HE is not in use]) is hard.
> > > >
> > > > We still run our own relay, so do not filter today. Mostly because I
> > > > know it works and (since it's our relay) I can rely on it to not break
> > > > things for people - and haven't had time to change that to "filter".
> > >
> > > And surely the question is "What would produce the most help desk calls?".
> > > Filtering something that is presumably working for its remaining users
> > > might not be a good idea from that point of view.
> > >
> > > Brian
>
> --
> Enno Rey
>
> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
>
> Handelsregister Mannheim: HRB 337135
> Geschaeftsfuehrer: Florian Grunow, Enno Rey
>
> =======================================================
> Blog: www.insinuator.net || Conference: www.troopers.de
> Twitter: @Enno_Insinuator
> =======================================================

Hi,

On Sat, May 18, 2019 at 08:06:00AM +1200, Brian E Carpenter wrote:
> And surely the question is "What would produce the most help desk calls?".
> Filtering something that is presumably working for its remaining users
> might not be a good idea from that point of view.

Oh, since those are not *my* users, it's not my helpdesk.

Which is, annoyingly enough, the grand problem with IPv6 anyway -
"someone messing up their v6" will inevitably cause helpdesk calls
*elsewhere*.

Like this beauty discovered by someone today:

$ host -t aaaa bayerwaldhof.de
bayerwaldhof.de has IPv6 address ::

... the helpdesk calls will happen on the dual-stacked ISP side,
not on the messed-up content side...

Those that stick to v4-only are usually spared any helpdesk calls.

*sigh*

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

On 18-May-19 09:07, Kurt Buff - GSEC, GCIH wrote:
> On Fri, May 17, 2019 at 1:59 PM Enno Rey <erey@ernw.de> wrote:
>>
>> Hi,
>>
>> On Fri, May 17, 2019 at 01:45:56PM -0700, Kurt Buff - GSEC, GCIH wrote:
>>> Forgive the intrusion, as I seek a bit of clarity.
>>>
>>> MSFT DirectAccess seems to use the address range in question:
>>>
>>> Tunnel adapter iphttpsinterface:
>>>
>>> Connection-specific DNS Suffix . :
>>> IPv6 Address. . . . . . . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
>>> Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
>>> Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
>>> Link-local IPv6 Address . . . . . : fe80::75e4:c4b3:fae6:237c%2
>>> Default Gateway . . . . . . . . . :
>>>
>>> It seems to me that filtering this range might hurt a bit, unless I'm
>>> mistaking what some are proposing.
>>
>> not being an MS DirectAccess expert I'd say that - given DA is a VPN technology, using IP-HTTPS as a (somewhat proprietary) tunnel tech - these addresses shouldn't be visible too much "in the [public] IPv6 Internet" so the proposed filtering (of this thread) shouldn't come into play.
>>
>> cheers
>>
>> Enno
>
> So, network filters aren't going to gratuitously inspect IPv4 packets
> for IPv6 content.

Let's hope not, but what possessed Microsoft to make them use the
2002::/16 prefix in this way is an interesting question in itself.
In 6to4 format, 4332:aaaa would imply a site IPv4 address of
67.50.170.170. And cccc:dddd:eeee:ffff doesn't look much like
a pseudo-random temporary interface identifier.

Maybe it's never a good idea to look underneath the hood of a VPN.

Brian
>
> Seems reasonable to me.
>
> Thanks,
>
> Kurt
>
>>>
>>> Kurt
>>>
>>> On Fri, May 17, 2019 at 1:06 PM Brian E Carpenter
>>> <brian.e.carpenter@gmail.com> wrote:
>>>>
>>>> On 18-May-19 06:12, Gert Doering wrote:
>>>>> Hi,
>>>>>
>>>>> On Fri, May 17, 2019 at 12:55:33PM -0500, David Farmer wrote:
>>>>>> A few questions;
>>>>>>
>>>>>> Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined
>>>>>> to 2002::/16?
>>>>>> Are you generating ICMPv6 toward 2002::/16 source for traffic destined to
>>>>>> non-2002::/16?
>>>>>> For the later, where are you getting the route for 2002::/16 from?
>>>>>
>>>>> Indeed, as you said, filtering correctly (= ICMP unreachable, so clients
>>>>> can fail over quickly [if HE is not in use]) is hard.
>>>>>
>>>>> We still run our own relay, so do not filter today. Mostly because I
>>>>> know it works and (since it's our relay) I can rely on it to not break
>>>>> things for people - and haven't had time to change that to "filter".
>>>>
>>>> And surely the question is "What would produce the most help desk calls?".
>>>> Filtering something that is presumably working for its remaining users
>>>> might not be a good idea from that point of view.
>>>>
>>>> Brian
>>
>> --
>> Enno Rey
>>
>> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
>> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
>>
>> Handelsregister Mannheim: HRB 337135
>> Geschaeftsfuehrer: Florian Grunow, Enno Rey
>>
>> =======================================================
>> Blog: www.insinuator.net || Conference: www.troopers.de
>> Twitter: @Enno_Insinuator
>> =======================================================
>

On Fri, May 17, 2019 at 3:54 PM Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:
>
> On 18-May-19 09:07, Kurt Buff - GSEC, GCIH wrote:
> > On Fri, May 17, 2019 at 1:59 PM Enno Rey <erey@ernw.de> wrote:
> >>
> >> Hi,
> >>
> >> On Fri, May 17, 2019 at 01:45:56PM -0700, Kurt Buff - GSEC, GCIH wrote:
> >>> Forgive the intrusion, as I seek a bit of clarity.
> >>>
> >>> MSFT DirectAccess seems to use the address range in question:
> >>>
> >>> Tunnel adapter iphttpsinterface:
> >>>
> >>> Connection-specific DNS Suffix . :
> >>> IPv6 Address. . . . . . . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> >>> Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> >>> Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> >>> Link-local IPv6 Address . . . . . : fe80::75e4:c4b3:fae6:237c%2
> >>> Default Gateway . . . . . . . . . :
> >>>
> >>> It seems to me that filtering this range might hurt a bit, unless I'm
> >>> mistaking what some are proposing.
> >>
> >> not being an MS DirectAccess expert I'd say that - given DA is a VPN technology, using IP-HTTPS as a (somewhat proprietary) tunnel tech - these addresses shouldn't be visible too much "in the [public] IPv6 Internet" so the proposed filtering (of this thread) shouldn't come into play.
> >>
> >> cheers
> >>
> >> Enno
> >
> > So, network filters aren't going to gratuitously inspect IPv4 packets
> > for IPv6 content.
>
> Let's hope not, but what possessed Microsoft to make them use the
> 2002::/16 prefix in this way is an interesting question in itself.
> In 6to4 format, 4332:aaaa would imply a site IPv4 address of
> 67.50.170.170. And cccc:dddd:eeee:ffff doesn't look much like
> a pseudo-random temporary interface identifier.
>
> Maybe it's never a good idea to look underneath the hood of a VPN.

LOL!

Obfuscation has its uses...

Kurt