[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 6to4 using ::FFFF:0000:0000/96

To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: 6to4 using ::FFFF:0000:0000/96
From: Kevin Day <toasty@dragondata.com>
Date: Sun, 27 Jan 2008 22:45:50 -0600
Cc: v6ops <v6ops@ops.ietf.org>
In-reply-to: <479D51EB.5050707@gmail.com>
References: <1960684A-584F-4754-A122-0940BC61DDC0@dragondata.com> <67099930801231003l648d3200k7c86be48d35b21ef@mail.gmail.com> <479CD34E.7010403@free.fr> <A3B8A0B7-7E54-4A88-8C07-29DD2CBE727E@dragondata.com> <479CF498.4090702@gmail.com> <88AA9D9F-603D-428A-8C05-1A41D56DFE80@dragondata.com> <479D51EB.5050707@gmail.com>


On Jan 27, 2008, at 9:54 PM, Brian E Carpenter wrote:

I think there are two other options for the relay.

3) Forward the packet to your local friendly NAT-PT box.
This is really a version of #2 - in fact it's the only
case I can think of where #2 would be useful. Of course,
most people don't have a local friendly NAT-PT.

That might be a little tough for those of us running public anycastrelays to pull off, but perhaps locally sure. :)

I will say that this seems to be impossible for someone running arelay on any of the BSDs(Free/Net/Open/Dragonfly), or OS X. They willnot accept or route any mapped(::FFFF:0:0/96) addresses at any time,so it's not possible without removing some code from in_input.c toeven forward packets to a NAT-PT box.

However, I think this is a bit dangerous to allow by default forforwarding. It's not too hard to imagine cases where networks areusing tunnels to gain v6 connectivity, and don't have their firewallsor other security set up to handle v4 packets being injected intotheir network from their tunnel box.

All this said, I'm seeing even more "unusual" traffic on our 6to4relay that's outside mapped addresses showing up... In the past fewdays of watching, I've seen 6to4 clients try sending to the 6to4 relaypackets with destination addresses in:


Unicast:

Link Local (FE80::)
Site Local (FEC0::)
v4 compatibility (::/96)
v4 mapped (::FFFF:0:0/96)
All zeros (::)
Loopback (::1)

Obviously invalid addresses (BBBB:BBBB:BBBB:BBBB:BBBB:BBBB:BBBB:BBBB,etc)


Multicast:

Unknown multicast (FF00::)
Node Local (FF01::)
Link Local (FF02::)
Site Local (FF05::)

I've been trying to trace the source of as many of these as ispossible, but with the pretty anonymous nature of 6to4 it's a littledifficult. Before I expend too much energy on this:


1) Has anyone already done this digging before?

2) Is it of interest to anyone other than myself? :)

For right now, the default action of our relay is to drop all ofthese, but I'm mostly interested in what the clients are trying toaccomplish with traffic like this, and what (if anything) is breakingas a result of it.


-- Kevin

Follow-Ups:
- Re: 6to4 using ::FFFF:0000:0000/96
  - From: Florian Weimer <fw@deneb.enyo.de>

References:
- 6to4 using ::FFFF:0000:0000/96 (mail.comcast.net AAAA record weirdness)
  - From: Kevin Day <toasty@dragondata.com>
- Re: 6to4 using ::FFFF:0000:0000/96 (mail.comcast.net AAAA record weirdness)
  - From: "Erik Kline" <ekline@ekline.com>
- Re: 6to4 using ::FFFF:0000:0000/96 (mail.comcast.net AAAA record weirdness)
  - From: Kevin Day <toasty@dragondata.com>
- Re: 6to4 using ::FFFF:0000:0000/96 (mail.comcast.net AAAA record weirdness)
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: 6to4 using ::FFFF:0000:0000/96 (mail.comcast.net AAAA record weirdness)
  - From: Kevin Day <toasty@dragondata.com>
- Re: 6to4 using ::FFFF:0000:0000/96 (mail.comcast.net AAAA record weirdness)
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>

Prev by Date: Re: 6to4 using ::FFFF:0000:0000/96 (mail.comcast.net AAAA record weirdness)
Next by Date: I-D Action:draft-ietf-v6ops-addr-select-ps-03.txt
Previous by thread: Re: 6to4 using ::FFFF:0000:0000/96 (mail.comcast.net AAAA record weirdness)
Next by thread: Re: 6to4 using ::FFFF:0000:0000/96
Index(es):
- Date
- Thread