[194590] in North American Network Operators' Group
Re: BCP for securing IPv6 Linux end node in AWS
daemon@ATHENA.MIT.EDU (JORDI PALET MARTINEZ)
Mon May 15 07:18:39 2017
X-Original-To: nanog@nanog.org
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: nanog@nanog.org
Date: Mon, 15 May 2017 13:18:29 +0200
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: nanog list <nanog@nanog.org>
In-Reply-To: <20170515105709.GA4589@gsp.org>
Reply-To: jordi.palet@consulintel.es
Errors-To: nanog-bounces@nanog.org
Just make sure that nothing breaks PTB as it happens if you don’t pay attention to ECMP.
RFC7690
1&1 in Germany has this issue since at least 18-24 months ago, so all their customers with IPv6 enabled are *broken* for anyone having a smaller MTU because of tunnels or the ISP technology, etc. They are aware of that, I told them for many months, but it is not yet fixed, so make sure you don’t use those data centers if you want to enable IPv6.
You can check this with any of their IPv6 enabled sites (thousands I guess), for example http://diskmakerx.com/
And a nice tool to check it:
https://nat64check.go6lab.si/
Regards,
Jordi

-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> on behalf of Rich Kulawiec <rsk@gsp.org>
Reply-To: <rsk@gsp.org>
Date: Monday, 15 May 2017, 12:57
To: nanog list <nanog@nanog.org>
Subject: Re: BCP for securing IPv6 Linux end node in AWS
On Sun, May 14, 2017 at 09:29:45AM -0400, Eric Germann wrote:
> I've reviewed some of the stuff out there, but apparently I'm
> catching too many of the ICMP types in the rejection as routing eventually
> breaks. My guess is router discovery gets broken by too tight of filters.

That's a good guess, but I would also guess that path MTU discovery
may be breaking. (Or not.) I think you may want to implement RFC 4890,
with a look at RFC 4443.

---rsk
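An added example, not part of the thread: ICMPv6 input filtering for a Linux end node that keeps Packet Too Big (type 2) and Neighbor Discovery working, along the lines of the RFC 4890 / RFC 4443 advice above. The chain name `ICMP6_IN`, the function name and the exact selection of types are assumptions of this example, to be checked against RFC 4890 section 4.4 for your deployment.

```shell
#!/bin/sh
# Added example (not from the thread). Type numbers come from RFC 4443,
# RFC 4861 and RFC 3810; the selection is this example's reading of RFC 4890.

# Print an ip6tables-restore fragment that defines the chain ICMP6_IN
# (hypothetical name). Nothing is applied by calling this function.
icmp6_rules() {
    echo '*filter'
    echo ':ICMP6_IN - [0:0]'
    # Error messages: 1 destination unreachable, 2 Packet Too Big (needed
    # for path MTU discovery), 3 time exceeded, 4 parameter problem.
    for t in 1 2 3 4; do
        echo "-A ICMP6_IN -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Echo request and echo reply.
    for t in 128 129; do
        echo "-A ICMP6_IN -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Neighbor Discovery (RS, RA, NS, NA): valid only with hop limit 255,
    # which means the packet was sent on-link and never forwarded.
    for t in 133 134 135 136; do
        echo "-A ICMP6_IN -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # MLD query, report, done and MLDv2 report, from link-local sources.
    for t in 130 131 132 143; do
        echo "-A ICMP6_IN -s fe80::/10 -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Every other ICMPv6 type is dropped.
    echo '-A ICMP6_IN -j DROP'
    echo 'COMMIT'
}

# "apply" loads the chain without flushing existing rules, then hooks it
# into INPUT once (-C tests whether the jump is already present).
if [ "${1:-}" = "apply" ]; then
    icmp6_rules | ip6tables-restore --noflush
    ip6tables -C INPUT -p ipv6-icmp -j ICMP6_IN 2>/dev/null ||
        ip6tables -I INPUT 1 -p ipv6-icmp -j ICMP6_IN
fi
```

Run without arguments the script changes nothing; with `apply` (as root) it installs the chain, after which `ip6tables -L ICMP6_IN -v -n` shows per-type counters that make dropped PTB traffic visible.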