nanog mailing list archives

Re: Usage of Teredo and IPv6 for P2P on Windows 10 and Xbox One


From: Mark Andrews <marka () isc org>
Date: Tue, 19 May 2015 08:25:53 +1000


In message <20150518180445.GB15755 () puck nether net>, Jared Mauch writes:
> On Mon, May 18, 2015 at 04:57:59PM +0000, Darrin Veit wrote:
>
> > Also, some networking hardware and operators apply firewall policy to
> > the IPv6 path contrary to RFC 6092 recommendations. Of particular concern
> > are configurations where unsolicited inbound IKE/IPsec traffic is not
> > permitted in the default operating mode. Growth of these non-conformant
> > configurations puts the P2P benefit of the next generation Internet in
> > jeopardy. It would be incredibly regrettable if IPv6 necessitated the
> > high level of configuration and inefficiency currently required for IPv4.

> Many self-appointed IT experts have shot themselves in the foot
> in this regard.  After 5+ years of trying to get sensible pMTU working
> inside an organization, or get IPv6 there, people need to undertake other
> methods to address these shortcomings.  Stateful inspection devices
> (or packet eaters as I call them) improperly generate spurious warnings
> when they are presented with data they don't understand or expect.

And they also eat DNS packets with "unexpected" DNS opcodes.
They eat DNS packets with EDNS version != 0.
They eat DNS packets with an EDNS flag set that is not DO.
They eat DNS packets with EDNS options (less so than EDNS version != 0
or EDNS flag).

Different != bad.  Different != malformed.  Different should not equal drop. 

Nameservers return NOTIMP (RFC 103[45]), BADVERS or ignore and ignore
(RFC 6891) respectively.  There are no valid reasons to stop any
of these extensions getting through to the nameserver as they handle
them.  25 years ago blocking these may have been "reasonable" as
some implementations were not up to scratch but we are not in the
1990s anymore.  Nameservers have been attacked for 25 years.  They
have been hardened over that period.

All dropping so-called "bad" DNS packets does is make it harder
to deploy extensions.  It doesn't save the nameserver.  It doesn't
"protect" the nameserver.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
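
The four "unexpected but legal" DNS packets Mark lists (unusual opcode, EDNS version != 0, an EDNS flag other than DO, an unknown EDNS option) can be turned into a small middlebox test. The script below is an added example, not code from the thread or from ISC: it builds each probe on the wire with only the Python standard library, sends it over UDP if you give it a server, and classifies the reply by the (extended) RCODE so that a compliant nameserver (NOTIMP per RFC 1035, BADVERS per RFC 6891, or NOERROR where the extension must be ignored) can be told apart from a "packet eater" that drops or rewrites the packet. The probe names, the query name example.com., option code 65001 (from the experimental/local range) and the fake_response() helper used for offline demonstration are this example's own assumptions.

```python
"""Added example: probe for middleboxes that eat legal-but-unusual DNS packets.
Probe names, example.com., option code 65001 and fake_response() are
assumptions of this example, not taken from the message above."""
import socket
import struct

OPT = 41                      # EDNS0 pseudo-RR type (RFC 6891)
DO = 0x8000                   # the only assigned EDNS flag bit
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 4: "NOTIMP",
               5: "REFUSED", 16: "BADVERS"}


def encode_name(qname):
    labels = [l.encode() for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname, qtype=1, opcode=0, edns=True, edns_version=0,
                edns_flags=DO, options=b"", txid=0x1234):
    """Wire-format query; opcode and EDNS fields are deliberately parameters."""
    flags = (opcode << 11) | 0x0100                      # QR=0, RD=1
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-RCODE(8) | VERSION(8) | FLAGS(16), RDATA = options
        msg += b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, edns_version,
                                     edns_flags, len(options)) + options
    return msg


# Each probe is legal on the wire; the second element is what RFC 1035/6891
# say a compliant nameserver returns. Anything else, or silence, is the
# middlebox talking, not the nameserver.
PROBES = {
    "opcode15":       (dict(edns=False, opcode=15), "NOTIMP"),
    "edns_version1":  (dict(edns_version=1), "BADVERS"),
    "edns_mbz_flag":  (dict(edns_flags=DO | 0x0040), "NOERROR"),  # Z bit: ignored
    "edns_opt_65001": (dict(options=struct.pack("!HH", 65001, 0)), "NOERROR"),
}


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n


def classify(query, response):
    """Name of the extended RCODE the server sent, or DROPPED / INVALID."""
    if response is None:
        return "DROPPED"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "INVALID"              # not a reply to our probe
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = skip_name(response, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(response, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4   # upper 8 bits of RCODE live in OPT TTL
        off += 10 + rdlen
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def verdict(name, response):
    """(observed RCODE name, True if it matches what a nameserver should say)."""
    params, expected = PROBES[name]
    got = classify(build_query("example.com.", **params), response)
    return got, got == expected


def run_probe(server, name, timeout=2.0, port=53):
    """Send one probe over UDP (needs network; the offline demo does not use it)."""
    params, _ = PROBES[name]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query("example.com.", **params), (server, port))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def fake_response(query, rcode):
    """Constructed reply for offline demonstration only: echoes the question,
    keeps the opcode, mirrors the query's OPT and carries rcode (header + ext)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4
    hdr = 0x8000 | (flags & 0x7800) | (rcode & 0xF)
    out = struct.pack("!HHHHHH", txid, hdr, 1, 0, 0, ar) + query[12:qend]
    if ar:
        out += b"\x00" + struct.pack("!HHBBHH", OPT, 4096, rcode >> 4, 0, 0, 0)
    return out


if __name__ == "__main__":
    import sys
    for name in PROBES:                 # usage: python probe.py 192.0.2.53
        print(name, verdict(name, run_probe(sys.argv[1], name)))
```

A DROPPED verdict on edns_version1 while a plain query to the same server works is the signature Mark describes: the nameserver would have answered BADVERS, so something in the path ate the packet. A REFUSED or FORMERR where NOERROR was expected usually means the middlebox rewrote or "fixed" the probe rather than dropping it.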

