Hurricane Electric's IPv6 Tunnel Broker Forums

Tunnelbroker.net Specific Topics => Questions & Answers => Topic started by: thoughtlite on September 09, 2015, 08:29:28 AM

Title: Traffic leakage? Seeing pings to addresses other than my own
Post by: thoughtlite on September 09, 2015, 08:29:28 AM
Hi!  I've been running HE tunnels on and off for years, and since my new ISP doesn't support IPv6, I'm back to using HE 24/7, with a /48 divided among a few networks.  No problems there.

Occasionally I'm seeing ICMPv6 pings on my firewall to destination addresses that aren't anywhere close to my /48 - one such is 2001:0470:0007:0c78:0000:0000:0000:0002 (with the source listed as 2001:0470:0007:0c78:0000:0000:0000:0001).  The IPv4 addresses are what I would expect; my IPv4 address for the destination, and 216.66.22.2 for the source.

It's blocked, so no big deal, but I'm wondering why this is happening, and whether it indicates some undesirable traffic leakage, spoofing, or someone possibly using an old, old address; don't remember if I ever had anything containing it, but I've had my current allocation for months.  Any ideas?

Title: Re: Traffic leakage? Seeing pings to addresses other than my own
Post by: evantkh on September 10, 2015, 08:32:56 AM
There is no encryption for 6in4. Packets can easily be injected.

However, the same public IP address should not be able to have more than one tunnel. I think you should email ipv6@he.net.

Title: Re: Traffic leakage? Seeing pings to addresses other than my own
Post by: kcochran on September 10, 2015, 10:29:22 AM
Uhm, did you just set up your /48 w/o the client-side IPv6 address?

Title: Re: Traffic leakage? Seeing pings to addresses other than my own
Post by: evantkh on September 12, 2015, 10:07:33 PM
Quote
Uhm, did you just set up your /48 w/o the client-side IPv6 address?

Does HE keep pinging the client IPv6 addresses?

Title: Re: Traffic leakage? Seeing pings to addresses other than my own
Post by: thoughtlite on September 25, 2015, 01:15:34 PM
Quote
Uhm, did you just set up your /48 w/o the client-side IPv6 address?

(Sorry it took so long to reply - I wasn't notified via email that there were any replies.)

Ahhh, at least in the case of the example I posted, it probably refers to the client and server endpoints of my tunnel.  I was just looking at the routed /64, which has a different number in the third hex group than the /64 used by the client and server tunnel endpoints, and had thought it wasn't my assigned /64.

One more question - does HE prefer replies to such pings?  I haven't sent them, at least after setting up the tunnel, but things work fine.

Title: Re: Traffic leakage? Seeing pings to addresses other than my own
Post by: snarked on October 07, 2015, 02:01:39 PM
Quote
Does HE keep pinging the client IPv6 addresses?
HE's keep-alive/tunnel-test pings go to the tunnel /64, not the client IP range.
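
Added example, not part of any post in this thread: a small classifier for decapsulated 6in4 packets that separates pings to the tunnel endpoint /64 from traffic to the routed prefixes or to foreign destinations, checking the outer IPv4 pair first because 6in4 carries no authentication. The tunnel /64 and 216.66.22.2 come from the first post; the client IPv4 address and the routed /64 and /48 are placeholder values from documentation ranges, and the function and label names are hypothetical.

```python
import ipaddress

# From the thread: tunnel endpoint addresses and HE's server IPv4.
TUNNEL_NET = ipaddress.ip_network("2001:470:7:c78::/64")
SERVER_V6 = ipaddress.ip_address("2001:470:7:c78::1")
CLIENT_V6 = ipaddress.ip_address("2001:470:7:c78::2")
SERVER_V4 = ipaddress.ip_address("216.66.22.2")
# Assumed placeholders from documentation ranges, not from the thread.
CLIENT_V4 = ipaddress.ip_address("192.0.2.10")
ROUTED = [ipaddress.ip_network("2001:db8:c78::/64"),
          ipaddress.ip_network("2001:db8:1234::/48")]


def classify(outer_src, outer_dst, inner_src, inner_dst):
    """Label one decapsulated 6in4 packet seen at the firewall."""
    o_src, o_dst = ipaddress.ip_address(outer_src), ipaddress.ip_address(outer_dst)
    i_src, i_dst = ipaddress.ip_address(inner_src), ipaddress.ip_address(inner_dst)
    # The outer IPv4 pair is the only thing binding a packet to the tunnel,
    # so anything not from the tunnel server is flagged before looking inside.
    if (o_src, o_dst) != (SERVER_V4, CLIENT_V4):
        return "unexpected-outer-endpoint"
    if i_dst == CLIENT_V6:
        # Server endpoint ::1 pinging client endpoint ::2 is the expected case.
        return "tunnel-endpoint-from-server" if i_src == SERVER_V6 else "tunnel-endpoint-other-source"
    if i_dst in TUNNEL_NET:
        return "tunnel-net-other-host"
    if any(i_dst in net for net in ROUTED):
        return "routed-prefix"
    return "foreign-destination"


# Constructed firewall entries: (outer src, outer dst, inner src, inner dst).
SAMPLE = [
    ("216.66.22.2", "192.0.2.10",
     "2001:0470:0007:0c78:0000:0000:0000:0001", "2001:0470:0007:0c78:0000:0000:0000:0002"),
    ("216.66.22.2", "192.0.2.10", "2001:db8:aaaa::5", "2001:db8:1234:5::9"),
    ("198.51.100.7", "192.0.2.10", "2001:470:7:c78::1", "2001:470:7:c78::2"),
    ("216.66.22.2", "192.0.2.10", "2001:db8:aaaa::5", "2001:db8:ffff::1"),
]


def label_all(entries=SAMPLE):
    return [classify(*e) for e in entries]


if __name__ == "__main__":
    for entry, label in zip(SAMPLE, label_all()):
        print(label, entry)
```
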
Title: Re: Traffic leakage? Seeing pings to addresses other than my own
Post by: DJX on October 09, 2015, 07:59:58 AM
I see this on my Tunnel as well.
https://forums.he.net/index.php?topic=3001.msg17664#msg17664

Title: Re: Traffic leakage? Seeing pings to addresses other than my own
Post by: kassniwqds on October 18, 2015, 08:24:31 PM
Quote
I see this on my Tunnel as well.
https://forums.he.net/index.php?topic=3001.msg17664#msg17664

It seems very helpful.