• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

Plea for the HE staff

Started by vobelic, October 24, 2010, 07:54:42 PM

Previous topic - Next topic

mnalis

#15
Quote from: snarked on October 27, 2010, 10:51:21 AM
Well, then it's not your traceroute source but "carnet.hr" which is blocking ICMP on your sample traceroute.  

Just to clarify,  it is not "carnet.hr" that is doing the blocking. 161.53.129.187 is owned by "Institut Rudjer Boskovic", which is a member of CARNet.

CARNet is Croatian NREN (National Research & Education Network) which among other things provides Internet connectivity and other services to its members. CARNet not only does not block ICMP to its members, it also has working IPv6 setup since 2004. [1], and have been providing it to any interested member institutions (and is currently working on pushing it to home users).

So ICMP blocking is probably happening at "Institut Rudjer Boskovic" border routers. One would need to contact IRB network admins, and persuade them to either remove ICMP echo request blocking and/or request native IPv6 from CARNet; or the user should get some other way than tunnelbroker.net to get IPv6 connectivity (sixxs.net should work with its AYIYA tunnels, or Teredo might work [2] is SIXXS is too troublesome)

[1] see http://ipv6.carnet.hr/obavijesti/index.html (Croatian only, sorry)
[2] on Debian Lenny for example, it is as simple as "apt-get install miredo", and violla, you've got IPv6 connectivity.

vobelic

Heh you did your research :)

Yes I was just simplifying by not mentioning IRB.

Right try you to pursuade them to enable IPv6...
They are even trying to put existing hosts behind NAT and one public IP to make the network more "secure" ...


lukec

Suggest, also that they consider carefully the impact if, when they get there, blocking ICMP in the v6 world ans doing that will have significant impact on a fully functional IPv6 Network...
Regards
lukec

snarked

If IMB wants to block ICMP echo into their machines, they may do so.  However, they shouldn't block anything that merely transits their router without entering their network.  You need to talk to them about this.

mnalis

Quote from: snarked on November 03, 2010, 11:07:44 AM
If IMB wants to block ICMP echo into their machines, they may do so.  However, they shouldn't block anything that merely transits their router without entering their network.  You need to talk to them about this.

IRB (not IMB) is in fact final "customer" -  they are leaf network, and they are blocking icmp echo entering their network.
They are not transit network, and hence they don't block anything that "merely transits their router without entering their network" -- ALL traffic that transits their router are either exiting or entering their network.

CARNet is the one in the role of ISP -- having both traffic entering the CARNet network, as well as lots of traffic which is just passing through their routers from some other source to some other destination - but they do not block anything here...

So yes, IRB is quite allowed to block ICMP echo requests to their network if that's their policy, although it makes problems for its users  :(

snarked

Then your choice is to move to another provider.  It's that simple.

mnalis

Quote from: snarked on November 04, 2010, 12:11:23 PM
Then your choice is to move to another provider.  It's that simple.

Well, it's not my choice, but Vobelics (I just jumped in the discussion with some clarifications). And as it is not (as established above) providers (Internet Service Provider is CARNet) fault, moving to another provider (ISP) is not going to help at all (as it seems you imply). Because, whichever ISP the the IRB chooses, their (IRBs) policy stays the same, and they would still drop incoming ICMP echo request packets (as it is IRBs policy, and not of their ISP, which is CARNet).

Now the issue is simple1 as you say, but not in a way you mention -- Vobelic could try:


  • to talk to IRB network admins to remove that "ICMP Echo unwanted" policy or to request native IPv6 from CARNet (which provides it free of charge to all it's members). Pestering for native IPv6 is probably the best choice, if somewhat time consuming and of uncertain outcome -- but also of biggest reward.
  • he could try to persuade HE.net staff to remove "ICMP Echo request" requirement if using "AUTO" script (which he did try and got refused)
  • he could use some other IPv6 tunnel provider which does not require ICMP Echo, like sixxs.net AYIYA tunnels (probably the easiest way out)
  • he could leave IRB (probably his place of employment I'd guess) for some other company
  • he could give up on IPv6 for the time being

Ok, that last one is unacceptable, and he might even argue that next-to-last is also somewhat extreme  ;)

Footnotes:
1 definition of simple: "anything that one does not have to do himself/herself". Or, as we'd  say in Croatian "lako je tuđim kurcem po koprivama mlatiti"