• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

transit traffic filtered ?

Started by anubisg1, August 11, 2014, 05:32:23 AM

Previous topic - Next topic

anubisg1

Hello,

I'm doing some experimentation with LISP.

I joined the lisp beta network and i was assigned an IPv6 /48 subnet that i can use as LISP EID

Assuming no Proxy ETR is configured, when the router gets a negative reply from the lisp mapping server, my router will forward the ipv6 traffic natively without LISP encapsulation and therefore it will follow the regular routing table.

My routing table defines a Default route ::/0 out of the Tunnel configured with HE.

Now, the packets are sourced with an IPv6 address from the /48 pool i got assigned by cisco. This /48 subnet is NOT the one that HE assigned me. what it seems to happen, is that HE is blocking an traffic sourced from a subnet which is not theirs.

the traceroute shows me this:

root@raspberrypi /home/pi # traceroute6 2001:4860:4860::8888
traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
1  2610:d0:21bd:2:XXXX:XXXX:fe80:9e23 (2610:d0:21bd:2:XXXX:XXXX:fe80:9e23)  0.936 ms  0.600 ms  0.710 ms
2  2001:470:0:221::2 (2001:470:0:221::2)  181.069 ms  181.501 ms  182.073 ms
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *


Now, 2001:470:0:221::2 is an HE ip, but is not even my tunnel endpoint  (my end point on HE side would be 2001:470:6E:4AB::1 ) all my traffic seems to be black holed once it reaches HE.

Can you confirm my findings ? (that HE drops inbound traffic not sourced by a subnet allocated by HE itself) Is there any way to have this thing disabled?

Regards
Andrea

broquea

#1
Uh, yes, definitely filtered, as it should be. There is upstream Reverse Path Filtering in front of the tservs and on them to stop incorrectly sourced IPs outside the scope of the tunnel's address range from transiting the HE network. That shows it stopping at the tserv itself, as expected:

$ host 2001:470:0:221::2
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.2.2.0.0.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa domain name pointer tserv1.prg1.he.net.


A fix would be to have your own ASN and get a LOA from Cisco or whomever the range was allocated to initially, and set up a BGP tunnel.