• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Traffic leakage? Seeing pings to addresses other than my own

Started by thoughtlite, September 09, 2015, 08:29:28 AM


thoughtlite

Hi!  I've been running HE tunnels on and off for years, and since my new ISP doesn't support IPv6, I'm back to using HE 24/7, with a /48 divided among a few networks.  No problems there.

Occasionally I'm seeing ICMPv6 pings on my firewall to destination addresses that aren't anywhere close to my /48 - one such is 2001:0470:0007:0c78:0000:0000:0000:0002 (with the source listed as 2001:0470:0007:0c78:0000:0000:0000:0001).  The IPv4 addresses are what I would expect; my IPv4 address for the destination, and 216.66.22.2 for the source.

It's blocked, so no big deal, but I'm wondering why this is happening, and whether it indicates some undesirable traffic leakage, spoofing, or someone possibly using an old, old address; don't remember if I ever had anything containing it, but I've had my current allocation for months.  Any ideas?


evantkh

There is no encryption for 6in4. Packets can easily be injected.

However, the same public IP address should not be able to have more than one tunnel. I think you should email ipv6@he.net.

kcochran

Uhm, did you just set up your /48 w/o the client-side IPv6 address?

evantkh

Quote from: kcochran on September 10, 2015, 10:29:22 AM
Uhm, did you just set up your /48 w/o the client-side IPv6 address?

Does HE keep pinging the client IPv6 addresses?

thoughtlite

Quote from: kcochran on September 10, 2015, 10:29:22 AM
Uhm, did you just set up your /48 w/o the client-side IPv6 address?

(Sorry it took so long to reply - I wasn't notified via email that there were any replies.)

Ahhh, at least in the case of the example I posted, it probably refers to the client and server endpoints of my tunnel.  I was just looking at the routed /64, which has a different number in the third hex group than the /64 used by the client and server tunnel endpoints, and had thought it wasn't my assigned /64.

One more question - does HE prefer replies to such pings?  I haven't sent them, at least after setting up the tunnel, but things work fine.

snarked

Quote: Does HE keep pinging the client IPv6 addresses?
HE's keep-alive/tunnel-test pings go to the tunnel /64, not the client IP range.
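
An added example, not part of any post in this thread: a small Python classifier for raw protocol-41 packets that separates the tunnel-endpoint pings discussed above from traffic whose outer IPv4 source is not the tunnel server. The function names, the client IPv4 address 192.0.2.10 and the 2001:db8:: addresses are constructed placeholders; the other addresses are the ones quoted in the first post.

```python
import ipaddress
import struct

# Addresses quoted in the thread (compressed form).
TUNNEL_SERVER_V4 = ipaddress.ip_address("216.66.22.2")
SERVER_V6 = ipaddress.ip_address("2001:470:7:c78::1")
CLIENT_V6 = ipaddress.ip_address("2001:470:7:c78::2")
TUNNEL_NET = ipaddress.ip_network("2001:470:7:c78::/64")

def classify_6in4(packet: bytes) -> str:
    """Classify one raw IPv4 packet captured on the WAN interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 41:                    # IPv4 protocol 41 carries 6in4
        return "not-6in4"
    outer_src = ipaddress.ip_address(packet[12:16])
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "malformed-inner"
    src = ipaddress.ip_address(inner[8:24])
    dst = ipaddress.ip_address(inner[24:40])
    # Next header 58 = ICMPv6, type 128 = echo request.
    is_echo = inner[6] == 58 and len(inner) > 40 and inner[40] == 128
    # 6in4 is unauthenticated: this is a filter, not proof of origin.
    if outer_src != TUNNEL_SERVER_V4:
        return "unexpected-outer-source"
    if is_echo and src == SERVER_V6 and dst == CLIENT_V6:
        return "tunnel-endpoint-ping"
    if src in TUNNEL_NET or dst in TUNNEL_NET:
        return "tunnel-net-other"
    return "routed-traffic"

def build_sample(outer_src: str, src6: str, dst6: str) -> bytes:
    """Build a constructed 6in4 echo request (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
    v6 = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 64)
    v6 += ipaddress.ip_address(src6).packed + ipaddress.ip_address(dst6).packed
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6) + len(icmp), 0, 0,
                     64, 41, 0, ipaddress.ip_address(outer_src).packed,
                     ipaddress.ip_address("192.0.2.10").packed)  # placeholder
    return v4 + v6 + icmp

if __name__ == "__main__":
    for outer, s6, d6 in [
        ("216.66.22.2", "2001:470:7:c78::1", "2001:470:7:c78::2"),
        ("198.51.100.7", "2001:470:7:c78::1", "2001:470:7:c78::2"),
        ("216.66.22.2", "2001:db8:1::5", "2001:db8:48::10"),
    ]:
        print(outer, s6, "->", d6, classify_6in4(build_sample(outer, s6, d6)))
```
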

