This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[atlas] IPv6 ICMP - denied packets
Joachim Tingvold
joachim at tingvold.com
Mon Jun 23 23:01:36 CEST 2014
Hi,

I recently installed a probe at home, and now my router spits out loads of 'denied icmpv6'-messages. After going through the logs for the last two days, I have ~1900 entries of denies towards the probe -- all of them more or less like this (with different source);

###
Jun 22 2014 22:30:22.863 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2A01:4F8:130:24A4::13:76 (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/4), 8 packets
###

I've got an ACL applied ingress on the link to my ISP, and the relevant part is shown below;

###
ipv6 access-list ipv6-inbound
 sequence 2000 permit icmp any any echo-reply
 sequence 2005 permit icmp any any echo-request
 sequence 2010 permit icmp any any packet-too-big
 sequence 2015 permit icmp any any time-exceeded
 sequence 2020 permit icmp any any destination-unreachable
 sequence 2025 permit icmp any any parameter-problem
 sequence 2100 deny icmp any any log-input
###

This ACL conforms to RFC4890[1] (except the Mobile IPv6 part).

Of the 1900 entries, all of them are ICMPv6 type 1. ~300 of them have the code bit[2] set to 1, and ~1600 of them are set to 4.

These are the top sources;

###
367 2001:500:2::C
313 2001:500:2D::D
289 2A01:4F8:130:24A4::13:76
289 2001:500:3::42
196 2A01:4F8:121:30A4::78:15
161 2001:DC3::35
100 2001:7FE::53
 67 2001:7FD::1
 60 2001:500:2F::F
###

All of these are DNS root servers (except those starting with 2A01:4F8, which are some Atlas-thingies).

It seems to me that the Atlas-probe sends quite some amount of ICMPv6-packets to the root DNS-servers (and even Atlas' own boxes), that are being returned with errors. Why does the probe do this, and does it actually rely on these replies?

[1] <http://www.ietf.org/rfc/rfc4890.txt>
[2] <http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xml#icmpv6-parameters-codes-2>

--
Joachim
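One way to produce the per-source and per-type/code tallies described in the message directly from the router log, as an added example that is not part of the original post. The first sample line is the one quoted in the message; the other lines (including the 2001:DB8:: sources and the logged permit) are constructed, and the names `summarize` and `describe` are hypothetical.

```python
import re
from collections import Counter

# ICMPv6 type 1 (Destination Unreachable) codes, per the IANA registry cited as [2].
DEST_UNREACH_CODES = {
    0: "no route to destination",
    1: "communication with destination administratively prohibited",
    2: "beyond scope of source address",
    3: "address unreachable",
    4: "port unreachable",
    5: "source address failed ingress/egress policy",
    6: "reject route to destination",
}
# Layout of the %IPV6_ACL-6-ACCESSLOGDP line quoted in the message.
LOG_RE = re.compile(
    r"%IPV6_ACL-6-ACCESSLOGDP: list (?P<acl>\S+)/(?P<seq>\d+) "
    r"(?P<action>permitted|denied) icmpv6 (?P<src>\S+) \([^)]*\) -> "
    r"\S+ \((?P<type>\d+)/(?P<code>\d+)\), (?P<pkts>\d+) packets?")
# Line 1 is quoted from the message; lines 2-4 are constructed sample input.
PFX = "%IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/"
DST = "(Po1.102) -> {PROBE-IPV6-ADDRESS}"
SAMPLE = [
    f"Jun 22 2014 22:30:22.863 CEST: {PFX}2100 denied icmpv6 2A01:4F8:130:24A4::13:76 {DST} (1/4), 8 packets",
    f"Jun 22 2014 22:31:05.101 CEST: {PFX}2100 denied icmpv6 2001:DB8:A::1 {DST} (1/1), 1 packet",
    f"Jun 22 2014 22:35:22.870 CEST: {PFX}2100 denied icmpv6 2001:DB8:A::1 {DST} (1/4), 3 packets",
    f"Jun 22 2014 22:36:00.000 CEST: {PFX}2000 permitted icmpv6 2001:DB8:B::2 {DST} (129/0), 2 packets",
]

def summarize(lines):
    """Return (log entries per source, packets per (type, code)) for denies only."""
    entries, packets = Counter(), Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "denied":
            continue  # skip permits and unrelated syslog lines
        entries[m["src"].upper()] += 1
        packets[(int(m["type"]), int(m["code"]))] += int(m["pkts"])
    return entries, packets

def describe(icmp_type, code):
    if icmp_type != 1:
        return f"type {icmp_type} code {code}: not destination-unreachable"
    return f"type 1 code {code}: {DEST_UNREACH_CODES.get(code, 'unassigned code')}"

if __name__ == "__main__":
    entries, packets = summarize(SAMPLE)
    for src, n in entries.most_common():
        print(f"{n:4d} {src}")
    for (t, c), n in packets.most_common():
        print(f"{n:4d} packets, {describe(t, c)}")
```
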