This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] IPv6 ICMP - denied packets
- Previous message (by thread): [atlas] Paris-traceroute variations
- Next message (by thread): [atlas] IPv6 ICMP - denied packets
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Joachim Tingvold
joachim at tingvold.com
Mon Jun 23 23:01:36 CEST 2014
Hi, I recently installed a probe at home, and now my router spits out loads of 'denied icmpv6'-messages. After going through the logs for the last two days, I have ~1900 entries of denies towards the probe -- all of them more or less like this (with different source); ### Jun 22 2014 22:30:22.863 CEST: %IPV6_ACL-6-ACCESSLOGDP: list ipv6-inbound/2100 denied icmpv6 2A01:4F8:130:24A4::13:76 (Po1.102) -> {PROBE-IPV6-ADDRESS} (1/4), 8 packets ### I've got an ACL applied ingress on the link to my ISP, and the relevant part is shown below; ### ipv6 access-list ipv6-inbound sequence 2000 permit icmp any any echo-reply sequence 2005 permit icmp any any echo-request sequence 2010 permit icmp any any packet-too-big sequence 2015 permit icmp any any time-exceeded sequence 2020 permit icmp any any destination-unreachable sequence 2025 permit icmp any any parameter-problem sequence 2100 deny icmp any any log-input ### This ACL conforms to RFC4890[1] (except the Mobile IPv6 part). Of the 1900 entries, all of them are ICMPv6 type 1. ~300 of them have the code bit[2] set to 1, and ~1600 of them are set to 4. These are the top sources; ### 367 2001:500:2::C 313 2001:500:2D::D 289 2A01:4F8:130:24A4::13:76 289 2001:500:3::42 196 2A01:4F8:121:30A4::78:15 161 2001:DC3::35 100 2001:7FE::53 67 2001:7FD::1 60 2001:500:2F::F ### All of these are DNS root servers (except those starting with 2A01:4F8, which are some Atlas-thingies). It seems to me that the Atlas-probe sends quite some amount of ICMPv6-packets to the root DNS-servers (and even Atlas' own boxes), that are being returned with errors. Why does the probe do this, and does it actually rely on these replies? [1] <http://www.ietf.org/rfc/rfc4890.txt> [2] <http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xml#icmpv6-parameters-codes-2> -- Joachim -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: </ripe/mail/archives/ripe-atlas/attachments/20140623/f7164f4e/attachment.sig>
- Previous message (by thread): [atlas] Paris-traceroute variations
- Next message (by thread): [atlas] IPv6 ICMP - denied packets
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]