Forgive the intrusion, as I seek a bit of clarity. MSFT DirectAccess seems to use the address range in question:
Tunnel adapter iphttpsinterface: Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff Link-local IPv6 Address . . . . . : fe80::75e4:c4b3:fae6:237c%2 Default Gateway . . . . . . . . . : It seems to me that filtering this range might hurt a bit, unless I'm mistaking what some are proposing. Kurt On Fri, May 17, 2019 at 1:06 PM Brian E Carpenter <[email protected]> wrote: > > On 18-May-19 06:12, Gert Doering wrote: > > Hi, > > > > On Fri, May 17, 2019 at 12:55:33PM -0500, David Farmer wrote: > >> A few questions; > >> > >> Are you generating ICMPv6 toward non-2002::/16 sources for traffic destined > >> to 2002::/16? > >> Are you generating ICMPv6 toward 2002::/16 source for traffic destined to > >> non-2002::/16? > >> For the later, where are you getting the route for 2002::/16 from? > > > > Indeed, as you said, filtering correctly (= ICMP unreachable, so clients > > can fail over quickly [if HE is not in use]) is hard. > > > > We still run our own relay, so do not filter today. Mostly because I > > know it works and (since it's our relay) I can rely on it to not break > > things for people - and haven't had time to change that to "filter". > > And surely the question is "What would produce the most help desk calls?". > Filtering something that is presumably working for its remaining users > might not be a good idea from that point of view. > > Brian
