Hi, On 20.8.2012 21:09, Andrew McCauley wrote:
> I am seeing a large number of error messages in my /var/log/messages related to IPV6 networks being unreachable. E.g. (dump from logwatch):
>
> sendto(2002:a00:2:e472:219:9dff:fe44:2458) (fd=18): Network is unreachable: 216 time(s)
> sendto(2002:c0a8:f02:1234:219:9dff:fe37:2031) (fd=18): Network is unreachable: 56 time(s)
> sendto(2002:a01:aaf:1234:219:9dff:fe3c:c6fc) (fd=18): Network is unreachable: 82 time(s)
Those addresses and all the rest in your log sample are 6to4 mapped ipv4-addresses. The mapped addresses are all rfc 1918 private addresses, for example the one starting with 2002:a00:2 is 10.0.0.2, 2002:c0a8:f02 is 192.168.15.2 and 2002:a01:aaf is 10.1.10.175. So there's no way for your ntp reply packets to be routed back to their destination, if the packets didn't originate within your organization / within the organization of the closest 6to4 gateway -> network unreachable.
Normally rfc 1918 6to4 mapped addresses should not be seen in the global ipv6 world, so you might want to filter them away before they reach your server. Just like they are dropped in the ipv4 world as well.
> Is this a case of someone spoofing ipv6 UDP NTP packets? Are others seeing this?
My guess is the packets are leaking to the global internet due to misconfiguration rather than malice. Anyway there's very little chance reply packets make it back to the originators.
I'm not seeing network unreachables on my ipv6 ntp pool servers, but that could very well be due to rfc 1918 (mapped) addresses being filtered earlier in the network, before the packets reach my ntp servers.
Tapio

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
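The 6to4 decoding and RFC 1918 check that the reply above does by hand, as an added Python example (not code from the thread or from the NTP pool project); the log text inside it is a constructed sample modelled on the quoted logwatch lines, and the function names are assumptions of mine. It also derives the 6to4 prefixes that map the three RFC 1918 ranges, which is what an upstream filter would drop.

```python
import ipaddress
import re

# Constructed sample modelled on the logwatch lines quoted in the thread.
SAMPLE_LOG = """\
sendto(2002:a00:2:e472:219:9dff:fe44:2458) (fd=18): Network is unreachable: 216 time(s)
sendto(2002:c0a8:f02:1234:219:9dff:fe37:2031) (fd=18): Network is unreachable: 56 time(s)
sendto(2002:a01:aaf:1234:219:9dff:fe3c:c6fc) (fd=18): Network is unreachable: 82 time(s)
sendto(2001:db8::1) (fd=18): Network is unreachable: 3 time(s)
"""

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056 6to4 prefix
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"sendto\(([0-9a-fA-F:.]+)\)")


def embedded_ipv4(addr):
    """IPv4 address carried in bits 16..47 of a 6to4 address, or None if addr is not 6to4."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIX_TO_FOUR:
        return None
    # Shift the 128-bit value down past the 80 trailing bits, keep the 32 bits after the 2002 prefix.
    return ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)


def classify(addr):
    """'rfc1918-6to4', 'public-6to4' or 'native' for one IPv6 address."""
    v4 = embedded_ipv4(addr)
    if v4 is None:
        return "native"
    return "rfc1918-6to4" if any(v4 in n for n in RFC1918) else "public-6to4"


def scan_log(text):
    """Return (ipv6, embedded_ipv4_or_None, verdict) for every sendto() line in the log text."""
    out = []
    for m in LINE_RE.finditer(text):
        v6 = m.group(1)
        v4 = embedded_ipv4(v6)
        out.append((v6, str(v4) if v4 is not None else None, classify(v6)))
    return out


def rfc1918_6to4_prefixes():
    """6to4 prefixes that map the RFC 1918 ranges: what a filter upstream of ntpd would drop."""
    return [ipaddress.IPv6Network(((0x2002 << 112) | (int(n.network_address) << 80),
                                   16 + n.prefixlen)) for n in RFC1918]


if __name__ == "__main__":
    for v6, v4, verdict in scan_log(SAMPLE_LOG):
        print(f"{v6:<40} -> {v4 or '-':<14} {verdict}")
    print("drop:", ", ".join(str(n) for n in rfc1918_6to4_prefixes()))
```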
