
Re: 6to4 relays [Re: WG Review: IPv6 Operations (v6ops)]



"Fred L. Templin" wrote:
> 
> > I use 6to4 on hosts every day, so I don't consider it hammering.
> >
> > But 6to4 was primarily intended for routers.  That it happens
> > to work on some hosts is a happy side-benefit, not the design goal.
> >
> > Keith
> 
> If you want to run 6to4 on a host that happens to have a global IPv4 address
> and can accept 'ip-proto-41' w/o creating a security risk, then that is fine.
> But (and you seem to recognize this), if one wants to postulate a "generalized
> host-based 6to4" mechanism, that is a different matter and one that is not
> covered by any existing RFCs.
> 
> To realize a "generalized host-based 6to4", one would need to incorporate the
> NAT traversal mechanisms first pioneered by TEREDO and the two-stage (end-to-edge;
> edge-to-internet) tunneling mechanism first pioneered by ISATAP. But, then this
> becomes more than just vanilla 6to4 and represents a unified transition mechanism
> that incorporates elements proven by earlier works in various degrees. Finally,
> a truly generalized mechanism would work behind a corporate firewall w/o requiring
> any per-host firewall filter configurations and w/o exposing the site to outside
> attackers. It's not clear to me whether a solution for this exists - but, it
> would be pretty interesting if one could be identified!

If you are really stuck behind a NAT you have no choice but to try some 
Teredo-like trick, and one Teredo in the world is enough. But trying to 
support enterprise scenarios where neither the ISP, nor the corporate IS 
people, are willing to support IPv6, *and* there is a NAT in the way, is 
just not worth considering IMHO. Too complicated, too many failure modes.

   Brian
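As an added illustration of the point in the thread about accepting 'ip-proto-41' on a host without creating a security risk (this is not code from the thread or from any implementation), the following derives the 2002:V4ADDR::/48 prefix RFC 3056 assigns to a global IPv4 address and applies the ingress checks a host should make before decapsulating a proto-41 packet. Function names and the sample addresses are constructed for the example.

```python
import ipaddress

# RFC 3056 reserves 2002::/16; the IPv4 address sits in bits 16..47 of the IPv6 address.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# IPv4 space that can never be a valid 6to4 V4ADDR (private, loopback, link-local,
# multicast, "this" network, reserved). Minimum list; a real filter should also
# drop any other range it knows to be non-global.
NOT_USABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def usable_v4(v4):
    """True if the IPv4 address may legitimately be embedded in a 6to4 prefix."""
    a = ipaddress.IPv4Address(str(v4))
    return not any(a in n for n in NOT_USABLE)

def six_to_four_prefix(v4):
    """Derive 2002:V4ADDR::/48 for a global IPv4 address; refuse NAT/private space."""
    if not usable_v4(v4):
        raise ValueError(f"{v4} is not usable as a 6to4 V4ADDR (behind NAT or private)")
    v4_int = int(ipaddress.IPv4Address(str(v4)))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))

def embedded_v4(v6):
    """Return the IPv4 address embedded in a 6to4 address, or None if it is native IPv6."""
    a = ipaddress.IPv6Address(v6)
    if a not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)

def accept_proto41(outer_src, outer_dst, inner_src, inner_dst, my_v4, relays=()):
    """Decide whether this host should decapsulate a received IPv4 protocol-41 packet.

    Checks (in the spirit of RFC 3056 section 5.3): the packet is addressed to us, the
    inner destination lies in our own 2002:V4ADDR::/48, and a 6to4 inner source embeds
    exactly the outer IPv4 source, which must itself be usable. A native IPv6 inner
    source is accepted only when the outer source is a configured relay router.
    Returns (accepted, reason)."""
    if outer_dst != my_v4:
        return False, "outer destination is not this host"
    if ipaddress.IPv6Address(inner_dst) not in six_to_four_prefix(my_v4):
        return False, "inner destination is outside our 6to4 /48"
    v4 = embedded_v4(inner_src)
    if v4 is None:
        if outer_src in relays:
            return True, "native IPv6 source via a configured relay"
        return False, "native IPv6 source from an unknown relay"
    if str(v4) != outer_src:
        return False, f"embedded {v4} does not match outer source {outer_src}"
    if not usable_v4(v4):
        return False, f"embedded {v4} is not a usable global address"
    return True, "6to4 source consistent with outer header"
```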