[ post by non-subscriber. with the massive amount of spam, it is easy to miss and therefore delete mis-posts. so fix subscription addresses! ] Jun-ichiro itojun Hagino wrote:
I have seens instances where this is a problem.
=> I think a extra rule is needed: The applications have to be IPv6 ready.
(see my comment on IPv4/IPv6 operation).
However, what to do when some services are IPv6 ready and some are not?
Example, there is a telnetd listening on v4 and v6, but popd only
listen on v4?
i don't think extra rule is needed. when multiple address (mixture of AAAA and A) are returned, client (like SMTP sender) should try to connect to all of them, just like when multiple A records are returned. so it is okay to have IPv4-only SMTP server running on top of IPv4/v6 dual stack node, and advertise both AAAA and A records. the client will try IPv6 connection, fails, and then try IPv4 connection.
How do you reconcile this with RFC3068 An Anycast Prefix for 6to4 Relay Routers ?why not? tunnel ingress box (= 6to4 relay router) should be located4.1. Ingress Filtering=> This only applies to configured tunnels, and CAN NOT be implemented
for automatic tunnels like 6to4 using relay routers.
I understand this is a sub-section of '4 Configured Tunneling'
but this somehow contradic the text in the security considerations.
at topologically-correct location.
I agree, this is a general problem. Tunnel decapsulators are basically acting6. Security Considerations=> This is not true for automatic tunneling (see above comment)
Tunneling is not known to introduce any security holes except for the
possibility to circumvent ingress filtering [13]. This is prevented
by requiring that decapsulating routers only forward packets if they
have been configured to accept encapsulated packets from the IPv4
source address in the receive packet.
I think that any kind of automatic tunneling mechanism
using open relays such a 6to4 creates serious risks in the Internet.
there also is another problem which applies to with configured tunnel as well. malicious party can inject IPv6-over-IPv4 packet to tunnel endpoint, to inject any IPv6 traffic to the Internet anonymously.