Re: IPv6 tunnel over NAT



At Fri, 27 Sep 2002 15:02:45 -0400, Keith Moore wrote:
> 
> > Yeah, well, I never really bought the RFC 3068 anycast relay router
> > model anyway, it's kludging around an IPv6 routing issue by turning it
> > into an IPv4 routing issue :).
> 
> granted that it doesn't change the issue to move it from v6 to v4,
> but what is the real problem you're concerned about?  

Many of the open packet relay problems (potential as DDoS reflectors,
potential for circumvention of ingress controls, etc -- and note that
this applies to all flavors of open packet relays, not just 6to4
relays) stem from treating the entire IPv4 internet as one giant link
layer network, making it impossible to apply the usual tools that we
use in the IPv4 universe (ingress control, fault isolation, etc) in
any useful way.

Now set the wayback machine to the days when we were still debating
the relative merits of giant bridged networks versus routers in IPv4.
Ring any bells?

In other words, we have divide-and-conquer techniques for dealing with
the problems that arise from excessively large link layer networks.
We're not using them at the moment because they'd require us to divide
the relevant portions of the IPv6 address space up into smaller
subnetworks and deploy routers, which would be unpleasant, but might
not be as unpleasant as living with various instantiations of the open
packet relay problem for the next decade.