
Re: IPv6 tunnel over NAT

Rob Austein wrote:

When traffic is coming into the relay routers from the v6 side, the
relay router is the encapsulator, and has nothing to worry about
(assuming that proper ingress filtering was done elsewhere in the v6
net, etcetera, but that's an understood problem, nothing new there).
In this case it's the receiving 6to4 site router that's the
decapsulator and has the worries, but, as I've mentioned in other
postings, I think the problems for the 6to4 site router are much less
severe because such a router can make reasonably sane decisions based
on physical network topology (eg: "if it came in via an external
interface, it does not go out again on an external interface,
period").

No. The 6to4 router has a serious problem in that space.

IPv6 routing using 6to4 relays is asymmetric: a 6to4 router may
choose which relay it sends its traffic to for native v6, but has
absolutely no control over where the packets will come back from.

So the decapsulating 6to4 router has no way to know if incoming
packets are coming from a real relay or if it is spoofed traffic.

   - Alain.