
Re: IPv6 tunnel over NAT



At Fri, 27 Sep 2002 17:06:04 -0700, Alain Durand wrote:
> 
> I think we are in violent agreement here.

Not sure.

The point I was trying to make was that, while the defenses that an
edge router has to deploy are annoying, they are a straightforward
extrapolation of what we already do for IPv4, and are based in large
part on topological information that happens to be one of the very few
things that the 6to4 edge router -can- trust.  In the common simple
case, the router's interfaces partition into two disjoint sets: "my
site" and "the rest of the world".  Unless the router is badly
configured or otherwise crippled, it knows which interfaces are in
which set, and can apply packet filtering rules as necessary when
decapsulating to keep itself from being used as a DDoS reflector or as
a circumvention tool to get around ingress filtering.  The packet
filtering rules are seriously ugly, but at the conceptual level this
is a small matter of programming.

The relay router, on the other hand, does not have any useful
topological information on which to make such decisions (to a first
approximation, everything a relay router sees is from "the rest of the
world").  So it needs to have kind of additional mechanism for
figuring out who's allowed to use it as a decapsulator.
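The decapsulation filter the message sketches, written out as an added example (not code from the original mail, and not any 6to4 implementation's rule set): the router knows only which of its interfaces face "my site" and which face "the rest of the world", and every rule below uses that plus the addresses carried in the packet itself. The site address 192.0.2.1 (hence the prefix 2002:c000:201::/48), the bogon list, the rule set and all sample traffic are assumptions constructed for the example; the rules are a simplified rendering of the usual consistency checks (embedded IPv4 must match the outer source, nothing from outside may claim an inside address, only decapsulate toward the site), not a complete or authoritative list.

```python
"""Simplified 6to4 edge-router decapsulation filter (illustrative, not a real implementation)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Constructed bogon list for the outer IPv4 source: RFC 1918, loopback, "this" net,
# link-local, multicast and class E.  A real router would use a maintained list.
V4_BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def sixto4_prefix(v4: ipaddress.IPv4Address) -> ipaddress.IPv6Network:
    """The /48 belonging to the 6to4 site whose public IPv4 address is v4 (2002:V4ADDR::/48)."""
    b = v4.packed
    return ipaddress.IPv6Network(f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}::/48")


def embedded_v4(v6: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address embedded in a 2002::/16 address, or None for a native IPv6 address."""
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])


@dataclass
class Encapsulated:
    """A protocol-41 packet as seen by the edge router before decapsulation."""
    iface: str                          # "site" or "world": the only topology the router trusts
    outer_src: ipaddress.IPv4Address
    outer_dst: ipaddress.IPv4Address
    inner_src: ipaddress.IPv6Address
    inner_dst: ipaddress.IPv6Address


def decapsulate(pkt: Encapsulated, site_v4: ipaddress.IPv4Address) -> Tuple[bool, str]:
    """Return (accept, reason).  Every rule uses only the interface set plus the
    addresses in the packet itself; nothing is learned from a third party."""
    mine = sixto4_prefix(site_v4)
    if pkt.iface != "world":
        return False, "protocol-41 arriving from the site side is not decapsulated here"
    if pkt.outer_dst != site_v4:
        return False, "outer destination is not this router"
    if pkt.outer_src == site_v4 or any(pkt.outer_src in n for n in V4_BOGONS):
        return False, "outer IPv4 source is a bogon or our own address"
    # Edge router, not relay: only decapsulate traffic addressed into my site.
    # Forwarding anything else back out would make us a reflector for the world.
    if pkt.inner_dst not in mine:
        return False, "inner destination is outside my site"
    # Anti-spoofing: nothing arriving from the world may claim a source inside my site.
    if pkt.inner_src in mine:
        return False, "inner source claims my own site from the outside"
    s = pkt.inner_src
    if s.is_multicast or s.is_link_local or s.is_loopback or s.is_unspecified:
        return False, "inner source is not a routable unicast address"
    emb = embedded_v4(s)
    if emb is not None and emb != pkt.outer_src:
        # A 6to4 source must have been encapsulated by the router whose address it embeds.
        return False, "6to4 inner source does not match the outer IPv4 source"
    if emb is None:
        # Native IPv6 source handed to us by some 6to4 relay: no topological check is
        # possible here, which is the relay-side problem the message describes.
        return True, "accepted: native IPv6 source via a relay, unverifiable"
    return True, "accepted: consistent 6to4 source"


def check(iface: str, outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
          site_v4: str = "192.0.2.1") -> Tuple[bool, str]:
    """String-argument convenience wrapper; 192.0.2.1 is a constructed site address."""
    pkt = Encapsulated(iface, ipaddress.IPv4Address(outer_src), ipaddress.IPv4Address(outer_dst),
                       ipaddress.IPv6Address(inner_src), ipaddress.IPv6Address(inner_dst))
    return decapsulate(pkt, ipaddress.IPv4Address(site_v4))


if __name__ == "__main__":
    # Constructed traffic: site 192.0.2.1 owns 2002:c000:201::/48.
    cases = [
        ("world", "198.51.100.7", "192.0.2.1", "2002:c633:6407::1", "2002:c000:201::10"),   # legit 6to4 peer
        ("world", "198.51.100.7", "192.0.2.1", "2002:c633:6407::1", "2002:cb00:7101::1"),   # reflector attempt
        ("world", "198.51.100.7", "192.0.2.1", "2002:c000:201::bad", "2002:c000:201::10"),  # spoofs my site
        ("world", "198.51.100.7", "192.0.2.1", "2002:cb00:7101::1", "2002:c000:201::10"),   # src/outer mismatch
        ("world", "192.88.99.1", "192.0.2.1", "2001:db8::1", "2002:c000:201::10"),          # native src via relay
        ("world", "10.0.0.9", "192.0.2.1", "2002:a00:9::1", "2002:c000:201::10"),           # bogon outer source
    ]
    for c in cases:
        print(c, "->", check(*c))
```

The last accept branch is the caveat worth noticing: a native IPv6 source that arrives through a relay carries the relay's IPv4 address on the outside, so the edge router can only verify that the packet is addressed into its own site, not who originated it. That is the gap the relay router has to close with some mechanism other than topology.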