[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 tunnel over NAT

To: Rob Austein <sra+v6ops@hactrn.net>
Subject: Re: IPv6 tunnel over NAT
From: Randy Bush <randy@psg.com>
Date: Sat, 28 Sep 2002 05:12:24 -0700
Cc: v6ops@ops.ietf.org
Delivery-date: Sat, 28 Sep 2002 05:14:20 -0700
Envelope-to: v6ops-data@psg.com

> The point I was trying to make was that, while the defenses that a
> edge router has to deploy are annoying, they are a straightforward
> extrapolation of what we already do for IPv4, and are based in large
> part on topological information that happens to be one of the very few
> things that the 6to4 edge router -can- trust.  In the common simple
> case, the router's interfaces partition into two disjoint sets: "my
> site" and "the rest of the world".  Unless the router is badly
> configured or otherwise crippled, it knows which interfaces are are in
> which set, and can apply packet filtering rules as necessary when
> decapsulating to keep itself from being used as a DDoS reflector or as
> a circumvention tool to get around ingress filtering.  The packet
> filtering rules are seriously ugly, but at the conceptual level this
> is a small matter of programming.
> 
> The relay router, on the other hand, does not have any useful
> topological information on which to make such decisions (to a first
> approximation, everything a relay router sees is from "the rest of the
> world").  So it needs to have kind of additional mechanism for
> figuring out who's allowed to use it as a decapsulator.

bingo!

and relays out in the net would have serious problems of scaling in
security associations, where site gateways have little if any.

randy

Prev by Date: Re: open 6to4 relay routers implementing RFC3068?
Next by Date: Re: IPv6 tunnel over NAT
Previous by thread: Re: IPv6 tunnel over NAT
Next by thread: Re: IPv6 tunnel over NAT
Index(es):
- Date
- Thread