Re: IPv6 tunnel over NAT
> The point I was trying to make was that, while the defenses that a
> edge router has to deploy are annoying, they are a straightforward
> extrapolation of what we already do for IPv4, and are based in large
> part on topological information that happens to be one of the very few
> things that the 6to4 edge router -can- trust. In the common simple
> case, the router's interfaces partition into two disjoint sets: "my
> site" and "the rest of the world". Unless the router is badly
> configured or otherwise crippled, it knows which interfaces are in
> which set, and can apply packet filtering rules as necessary when
> decapsulating to keep itself from being used as a DDoS reflector or as
> a circumvention tool to get around ingress filtering. The packet
> filtering rules are seriously ugly, but at the conceptual level this
> is a small matter of programming.
>
> The relay router, on the other hand, does not have any useful
> topological information on which to make such decisions (to a first
> approximation, everything a relay router sees is from "the rest of the
> world"). So it needs to have kind of additional mechanism for
> figuring out who's allowed to use it as a decapsulator.
bingo!
and relays out in the net would have serious problems of scaling in
security associations, where site gateways have little if any.
randy
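The "my site" / "the rest of the world" partition in the quoted text, written out as a decapsulation policy for a 6to4 site edge router. This is an added example and not code from this thread or from any 6to4 implementation; the site IPv4 address, the addresses in the test cases, the short martian list and the rule that a native (non-2002::/16) inner source is accepted only when the outer source is a configured relay are all this example's own assumptions. 192.88.99.1 is the 6to4 relay anycast address from RFC 3068.

```python
import ipaddress

SIXTO4 = ipaddress.ip_network("2002::/16")
# 6to4 relay anycast address (RFC 3068); a real router would configure its own relay list.
RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")

# Constructed, deliberately short list of IPv4 ranges that must never be the outer
# source of a tunnelled packet arriving from "the rest of the world".
OUTER_MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def embedded_v4(addr6):
    """IPv4 address embedded in a 2002:V4ADDR::/48 address, or None if not 6to4."""
    if addr6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address(addr6.packed[2:6])


def site_prefix(site_v4):
    """The site's own 6to4 prefix 2002:V4ADDR::/48, derived from its IPv4 address."""
    b = site_v4.packed
    return ipaddress.IPv6Network(
        "2002:%02x%02x:%02x%02x::/48" % (b[0], b[1], b[2], b[3]))


def decap_decision(outer_src, inner_src, inner_dst, site_v4,
                   trusted_relays=(RELAY_ANYCAST,)):
    """Decide whether a site edge router may decapsulate a 6to4 packet that arrived
    on an outside-facing interface. Returns (accept, reason).

    The only topological facts used are the ones the quoted text says the edge
    router can trust: which prefix is "my site" and which interface the packet
    came in on (assumed here to be an outside interface).
    """
    outer_src = ipaddress.IPv4Address(outer_src)
    inner_src = ipaddress.IPv6Address(inner_src)
    inner_dst = ipaddress.IPv6Address(inner_dst)
    mine = site_prefix(ipaddress.IPv4Address(site_v4))

    # Outer header sanity: the encapsulating packet must come from a routable source.
    if any(outer_src in n for n in OUTER_MARTIANS):
        return False, "outer IPv4 source is a martian"

    # Anti-spoofing: nothing from the outside may claim to originate inside my site.
    if inner_src in mine:
        return False, "inner source claims to be inside my site"
    if inner_src.is_multicast or inner_src.is_loopback or inner_src.is_unspecified:
        return False, "inner source is not a unicast address"

    # Ingress-filtering equivalence: a 6to4 inner source must embed exactly the
    # outer IPv4 source, so an IPv4 host cannot launder packets with an arbitrary
    # IPv6 source through this router. A native IPv6 source can only legitimately
    # reach us via a relay, so require a configured relay as the outer source.
    emb = embedded_v4(inner_src)
    if emb is not None:
        if emb != outer_src:
            return False, "6to4 inner source does not embed the outer IPv4 source"
    elif outer_src not in trusted_relays:
        return False, "native inner source from a non-relay outer source"

    # Reflector / relay prevention: decapsulated traffic must terminate in my site;
    # forwarding it anywhere else would make this router a relay for third parties.
    if inner_dst not in mine:
        return False, "inner destination is not inside my site"

    return True, "accept"


if __name__ == "__main__":
    # Constructed sample: site 6to4 address 198.51.100.1 -> prefix 2002:c633:6401::/48.
    print(decap_decision("203.0.113.7", "2002:cb00:7107::1", "2002:c633:6401::10", "198.51.100.1"))
    print(decap_decision("203.0.113.7", "2002:a00:1::1", "2002:c633:6401::10", "198.51.100.1"))
```

The interesting point is what the policy does not need: no per-peer state, no list of who is allowed to tunnel to the site. Every check is derived from the site's own prefix and the packet's two headers, which is why the quoted text calls the edge-router case "a small matter of programming" while the relay, which has no "my site" set, has nothing comparable to check against.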