
Re: IPv6 tunnel over NAT



> The point I was trying to make was that, while the defenses that an
> edge router has to deploy are annoying, they are a straightforward
> extrapolation of what we already do for IPv4, and are based in large
> part on topological information that happens to be one of the very few
> things that the 6to4 edge router -can- trust.  In the common simple
> case, the router's interfaces partition into two disjoint sets: "my
> site" and "the rest of the world".  Unless the router is badly
> configured or otherwise crippled, it knows which interfaces are in
> which set, and can apply packet filtering rules as necessary when
> decapsulating to keep itself from being used as a DDoS reflector or as
> a circumvention tool to get around ingress filtering.  The packet
> filtering rules are seriously ugly, but at the conceptual level this
> is a small matter of programming.
> 
> The relay router, on the other hand, does not have any useful
> topological information on which to make such decisions (to a first
> approximation, everything a relay router sees is from "the rest of the
> world").  So it needs to have some kind of additional mechanism for
> figuring out who's allowed to use it as a decapsulator.

bingo!

and relays out in the net would have serious problems of scaling in
security associations, where site gateways have little if any.

randy