
Re: Proposed 6to4 work (security)



On Wed, 16 Oct 2002 itojun@iijlab.net wrote:
> >> 	- can chew up bandwidth of the 6to4 public relay router provider, and
> >> 	  there's no way for an ISP to limit accesses to the relay router
> >> 	  to their customers (it has to be public service to everyone)
> >I believe you *can* quite effectively limit the access.  First by not 
> >advertising 2002::/16 or 192.88.99.1 to your peers (or doing it by some 
> >controlled measure, like no-export community), and if it's really 
> >important, placing some ACLs.
> 
> 	you are correct if you don't have downstream ISPs.
> 
> 	if you are a big ISP and have downstream ISPs, by doing the above you
> 	will prohibit your downstream ISPs from providing 6to4 relay routers.
> 	i'm not sure if it is an acceptable thing to do.

True, but I believe this is a bit of a non-issue: if a downstream ISP is
providing the service for everyone, you as a big ISP don't really need
to do it that badly (except perhaps as a backup, and then different policy
could apply -- connect the relay with BGP and have the routes be less
preferred) yourself.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
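
The ACL idea from the thread, as an added example that is not part of the original messages: a relay-side admission check that only decapsulates protocol-41 packets sent to 192.88.99.1 by customer IPv4 sources. The customer prefixes are constructed (documentation ranges), the function names are hypothetical, and the inner/outer source consistency check goes beyond what the thread mentions.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")

# Constructed customer prefixes (documentation ranges), not from the thread.
CUSTOMER_V4 = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def embedded_v4(addr6):
    """Return the IPv4 address carried in bits 16..47 of a 2002::/16 address."""
    a = ipaddress.ip_address(addr6)
    if a.version != 6 or a not in SIX_TO_FOUR:
        return None
    return ipaddress.ip_address((int(a) >> 80) & 0xFFFFFFFF)


def relay_accepts(outer_src, outer_dst, inner_src):
    """Decide whether the relay decapsulates a protocol-41 packet.

    outer_src / outer_dst are the IPv4 header addresses, inner_src is the
    source address of the encapsulated IPv6 packet.
    """
    src4 = ipaddress.ip_address(outer_src)
    if ipaddress.ip_address(outer_dst) != RELAY_ANYCAST:
        return (False, "not addressed to relay")
    # The ACL itself: only customer IPv4 sources may use the relay.
    if not any(src4 in net for net in CUSTOMER_V4):
        return (False, "outer source is not a customer")
    # Added assumption: the 6to4 source must embed the outer IPv4 source,
    # otherwise a customer could relay traffic with a forged 2002:: prefix.
    if embedded_v4(inner_src) != src4:
        return (False, "inner 2002:: source does not match outer source")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample packets: (outer src, outer dst, inner IPv6 src).
    samples = [
        ("192.0.2.1", "192.88.99.1", "2002:c000:201::1"),
        ("203.0.113.9", "192.88.99.1", "2002:cb00:7109::1"),
        ("192.0.2.1", "192.88.99.1", "2002:c633:6405::1"),
    ]
    for pkt in samples:
        print(pkt, relay_accepts(*pkt))
```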