Re: Proposed 6to4 work (security)
Pekka Savola wrote:
>
> On Wed, 16 Oct 2002 itojun@iijlab.net wrote:
> > >> - can chew up bandwidth of the 6to4 public relay router provider, and
> > >> there's no way for an ISP to limit accesses to the relay router
> > >> to their customers (it has to be public service to everyone)
> > >I believe you *can* quite effectively limit the access. First by not
> > >advertising 2002::/16 or 192.88.99.1 to your peers (or doing it by some
> > >controlled measure, like no-export community), and if it's really
> > >important, placing some ACLs.
> >
> > you are correct if you don't have downstream ISPs.
> >
> > if you are a big ISP and have downstream ISPs, by doing the above you
> > will prohibit your downstream ISPs from providing 6to4 relay routers.
> > I'm not sure if it is an acceptable thing to do.
>
> True, but I believe this is a bit of a non-issue: if a downstream ISP is
> providing the service for everyone, you as a big ISP don't really need
> to do it that badly (except perhaps as a backup, and then a different policy
> could apply -- connect the relay with BGP and have the routes be less
> preferred) yourself.
The idea was that relays would be run either by cooperatives or downstream
ISPs. I can't see why a transit provider would want to run one.
The spoofing issue is more serious; I can't see anything but some kind
of ingress filtering to protect against that.
This is why we need a 6to4 security draft in this WG.
Brian
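The kind of ingress filtering a 6to4 relay can apply against spoofed traffic, as an added example that is not part of this thread: the relay checks that the IPv4 address embedded in a 2002::/16 source matches the outer IPv4 source, and refuses to encapsulate toward embedded addresses that are not routable. The packet structure, the bogon list and the function names are illustrative assumptions; the sample headers are constructed.

```python
import ipaddress
from dataclasses import dataclass

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Illustrative, deliberately non-exhaustive list of IPv4 ranges that must never
# be embedded in a 6to4 address handled by the relay (assumption, not a standard).
BOGON_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class EncapPacket:
    """Header fields of a protocol-41 packet as seen by the relay (constructed)."""
    outer_src: str  # IPv4 header source address
    inner_src: str  # IPv6 header source address
    inner_dst: str  # IPv6 header destination address


def embedded_v4(addr: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """2002:aabb:ccdd::/48 carries the IPv4 address aa.bb.cc.dd in bits 16-47."""
    return ipaddress.IPv4Address(addr.packed[2:6])


def is_bogon(v4: ipaddress.IPv4Address) -> bool:
    return any(v4 in net for net in BOGON_V4)


def check_decapsulation(pkt: EncapPacket) -> tuple[bool, str]:
    """Ingress filter for a packet arriving at the relay from the IPv4 side."""
    outer_src = ipaddress.IPv4Address(pkt.outer_src)
    inner_src = ipaddress.IPv6Address(pkt.inner_src)
    if inner_src not in SIX_TO_FOUR:
        return False, "drop: inner IPv6 source is not a 6to4 address"
    if embedded_v4(inner_src) != outer_src:
        # The classic spoofing case: the IPv6 source claims an IPv4 address
        # that is not the one the packet actually came from.
        return False, "drop: embedded IPv4 does not match outer IPv4 source"
    if is_bogon(outer_src):
        return False, "drop: outer IPv4 source is a bogon"
    return True, "accept"


def check_encapsulation(inner_dst: str) -> tuple[bool, str]:
    """Egress filter for a native-IPv6 packet the relay would tunnel into 2002::/16."""
    dst = ipaddress.IPv6Address(inner_dst)
    if dst not in SIX_TO_FOUR:
        return False, "drop: not a 6to4 destination"
    if is_bogon(embedded_v4(dst)):
        return False, "drop: would encapsulate toward a bogon IPv4 address"
    return True, "accept"
```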