Re: 6to4 security questions
> Documenting the problems is the first step (which your draft mostly
> does) and I believe these should remain in their own draft. The larger,
> relay router related, problems I do not believe can or should be solved
> by this draft. This draft should present the security concerns, the
> possible attacks and any known ways to protect a 6to4 site. I also
> believe there needs to be text that speaks to the usefulness of a 6to4 relay
> router. It should be made clear that a site should just block all
> traffic to/from relay routers if that site does not have a compelling
> reason to connect to the (Native) IPv6 Internet. 6to4 works great for
> connecting isolated clouds, but we can all see how connecting to the
> IPv6 Internet using 6to4 relay routers is flawed and dangerous.
I think that would result in a separate "6to4 Internet" and "IPv6-native
Internet" which can't (reliably) communicate, which would be a very bad idea -
so bad that we should deprecate 6to4 IMHO.
Instead it makes sense to try to find sound operational practices that can
be applied while allowing nodes/sites using 6to4 to communicate with
nodes/sites that do not use 6to4 without severe security issues.
Erik