
Re: 6to4 security questions



Thanks for the comments, a reply to a comment below.

On Wed, 20 Nov 2002, Jason Goldschmidt wrote:
> [...] I also 
> believe there needs to be text that speaks to the usefulness of a 6to4 relay 
> router.  It should be made clear that a site should just block all 
> traffic to/from relay routers if that site does not have a compelling 
> reason to connect to the (Native) IPv6 Internet.  6to4 works great for 
> connecting isolated clouds, but we can all see how connecting to the 
> IPv6 Internet using 6to4 relay routers is flawed and dangerous.

I'm not so sure about that -- if you just want to connect isolated 
islands, usually you could also use configured tunneling.  Global 
connectivity is an important factor, but those that don't want it seem to 
be just a corner case.

There are two special cases that I can think of:
 - people using 6to4 addresses merely because of their automatic features, 
as a replacement for automatic tunneling/ISATAP (e.g. to connect v6 edge 
routers over v4 MPLS core).
  ==> personally I'm not sure this is really a valid usage scenario but 
rather a hack.

 - people using 6to4 merely to be able to "optimize" (assuming v4 
tunneling is better than v6 native, which is currently true) 6to4 
connections in addition to their native v6 connections.  Then a relay is 
not needed.  But blocking may still be a bit problematic as it depends on 
proper source/destination address selection everywhere (depending a bit on 
whether 6to4 addresses are published e.g. in DNS).

What do others feel?

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
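As an added illustration of the blocking policy discussed in this thread (my own example, not code from the thread or from any 6to4 implementation): a small classifier that tells relay-dependent flows (6to4 to native IPv6) apart from direct 6to4-to-6to4 flows, using only the 2002:V4ADDR::/48 address format of RFC 3056, and applies the "drop relay traffic unless the site needs native connectivity" rule. The check for unroutable embedded IPv4 addresses goes beyond the thread; the flow list is constructed from documentation addresses.

```python
import ipaddress

# 6to4 addresses are 2002:V4ADDR::/48, with the site's public IPv4 in bits 16-47.
SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Embedded IPv4 ranges that can never belong to a reachable 6to4 router; a 6to4
# address built on one of these is bogus (added check, beyond the thread itself).
BOGUS_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def embedded_ipv4(addr):
    """Return the IPv4 address embedded in a 6to4 address, or None if not 6to4."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4:
        return None
    return ipaddress.IPv4Address(a.packed[2:6])

def is_bogus_6to4(addr):
    """True if addr is 6to4 but embeds an IPv4 address that cannot be public."""
    v4 = embedded_ipv4(addr)
    return v4 is not None and any(v4 in n for n in BOGUS_V4)

def classify_flow(src, dst):
    """Which path an IPv6 flow takes: direct 6to4 tunnel, via a relay, or native."""
    s, d = embedded_ipv4(src), embedded_ipv4(dst)
    if s is not None and d is not None:
        return "6to4-direct"   # encapsulated straight between the two 6to4 routers
    if s is not None or d is not None:
        return "6to4-relay"    # one end is native IPv6, so a relay router is involved
    return "native"

def decide(src, dst, allow_relay=False):
    """Policy from the thread: drop relay-dependent 6to4 traffic unless the site opts in."""
    if is_bogus_6to4(src) or is_bogus_6to4(dst):
        return "drop"
    if classify_flow(src, dst) == "6to4-relay" and not allow_relay:
        return "drop"
    return "accept"

# Constructed sample flows (documentation addresses only), not captured traffic.
SAMPLE_FLOWS = [
    ("2002:c000:204::1", "2002:c633:6401::1"),   # 6to4 <-> 6to4 (192.0.2.4 / 198.51.100.1): direct
    ("2002:c000:204::1", "2001:db8::1"),          # 6to4 -> native: needs a relay
    ("2001:db8::1", "2002:a00:1::1"),             # native -> 6to4 embedding 10.0.0.1: bogus
    ("2001:db8::1", "2001:db8::2"),               # native <-> native
]

def apply_policy(flows=SAMPLE_FLOWS, allow_relay=False):
    """Return (src, dst, flow class, decision) for each flow under the chosen policy."""
    return [(s, d, classify_flow(s, d), decide(s, d, allow_relay)) for s, d in flows]
```

Run `apply_policy()` for the strict policy and `apply_policy(allow_relay=True)` for a site that has decided it does want native connectivity via relays.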