Re: 6to4 security questions
Thanks for the comments; a reply to a comment below.
On Wed, 20 Nov 2002, Jason Goldschmidt wrote:
> [...] I also
> believe there needs text that speaks to the usefulness of a 6to4 relay
> router. It should be made clear that a site should just block all
> traffic to/from relay routers if that site does not have a compelling
> reason to connect to the (Native) IPv6 Internet. 6to4 works great for
> connecting isolated clouds, but we can all see how connecting to the
> IPv6 Internet using 6to4 relay routers is flawed and dangerous.
I'm not so sure about that -- if you just want to connect isolated
islands, usually you could also use configured tunneling. Global
connectivity is an important factor, but those that don't want it seem to
be just a corner case.
There are two special cases that I can think of:
- people using 6to4 addresses merely because of their automatic features,
as a replacement for automatic tunneling/ISATAP (e.g. to connect v6 edge
routers over v4 MPLS core).
==> personally I'm not sure this is really a valid usage scenario but
rather a hack.
- people using 6to4 merely to be able to "optimize" (assuming v4
tunneling is better than v6 native, which is currently true) 6to4
connections in addition to their native v6 connections. Then a relay is
not needed. But blocking may still be a bit problematic as it depends on
proper source/destination address selection everywhere (depending a bit on
whether 6to4 addresses are published e.g. in DNS).
What do others feel?
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"Tell me of difficulties surmounted, not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
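The "block all traffic to/from relay routers" policy proposed in the quoted comment, next to the consistency check that makes direct 6to4-to-6to4 traffic safe to accept, as a worked example added to this archive page (not code from the thread or from any 6to4 implementation). The site IPv4 address, the `allow_relays` policy flag and all sample addresses (RFC 5737 documentation ranges) are assumed, constructed values.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

SIX_TO_FOUR = IPv6Network("2002::/16")


def embedded_ipv4(addr):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address, else None."""
    addr = IPv6Address(addr)
    if addr not in SIX_TO_FOUR:
        return None
    return IPv4Address(addr.packed[2:6])


def site_6to4_prefix(site_v4):
    """The /48 a site derives from its public IPv4 address: 2002:V4ADDR::/48."""
    p = IPv4Address(site_v4).packed
    return IPv6Network(f"2002:{p[:2].hex()}:{p[2:].hex()}::/48")


def bogus_outer_source(v4):
    """Outer IPv4 sources that can never be a legitimate 6to4 peer or relay."""
    return v4.is_multicast or v4.is_loopback or v4.is_link_local \
        or v4.is_unspecified or v4.is_reserved


def accept_decapsulated(outer_v4_src, inner_src, inner_dst, site_v4, allow_relays):
    """Decide whether a packet decapsulated from the 6to4 tunnel may enter the site.

    Returns (accepted, reason). allow_relays=False is the 'isolated clouds'
    policy from the thread: only peers whose 6to4 source embeds the IPv4
    address the packet actually arrived from are let in, so nothing that
    came through a relay router (native IPv6 source) is accepted.
    """
    outer_v4_src = IPv4Address(outer_v4_src)
    inner_src, inner_dst = IPv6Address(inner_src), IPv6Address(inner_dst)

    if inner_dst not in site_6to4_prefix(site_v4):
        return False, "inner destination is not in this site's 6to4 /48"
    if bogus_outer_source(outer_v4_src):
        return False, "outer IPv4 source cannot be a 6to4 peer"
    peer_v4 = embedded_ipv4(inner_src)
    if peer_v4 is not None:
        if peer_v4 != outer_v4_src:
            return False, "embedded IPv4 does not match outer IPv4 source"
        return True, "consistent 6to4 peer"
    # Native IPv6 source: this packet was forwarded to us by a relay router.
    if allow_relays:
        return True, "native source via relay router"
    return False, "relay traffic blocked by site policy"
```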