
Re: 6to4 security questions



Jason Goldschmidt wrote:
...
>  ...It should be made clear that a site should just block all
> traffic to/from relay routers if that site does not have a compelling
> reason to connect to the (Native) IPv6 Internet.  6to4 works great for
> connecting isolated clouds, but we can all see how connecting to the
> IPv6 Internet using 6to4 relay routers is flawed and dangerous.

Er, you're missing the main reason 6to4 was invented, i.e. allowing 
isolated IPv6 sites to connect to the IPv6 Internet using relay routers. 

The use of 6to4 encapsulation to source bogus traffic was in fact 
discussed very briefly in the security section of RFC 3056, but without
proposing a way to identify valid relay routers. If, after studying
spoofing in general, we still need a specific solution to the 6to4
spoofing risk, it will need to be a secure way of identifying valid
relays.

  Brian