Re: 6to4 security questions

[Jason Goldschmidt <jgoldsch@eng.sun.com>]

Brian E Carpenter wrote:

> Jason Goldschmidt wrote:
> ...
>  
> > ...It should be made clear that a site should just block all
> > traffic to/from relay routers if that site does not have a compelling
> > reason to connect to the (Native) IPv6 Internet.  6to4 works great for
> > connecting isolated clouds, but we can all see how connecting to the
> > IPv6 Internet using 6to4 relay routers is flawed and dangerous.
> >    
> Er, you're missing the main reason 6to4 was invented, i.e. allowing 
> isolated IPv6 sites to connect to the IPv6 Internet using relay routers. 
Understood, but the sparse deployment of 6to4 relay routers suggests 
people are not using 6to4 to connect to the IPv6 Internet.  And if they 
are, it isn't anything really that important.

-Jason


> The use of 6to4 encapsulation to source bogus traffic was in fact 
> discussed very briefly in the security section of RFC 3056, but without
> proposing a way to identify valid relay routers. If, after studying
> spoofing in general, we still need a specific solution to the 6to4
> spoofing risk, it will need to be a secure way of identifying valid
> relays.
>
>  Brian
>
>