
Re: 6to4 security questions



Brian E Carpenter wrote:

Jason Goldschmidt wrote:
...

...It should be made clear that a site should just block all
traffic to/from relay routers if that site does not have a compelling
reason to connect to the (Native) IPv6 Internet. 6to4 works great for
connecting isolated clouds, but we can all see how connecting to the
IPv6 Internet using 6to4 relay routers is flawed and dangerous.

Er, you're missing the main reason 6to4 was invented, i.e. allowing isolated IPv6 sites to connect to the IPv6 Internet using relay routers.

Understood, but the sparse deployment of 6to4 relay routers suggests people are not using 6to4 to connect to the IPv6 Internet. And if they are, it isn't anything really that important.

-Jason



The use of 6to4 encapsulation to source bogus traffic was in fact discussed very briefly in the security section of RFC 3056, but without
proposing a way to identify valid relay routers. If, after studying
spoofing in general, we still need a specific solution to the 6to4
spoofing risk, it will need to be a secure way of identifying valid
relays.

Brian
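
An added illustration, not part of the original thread: a sketch of the source check a 6to4 decapsulator can make on protocol-41 traffic, showing why relayed packets are the case that cannot be validated without a way to identify valid relays. The function name, verdict labels and `block_relays` switch are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress


def classify_6to4(outer_src, inner_src, block_relays=False):
    """Classify a decapsulated 6to4 packet by its outer IPv4 and inner IPv6 source.

    outer_src: source address of the IPv4 header carrying protocol 41
    inner_src: source address of the encapsulated IPv6 packet
    block_relays: site policy of refusing relay traffic (hypothetical switch)
    """
    outer = ipaddress.IPv4Address(outer_src)
    inner = ipaddress.IPv6Address(inner_src)

    # For 2002:V4ADDR::/48 sources the IPv4 address is embedded in the
    # prefix, so it can be compared with the outer header directly.
    embedded = inner.sixtofour
    if embedded is not None:
        return "accept" if embedded == outer else "drop-mismatch"

    # A native IPv6 source means the packet was encapsulated by a relay.
    # The outer source is then the relay's IPv4 address, and nothing in
    # the packet ties that address to a legitimate relay.
    return "drop-relay" if block_relays else "unverifiable-relay"


if __name__ == "__main__":
    # Constructed sample packets: (outer IPv4 source, inner IPv6 source)
    samples = [
        ("192.0.2.1", "2002:c000:201::1"),     # 6to4 site, consistent
        ("198.51.100.7", "2002:c000:201::1"),  # 6to4 prefix, wrong sender
        ("198.51.100.7", "2001:db8::5"),       # native source via a relay
    ]
    for outer, inner in samples:
        print(outer, inner, classify_6to4(outer, inner))
```

Only the first two cases can be decided from the packet itself; the third is accepted or refused purely by site policy.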