Re: 6to4 security questions



Jason Goldschmidt wrote:
> 
> Brian E Carpenter wrote:
> 
> >Jason Goldschmidt wrote:
> >...
> >
> >
> >> ...It should be made clear that a site should just block all
> >>traffic to/from relay routers if that site does not have a compelling
> >>reason to connect to the (Native) IPv6 Internet.  6to4 works great for
> >>connecting isolated clouds, but we can all see how connecting to the
> >>IPv6 Internet using 6to4 relay routers is flawed and dangerous.
> >>
> >>
> >
> >Er, you're missing the main reason 6to4 was invented, i.e. allowing
> >isolated IPv6 sites to connect to the IPv6 Internet using relay routers.
> >
> Understood, but the sparse deployment of 6to4 relay routers suggests
> people are not using 6to4 to connect to the IPv6 Internet.  And if they
> are, it isn't anything really that important.

Let's be clear why 6to4 was invented. It was intended to be a disruptive
technology for the case where a relatively sophisticated site's ISP
was unwilling to provide IPv6 service, and no upstream tunnel provider
was available. But I wouldn't expect to see widespread deployment until
there is widespread demand for IPv6 access, by which time we need to have
fixed the spoofing risk.

    Brian

> 
> -Jason
> 
> >
> >The use of 6to4 encapsulation to source bogus traffic was in fact
> >discussed very briefly in the security section of RFC 3056, but without
> >proposing a way to identify valid relay routers. If, after studying
> >spoofing in general, we still need a specific solution to the 6to4
> >spoofing risk, it will need to be a secure way of identifying valid
> >relays.
> >
> >  Brian
> >
> >
> >

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter 
Distinguished Engineer, Internet Standards & Technology, IBM 
On assignment at the IBM Zurich Laboratory, Switzerland
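As an added illustration, not part of the thread above: the source-consistency check described in RFC 3056 that a 6to4 router can apply to decapsulated packets, and why traffic arriving through a relay router escapes it, which is the gap that leaves a site with the policy choice discussed here (block relay traffic, or accept it with no way to verify the relay). The function names and the packet addresses are constructed for the example.

```python
import ipaddress
from typing import Optional

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")

# Address ranges that can never be a valid V4ADDR in a 6to4 prefix
# (RFC 3056 requires a globally unique IPv4 address); constructed list.
BOGON_V4 = [ipaddress.IPv4Network(n) for n in
            ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
             "172.16.0.0/12", "192.168.0.0/16")]


def embedded_v4(v6: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """Return the V4ADDR embedded in a 2002:V4ADDR::/48 address, else None."""
    if v6 not in SIXTO4_PREFIX:
        return None
    # Bits 16..47 of the 128-bit address carry V4ADDR.
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def classify(outer_src: str, inner_src: str, accept_relays: bool) -> str:
    """Decide what a 6to4 router should do with one decapsulated packet.

    outer_src: IPv4 source of the protocol-41 packet that carried it.
    inner_src: IPv6 source of the decapsulated packet.
    accept_relays: site policy for traffic that came via a relay router.
    """
    outer = ipaddress.IPv4Address(outer_src)
    inner = ipaddress.IPv6Address(inner_src)
    v4 = embedded_v4(inner)
    if v4 is not None:
        # Direct 6to4-to-6to4 traffic: the IPv4 header source must equal the
        # V4ADDR embedded in the IPv6 source, otherwise the packet is spoofed.
        if any(v4 in net for net in BOGON_V4):
            return "drop-bogon-prefix"
        return "accept-direct" if v4 == outer else "drop-spoofed"
    # Native IPv6 source: the packet reached us through some relay router.
    # Nothing in the packet proves which relay, or that the inner source is
    # genuine, so the only available control is the site's relay policy.
    return "accept-relay" if accept_relays else "drop-relay"
```

The `drop-relay` branch is the "block all traffic to/from relay routers" stance; the `accept-relay` branch is where a secure way of identifying valid relays would have to plug in.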