
RE: 6to4 security questions



Laurent Dumont wrote:

> We're planning to offer 6to4 as an auto configured fallback for getting
> home Mac users on IPv6. This of course if we don't get a RA and only in
> the case where the Mac is not behind a NAT... But that's another issue.

I think that making that a default option will lead to _many_ helpdesk
phone calls. The actual upstream ISP will get phone calls like:
 "www.example.org doesn't work"

Even though the upstream (ISP) can reach it quite well over IPv4.
Of course one will have IPv6 -> IPv4 fallback. But the latency for
falling back will be quite big. Also note that, unless 6to4 relays
suddenly pop out of nowhere, the traffic of these users will go through
a couple of different countries without the user probably wanting it.

It would be a good thing to do to 'force' upstreams to get IPv6 in their
networks. But I really don't think it will scale and it will deliver a
load of headaches. If you added this as an option in the network
settings with a big help doc alongside it describing the problems which
could arise, this would be great. "Go to network config and hit that
'enable 6to4' button to enable it" or something similar. A warning on a
non-responded RA could also be a good idea, but one has to remember that
most users will blindly click "Yes" on most forms they don't understand.

People really wanting IPv6 will get it from their upstream or a
transitional method and they can pick out of a lot: 6to4, configured
using a tunnelbroker or their upstream. Note also that current
tunnelbroker systems have quite intuitive websites and for example
freenet6 delivers an automatic configuration tool.
At least then they will be begging their upstream to get it supported :)

Greets,
 Jeroen