
Re: 6to4 security questions



On Wednesday, November 20, 2002, at 01:08 PM, Tim Chown wrote:

> On Wed, Nov 20, 2002 at 08:48:45PM +0100, Jeroen Massar wrote:
> > Currently in Europe, at least, there are only a few 6to4 relays:
> >  - Switch
> >  - Cybernet
> >  - Funet
> There are others (e.g. three I know of in the UK). How public they are
> is another issue.
>
> Just to put 6to4 in perspective for its current deployment, I am not aware
> of any European NRENs that are using 6to4 to connect sites to their national
> IPv6 deployments. Everything is done by manually configured tunnels.
>
> That's not to say 6to4 doesn't have a place (our students use it for access
> from their home networks, and it will work behind a NAT with tunnel forwarding)
> but it is perhaps more likely to be in large customer networks?
>
> To play devil's advocate, who is using 6to4 in a notable deployment?
Define a notable deployment. Windows XP comes with IPv6 support. It isn't on by default, but with a few commands, IPv6 is on and 6to4 is up. Mac OS X 10.2 (a.k.a. Jaguar) ships with IPv6 on and listening for routing advertisements. With a command, 6to4 is on and the node has an IPv6 address.

These releases require people to manually enable 6to4. It won't be long before such technologies are enabled by default. Will the 6to4 relays melt down? Perhaps. Will there be any incentive for people to deploy 6to4 relays or even maintain them if the traffic does pick up? At the very least, it will be a sign that there is demand for IPv6 connectivity.

Is it reasonable to rely on ISPs supplying IPv6 to their customers? I don't imagine I'll live to see the day that SBC hands out IPv6 addresses to DSL customers, and I'm only 25.

I see only one compelling reason to use IPv6 instead of IPv4, and that's end-to-end connectivity (no NATs). The problem is, developers are not going to deploy an IPv6 application if there are no clients that have IPv6 addresses. Until there are applications that support IPv6 and don't work over IPv4, there will be no demand for IPv6.

6to4 is a bootstrap technology that lets you get IPv6 out to a lot of people, people that have no hope of getting IPv6 addresses from shortsighted ISPs. With transition technologies like 6to4, developers can count on IPv6 when writing their applications. If the applications succeed and people are using IPv6, the demand may convince the ISPs to deploy IPv6.

Unfortunately, 6to4 will not work for everyone out there, especially those behind a NAT. Vendors of NAT boxes are not implementing 6to4; they don't see any demand. The Shipworm/Teredo draft is an interesting proposal for getting IPv6 connectivity to nodes behind a NAT. Unfortunately, the IETF seems to be totally uninterested.

If the transition to IPv6 relies on ISPs making a multi-billion dollar gamble that deploying IPv6 without any customer demand will pay off, IPv6 will never be widely deployed. Tunnel brokers don't scale, unless they charge. If they charge, only corporations and the few individuals that care enough will have IPv6 connectivity.

-josh
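As an added example (not part of this thread or any poster's code): the 6to4 address derivation that gives a node an IPv6 prefix from nothing but its public IPv4 address, which is why "a command" is all it takes, and the source-consistency check a relay operator would want before decapsulating traffic, which is the security side of running one of the relays discussed above. The sample addresses are constructed, and the reserved-range list is a simplified one rather than the complete list from the 6to4 security considerations.

```python
import ipaddress
from typing import Optional

# 6to4 (RFC 3056) embeds the node's public IPv4 address V4ADDR in the
# prefix 2002:V4ADDR::/48. No ISP cooperation is needed, which is the
# point the message above makes about XP and Mac OS X.
SIXTO4 = ipaddress.IPv6Network("2002::/16")

# IPv4 ranges that must never be embedded in a 6to4 address or appear as
# the outer source of a tunnelled packet. Simplified list (assumption),
# roughly following the 6to4 security considerations in RFC 3964.
_BAD_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Derive the /48 6to4 prefix 2002:VVVV:VVVV::/48 for a public IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in _BAD_V4):
        # A private address (e.g. a host behind a NAT) cannot be a 6to4 endpoint.
        raise ValueError(f"{ipv4} is not usable as a 6to4 endpoint")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address embedded in a 6to4 address, or None if not 6to4."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4:
        return None
    # The IPv4 address occupies bits 16..47 of the IPv6 address.
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def relay_accepts(outer_v4_src: str, inner_v6_src: str) -> bool:
    """Decide whether a relay should decapsulate a protocol-41 packet received
    over IPv4: the inner IPv6 source must be a 6to4 address whose embedded
    IPv4 equals the outer IPv4 source and is not in a reserved range."""
    v4 = ipaddress.IPv4Address(outer_v4_src)
    embedded = embedded_ipv4(inner_v6_src)
    if embedded is None:
        # A native IPv6 source arriving over IPv4 is spoofed or misrouted.
        return False
    if any(v4 in net for net in _BAD_V4):
        return False
    # A mismatch means the 6to4 source address was forged.
    return embedded == v4
```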