Re: 6to4 security questions



On Wed, 20 Nov 2002, Tim Chown wrote:
> If you look at home user connectivity now, the most common method used is
> a tunnel broker, witness 10K+(?) users of freenet6.  A TB can serve /48's
> as well as just connecting hosts.  I doubt there's 10K users of 6to4?

Really that many?  I wonder how many of them are actually being used?

To me, 6to4 seems a far better mechanism to deploy v6 for organizations that
_usually_ need a tunnel broker (easy access, tunnel end-point far away).

Controlled tunnel brokering seems of course the better choice.  But it 
appears to me that that's _not_ what most of those tunnel sites are..
 
> I take the point about 6to4 deployment in Sun.  It's certainly easier than
> a mesh of tunnels in that respect (depending on the topology you want),
> but you still need the same ISP support (ip tunnels allowed).

That's the wrong way to deploy 6to4, as it breaks the assumption about global
reachability.

Instead, if configuring tunnels between the sites (the N^2 problem) is a 
real problem, Sun should use native addresses for infrastructure, and 6to4 
just for the "point-to-point links" between the sites (think of BGP
tunneling except replace BGP with 6to4).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords