
Re: 6to4 security questions



As I keep having to remind people, 6to4 wasn't designed as
a mass market end-host solution, so if you use it for that
and have problems, well, I'm not too surprised.

  Brian

Jeroen Massar wrote:
> 
> Laurent Dumont wrote:
> 
> > We're planning to offer 6to4 as an auto configured fallback for getting
> > home Mac users on IPv6. This of course if we don't get a RA and only in
> > the case where the Mac is not behind a NAT... But that's another issue.
> 
> I think that making that a default option will lead to _many_ helpdesk
> phone calls.
> The actual upstream ISP will get phone calls like:
>  "www.example.org doesn't work"
> 
> Even though the upstream (ISP) can reach it quite well over IPv4.
> Of course one will have IPv6 -> IPv4 fallback. But the latency for
> falling back will be quite big. Also note that, unless 6to4 relays
> suddenly pop out of nowhere, the traffic of these users will go through
> a couple of different countries without the user probably wanting it.
> 
> It would be a good thing to do to 'force' upstreams to get IPv6 in their
> networks. But I really don't think it will scale and it will deliver a
> load of headaches. If you added this option as an option in the network
> settings with a big help doc alongside with it describing the problems
> which could arise this would be great. "Go to network config and hit
> that 'enable 6to4' button to enable it" or something similar. A warning
> on a non-responded RA could also be a good idea but one has to remember
> that most users will blindly click "Yes" on most forms they don't
> understand.
> 
> People really wanting IPv6 will get it from their upstream or a
> transitional method and they can pick out of a lot: 6to4, configured
> using a tunnelbroker or their upstream. Note also that current
> tunnelbroker systems have quite intuitive websites and for example
> freenet6 delivers an automatic configuration tool.
> At least then they will be begging their upstream to get it supported :)
> 
> Greets,
>  Jeroen