[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: 6to4 security questions

To: "'Brian E Carpenter'" <brian@hursley.ibm.com>
Subject: RE: 6to4 security questions
From: "Jeroen Massar" <jeroen@unfix.org>
Date: Thu, 21 Nov 2002 17:19:28 +0100
Cc: "'Laurent Dumont'" <laurent@apple.com>, <v6ops@ops.ietf.org>
Delivery-date: Thu, 21 Nov 2002 08:19:19 -0800
Envelope-to: v6ops-data@psg.com
Importance: Normal
In-reply-to: <3DDCF4AE.D6F16937@hursley.ibm.com>
Organization: Unfix
Sender: owner-v6ops@ops.ietf.org

Brian E Carpenter wrote:

> As I keep having to remind people, 6to4 wasn't designed as
> a mass market end-host solution, so if you use it for that
> and have problems, well, I'm not too surprised.

Which is exactly what I wanted to point out to Laurent though
I did it probably with the wrong wordings ;)

I think that 6to4 could work if the upstream ISP delivered the relay.
Eg.. the client-machine tries to RA, if unsuccesfull it tries the
upstreams 6to4 using the anycast address.
The big assumption here is the fact that all upstreams need to either:
- have a 6to4 announced to their clients using the anycast address.
- block the route to the 6to4 anycast.
If neither of these two points are met one will fall back into the
scaling problems and will see people using IPv6 over a completely
different country. I don't see this as a viable solution though :(

Greets,
 Jeroen

> Jeroen Massar wrote:
> > 
> > Laurent Dumont wrote:
> > 
> > > We're planning to offer 6to4 as an auto configured fallback
> > > for getting home
> > > Mac users on IPv6. This of course if we don't get a RA and
> > > only in the case we're the Mac is not behind a NAT... But that's
> > another issue.
> > 
> > I think that making that a default option will lead into 
> _many_ helpdesk
> > phonecalls.
> > The actual upstream ISP will get phonecalls like:
> >  "www.example.org doesn't work"
> > 
> > Even though the upstream (ISP) can reach it quite well over IPv4.
> > Ofcourse one will have IPv6 -> IPv4 fallback. But the latency for
> > falling
> > back will be quite big. Also note that, unless 6to4 relays 
> suddenly pop
> > out
> > of nowhere, the traffic of these users will go through a couple of
> > different
> > countries without the user probably wanting it.
> > 
> > It would be a good thing to do to 'force' upstreams to get 
> IPv6 in their
> > networks.
> > But I really don't think it will scale and it will deliver a load of
> > headaches.
> > If you added this option as an option in the network 
> settings with a big
> > help doc
> > alongside with it describing the problems which could arise 
> this would
> > be great.
> > "Go to network config and hit that 'enable 6to4' button to 
> enable it" or
> > something
> > similar. A warning on a non-responded RA could also be a 
> good idea but
> > one has
> > to remember that most users will blindly click "Yes" on 
> most forms they
> > don't understand.
> > 
> > People really wanting IPv6 will get it from their upstream or a
> > transitional method
> > and they can pick out of a lot: 6to4, configured using a 
> tunnelbroker or
> > their upstream.
> > Note also that current tunnelbroker systems have quite intuitive
> > websites and for example
> > freenet6 delivers an automatic configuration tool.
> > At least then they will be begging their upstream to get it 
> supported :)
> > 
> > Greets,
> >  Jeroen
> 
> 
>

References:
- Re: 6to4 security questions
  - From: Brian E Carpenter <brian@hursley.ibm.com>

Prev by Date: Re: 6to4 deployement issues - was 6to4 security questions
Next by Date: Re: 6to4 security questions
Previous by thread: Re: 6to4 deployement issues - was 6to4 security questions
Next by thread: Re: 6to4 security questions
Index(es):
- Date
- Thread