
RE: 6to4 security questions



Brian E Carpenter wrote:

> As I keep having to remind people, 6to4 wasn't designed as
> a mass market end-host solution, so if you use it for that
> and have problems, well, I'm not too surprised.

Which is exactly what I wanted to point out to Laurent, though
I probably did it with the wrong wording ;)

I think that 6to4 could work if the upstream ISP delivered the relay.
E.g. the client machine tries to get an RA; if unsuccessful, it tries the
upstream's 6to4 using the anycast address.
The big assumption here is the fact that all upstreams need to either:
- have 6to4 announced to their clients using the anycast address, or
- block the route to the 6to4 anycast.
If neither of these two points is met, one will fall back into the
scaling problems and will see people using IPv6 over a completely
different country. I don't see this as a viable solution though :(

Greets,
 Jeroen

> Jeroen Massar wrote:
> > 
> > Laurent Dumont wrote:
> > 
> > > We're planning to offer 6to4 as an auto-configured fallback
> > > for getting home Mac users on IPv6. This, of course, if we don't
> > > get an RA and only in the case where the Mac is not behind a NAT...
> > > But that's another issue.
> > 
> > I think that making that a default option will lead to _many_ helpdesk
> > phone calls.
> > The actual upstream ISP will get phone calls like:
> >  "www.example.org doesn't work"
> > 
> > Even though the upstream (ISP) can reach it quite well over IPv4.
> > Of course one will have IPv6 -> IPv4 fallback. But the latency for
> > falling back will be quite big. Also note that, unless 6to4 relays
> > suddenly pop out of nowhere, the traffic of these users will go
> > through a couple of different countries without the user probably
> > wanting it.
> > 
> > It would be a good thing to 'force' upstreams to get IPv6 in their
> > networks.
> > But I really don't think it will scale and it will deliver a load of
> > headaches.
> > If you added this as an option in the network settings with a big
> > help doc alongside it describing the problems which could arise,
> > this would be great.
> > "Go to network config and hit that 'enable 6to4' button to enable it"
> > or something similar. A warning on a non-responded RA could also be
> > a good idea, but one has to remember that most users will blindly
> > click "Yes" on most forms they don't understand.
> > 
> > People really wanting IPv6 will get it from their upstream or a
> > transitional method, and they can pick out of a lot: 6to4, configured
> > using a tunnelbroker or their upstream.
> > Note also that current tunnelbroker systems have quite intuitive
> > websites and, for example, freenet6 delivers an automatic
> > configuration tool.
> > At least then they will be begging their upstream to get it
> > supported :)
> > 
> > Greets,
> >  Jeroen
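The fallback order Jeroen sketches above (native RA first, then 6to4 through the relay anycast address, and only when the client holds a public IPv4 address, since a NATed Mac cannot embed its private address), as an added Python example that is not part of this thread. The relay anycast address 192.88.99.1 is the documented RFC 3068 value, which the thread only calls "the anycast address"; the list of unusable IPv4 ranges and the sample addresses are constructed for the example.

```python
import ipaddress

# RFC 3068 anycast address of the nearest 6to4 relay (documented value; the
# thread only refers to "the anycast address").
RELAY_ANYCAST_V4 = "192.88.99.1"

# IPv4 ranges a 6to4 client must not embed (RFC 1918 and other non-routable
# space). Constructed for this example; a deployment would use a fuller list.
UNUSABLE_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

def usable_for_6to4(v4):
    """True only if the IPv4 address is one 6to4 can embed (not behind NAT)."""
    addr = ipaddress.IPv4Address(v4)
    return not any(addr in net for net in UNUSABLE_V4)

def six_to_four_prefix(v4):
    """RFC 3056: the /48 2002:WWXX:YYZZ::/48 derived from IPv4 W.X.Y.Z."""
    addr = ipaddress.IPv4Address(v4)
    if not usable_for_6to4(addr):
        raise ValueError(f"{addr} is not a public address; 6to4 cannot work here")
    w, x, y, z = addr.packed
    return ipaddress.IPv6Network(f"2002:{w:02x}{x:02x}:{y:02x}{z:02x}::/48")

def embedded_ipv4(v6):
    """Recover the IPv4 endpoint from a 6to4 address, or None if it is not 6to4.
    Lets a relay or ISP operator see where 6to4 traffic really originates."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in ipaddress.IPv6Network("2002::/16"):
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def choose_ipv6_path(got_ra, local_v4):
    """Fallback order from the thread: native RA, then 6to4 via the relay
    anycast address, otherwise stay IPv4-only (the NAT case)."""
    if got_ra:
        return {"method": "native", "prefix": None, "relay": None}
    if usable_for_6to4(local_v4):
        return {"method": "6to4", "prefix": six_to_four_prefix(local_v4),
                "relay": RELAY_ANYCAST_V4}
    return {"method": "ipv4-only", "prefix": None, "relay": None}

if __name__ == "__main__":
    # Constructed sample inputs: a public address, a NATed one, a 6to4 address.
    print(choose_ipv6_path(got_ra=False, local_v4="203.0.113.5"))
    print(choose_ipv6_path(got_ra=False, local_v4="192.168.1.20"))
    print(embedded_ipv4("2002:cb00:7105::1"))
```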