Re: 6to4 security questions
Francis Dupont wrote:
>
> In your previous mail you wrote:
>
> There are in my opinion 4 ways forward:
>
> 1- Revisit 6to4 architecture to have bi-directional communication
> between the 6to4 router and the 6to4 relay. That way the decapsulating
> 6to4 router could apply some checks and make sure packets are coming
> from a legitimate 6to4 relay.
>
> => this is the solution for the home address option similar issue
> (the option is checked against the binding cache, i.e., is validated
> only when two-way communication is used).
Actually, what is wrong with the model in bullet 2.2 of section 5.2
of RFC 3056, i.e. require a BGP4+ peer relationship between a 6to4
router and the 6to4 relay routers it deals with? (OK, I can see some
reachability issues but 6to4 is not supposed to be the universal answer.)
As I said a moment ago, 6to4 wasn't designed for end hosts. I've
always felt the BGP4+ scenario was the best one.
Brian