
Re: 6to4 security questions



Francis Dupont wrote:
> 
>  In your previous mail you wrote:
> 
>    There are in my opinion 4 ways forward:
> 
>    1- Revisit 6to4 architecture to have bi-directional communication
>        between the 6to4 router and the 6to4 relay. That way the decapsulating
>        6to4 router could apply some checks and make sure packets are coming
>        from a legitimate 6to4 relay.
> 
> => this is the solution for the home address option similar issue
> (the option is checked against the binding cache, i.e., is validated
> only when two-way communication is used).

Actually, what is wrong with the model in bullet 2.2 of section 5.2
of RFC 3056, i.e. require a BGP4+ peer relationship between a 6to4
router and the 6to4 relay routers it deals with? (OK, I can see some
reachability issues but 6to4 is not supposed to be the universal answer.)

As I said a moment ago, 6to4 wasn't designed for end hosts. I've
always felt the BGP4+ scenario was the best one.

   Brian
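The checks discussed above (a decapsulating 6to4 router verifying that the outer IPv4 source is consistent with the inner 6to4 source, and only accepting native-IPv6 traffic from relays it has an explicit relationship with) as an added, stand-alone example; this is not code from the thread, from RFC 3056 or from any 6to4 implementation. It assumes a hypothetical router at 192.0.2.1 whose site prefix is therefore 2002:c000:201::/48, and it models the "BGP4+ peer relationship" of RFC 3056 section 5.2 as a configured set of trusted relay IPv4 addresses (`trusted_relays`); the packets are constructed inline from documentation address ranges, with IPv4 checksums left at zero since the parser does not verify them.

```python
import ipaddress
import struct

# 6to4 addresses are 2002:V4ADDR::/48, the IPv4 address sits in bits 16..47.
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation, as used by 6to4


def embedded_v4(addr: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Extract the IPv4 address embedded in a 2002:V4ADDR::/48 address."""
    return ipaddress.IPv4Address(addr.packed[2:6])


def site_prefix(router_v4: ipaddress.IPv4Address) -> ipaddress.IPv6Network:
    """The 6to4 /48 that belongs to a site fronted by router_v4."""
    return ipaddress.IPv6Network(b"\x20\x02" + router_v4.packed + b"\x00" * 10, strict=False).supernet(new_prefix=48)


def parse_6to4_packet(raw: bytes):
    """Parse an IPv4 packet carrying protocol 41; return the outer and inner addresses."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol is not 41")
    outer_src = ipaddress.IPv4Address(raw[12:16])
    outer_dst = ipaddress.IPv4Address(raw[16:20])
    inner = raw[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    return outer_src, outer_dst, inner_src, inner_dst


def check_decap(raw: bytes, my_v4: ipaddress.IPv4Address, trusted_relays):
    """Decide whether a decapsulating 6to4 router should accept this packet.

    Returns (accept, reason). Hypothetical policy, illustrating the thread:
      - inner 6to4 source: its embedded IPv4 must equal the outer IPv4 source;
      - native IPv6 source: the outer IPv4 source must be a relay we peer with.
    """
    outer_src, outer_dst, inner_src, inner_dst = parse_6to4_packet(raw)
    if outer_dst != my_v4:
        return False, "outer destination is not this router"
    if inner_dst not in site_prefix(my_v4):
        return False, "inner destination is outside our 6to4 /48"
    if inner_src in SIXTO4_PREFIX:
        if embedded_v4(inner_src) != outer_src:
            return False, "embedded IPv4 of 6to4 source differs from outer IPv4 source"
        return True, "6to4 source consistent with outer IPv4 source"
    # Native IPv6 source: can only have arrived through a 6to4 relay, so the
    # outer source must be one of the relays we have a peering relationship with.
    if outer_src in trusted_relays:
        return True, "native IPv6 source via a trusted relay"
    return False, "native IPv6 source from an unknown relay"


def build_packet(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str) -> bytes:
    """Construct a minimal IPv6-in-IPv4 packet (constructed test input, checksum 0)."""
    o_src = ipaddress.IPv4Address(outer_src).packed
    o_dst = ipaddress.IPv4Address(outer_dst).packed
    i_src = ipaddress.IPv6Address(inner_src).packed
    i_dst = ipaddress.IPv6Address(inner_dst).packed
    # IPv6 header: version 6, payload length 0, next header 59 (none), hop limit 64
    ipv6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64) + i_src + i_dst
    # IPv4 header: version 4 / IHL 5, protocol 41, checksum left at 0
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64, IPPROTO_IPV6, 0, o_src, o_dst)
    return ipv4 + ipv6


if __name__ == "__main__":
    me = ipaddress.IPv4Address("192.0.2.1")              # hypothetical 6to4 router
    relays = {ipaddress.IPv4Address("198.51.100.7")}     # hypothetical peered relay
    for pkt in (
        build_packet("203.0.113.5", "192.0.2.1", "2002:cb00:7105::1", "2002:c000:201::1"),
        build_packet("203.0.113.5", "192.0.2.1", "2002:cb00:7106::1", "2002:c000:201::1"),
        build_packet("198.51.100.7", "192.0.2.1", "2001:db8::1", "2002:c000:201::1"),
        build_packet("203.0.113.9", "192.0.2.1", "2001:db8::1", "2002:c000:201::1"),
    ):
        print(check_decap(pkt, me, relays))
```

The second case is the one the thread is about: a 6to4 source whose embedded IPv4 (203.0.113.6) does not match the IPv4 packet's source (203.0.113.5) is rejected, and a native IPv6 source is only admitted when the outer packet comes from a relay in the configured set, which is where a BGP4+ peering would otherwise supply that knowledge.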