RE: 6to4 deployement issues - was 6to4 security questions

[Pekka Savola <pekkas@netcore.fi>]

On Thu, 21 Nov 2002, Jeroen Massar wrote:
> > please think that to the end, it will not work without 
> > re-specification _globally_. 
> > We don't want to restrict 6to4 to ISPs' walled gardens.
> 
> One ISP can have a trust relation with another ISP and announce
> the anycast prefix only to that other ISP so it can make use of it too.
> Source address verification should then ofcourse be extended by the
> other ISP's. This could be seen as a 'transit' type service, but then
> between the v4 and v6 world ;)

How will you send traffic from 2001:dead:beef::1 to 2002:0103:0405::1, if 
2001:dead:beef::/48 is not within the trust boundary?

If the answer if "no, you can't", this seems close to my "limited 
distribution of more specific routes" solution, except being more 
restrictive for deployment.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords