Re: 6to4 security questions



 In your previous mail you wrote:

   Actually, what is wrong with the model in bullet 2.2 of section 5.2
   of RFC 3056, i.e. require a BGP4+ peer relationship between a 6to4
   router and the 6to4 relay routers it deals with? (OK, I can see some
   reachability issues but 6to4 is not supposed to be the universal answer.)
   
=> this is a heavy solution (6to4 is supposed to be automatic and
not require BGP4+ skills) which secures only one way.
The security issue is a rogue 6to4 relay which uses 6to4 boxes behind
6to4 routers to reflect traffic to poor IPv6 nodes. I am afraid
this is the other way (as Alain said, the problem is in the asymmetrical
routing between 6to4 and native IPv6 Internets).

   As I said a moment ago, 6to4 wasn't designed for end hosts. I've
   always felt the BGP4+ scenario was the best one. 
   
=> of course, bullet 2.2 of section 5.2 is an option of a scenario...

Regards

Francis.Dupont@enst-bretagne.fr