Re: 6to4 security questions

[Brian E Carpenter <brian@hursley.ibm.com>]

Pekka Savola wrote:
> 
> On Thu, 21 Nov 2002, Brian E Carpenter wrote:
> > Actually, what is wrong with the model in bullet 2.2 of section 5.2
> > of RFC 3056, i.e. require a BGP4+ peer relationship between a 6to4
> > router and the 6to4 relay routers it deals with? (OK, I can see some
> > reachability issues but 6to4 is not supposed to be the universal answer.)
> 
> That, in itself, helps little.  Relay routers must also be connected using
> BGP4+ and advertising more specific routes.

No, the model is that they will advertise 2002::/16, but only inside a limited set
of AS's. That is mentioned in RFC 3056 - you use BGP policy to scope
which relay serves which part of the native IPv6 network. 

That in itself doesn't protect against spoofing however; for that you need
peering between the 6to4 router and a set of trustworthy relays.

> 
> > As I said a moment ago, 6to4 wasn't designed for end hosts. I've
> > always felt the BGP4+ scenario was the best one.
> 
> Well, the reasons 6to4 is used are usualy either/and:
>  1) ease of taking into use
>  2) takes dynamic v4 address into account
> 
> For SOHO/home use, both conditions are usually fulfilled.  Also, for
> bigger enterprise networks, which are usually able to run BGP etc., are
> only concerned about _at most_ 1).

The third reason is 
  3) no IPv6 ISP offering configured tunnels near enough in the topology.

     Brian