
Re: 6to4 security questions



On Thu, 21 Nov 2002, Brian E Carpenter wrote:
> > On Thu, 21 Nov 2002, Brian E Carpenter wrote:
> > > Actually, what is wrong with the model in bullet 2.2 of section 5.2
> > > of RFC 3056, i.e. require a BGP4+ peer relationship between a 6to4
> > > router and the 6to4 relay routers it deals with? (OK, I can see some
> > > reachability issues but 6to4 is not supposed to be the universal answer.)
> > 
> > That, in itself, helps little.  Relay routers must also be connected using
> > BGP4+ and advertising more specific routes.
> 
> No, the model is that they will advertise 2002::/16, but only inside a limited set
> of AS's. That is mentioned in RFC 3056 - you use BGP policy to scope
> which relay serves which part of the native IPv6 network. 

A very heavy and unreliable (the unpredictable return routing) model.
I don't believe there are any of these deployed.
 
> That in itself doesn't protect against spoofing however; 

Indeed.

> for that you need
> peering between the 6to4 router and a set of trustworthy relays.

You're creating separate, rather small 6to4 internets using this model,
unless the relay routers will relay more specific routes between them.

I can't regard that as an acceptable deployment scenario: this seems like
creating semi-global addresses, and isolating yourself from the rest.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
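An added example, not part of either poster's message: the point that BGP scoping of 2002::/16 "doesn't protect against spoofing" is usually addressed by a per-packet check at decapsulation time, where the 6to4 router or relay verifies that the IPv4 address embedded in the inner 2002:V4ADDR::/48 source equals the outer IPv4 source and is not an obviously unroutable address. The function names, the bogon list (a constructed subset, not a complete one) and the sample addresses below are the author's assumptions, not anything from RFC 3056 or the thread.

```python
"""Per-packet 6to4 ingress sanity check (constructed illustration)."""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Constructed subset of IPv4 ranges that must never appear as the
# encapsulating source of a 6to4 packet arriving from the Internet.
UNROUTABLE_V4 = [
    ipaddress.IPv4Network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    )
]


def embedded_ipv4(addr6):
    """Return the IPv4 address carried in bits 16..47 of a 2002::/16
    address (2002:V4ADDR::/48), or None if addr6 is not a 6to4 address."""
    addr6 = ipaddress.IPv6Address(addr6)
    if addr6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(addr6.packed[2:6])


def is_routable_v4(addr4):
    """True unless addr4 falls into one of the constructed bogon ranges."""
    addr4 = ipaddress.IPv4Address(addr4)
    return not any(addr4 in net for net in UNROUTABLE_V4)


def check_6to4_ingress(outer_src_v4, inner_src_v6):
    """Decide whether a decapsulated 6to4 packet is internally consistent.

    Returns (accepted, reason). The check is purely local: it does not
    need BGP4+ peering with the sender, only the two addresses already in
    the packet, which is why it complements rather than replaces route
    scoping between relays.
    """
    outer = ipaddress.IPv4Address(outer_src_v4)
    if not is_routable_v4(outer):
        return False, "outer IPv4 source is not a routable address"
    inner_v4 = embedded_ipv4(inner_src_v6)
    if inner_v4 is None:
        return False, "inner IPv6 source is not a 2002::/16 address"
    if inner_v4 != outer:
        return False, "embedded IPv4 %s does not match outer source %s" % (inner_v4, outer)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample packets: (outer IPv4 source, inner IPv6 source).
    samples = [
        ("192.0.2.1", "2002:c000:201::1"),   # consistent
        ("192.0.2.1", "2002:c000:202::1"),   # embedded address spoofed
        ("10.0.0.1", "2002:a00:1::1"),       # private outer source
        ("192.0.2.1", "2001:db8::1"),        # inner source not 6to4
    ]
    for outer, inner in samples:
        ok, why = check_6to4_ingress(outer, inner)
        print("%-12s %-20s %s %s" % (outer, inner, "ACCEPT" if ok else "DROP", why))
```

The check deliberately looks only at fields the router already has, so it runs on every 6to4 router regardless of whether a relay peering model such as the one discussed above is ever deployed; a production implementation would extend the bogon list and apply the mirror-image check (embedded destination versus outer destination) on the encapsulation side.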