
Re: 6to4 deployment issues - was 6to4 security questions



Pekka Savola wrote:
> 
> On Thu, 21 Nov 2002, Jeroen Massar wrote:
> > > please think that to the end, it will not work without
> > > re-specification _globally_.
> > > We don't want to restrict 6to4 to ISPs' walled gardens.
> >
> > One ISP can have a trust relation with another ISP and announce
> > the anycast prefix only to that other ISP so it can make use of it too.
> > Source address verification should then of course be extended by the
> > other ISPs. This could be seen as a 'transit' type service, but then
> > between the v4 and v6 world ;)
> 
> How will you send traffic from 2001:dead:beef::1 to 2002:0103:0405::1, if
> 2001:dead:beef::/48 is not within the trust boundary?

Wrong question. The question is, does *any* 2002::/16 announcement
reach dead:beef's ISP? If yes, whichever relay is the origin of
that announcement will relay the traffic. The 2nd question is whether
that particular relay is trusted by 0103:0405's 6to4 router.

   Brian
> 
> If the answer is "no, you can't", this seems close to my "limited
> distribution of more specific routes" solution, except being more
> restrictive for deployment.
> 
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                   not those you stumble over and fall"
> Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter 
Distinguished Engineer, Internet Standards & Technology, IBM 
On assignment at the IBM Zurich Laboratory, Switzerland
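
The two checks discussed in this thread, seen from the 6to4 router's side, as an added example that is not part of the original message: a packet whose inner source is itself a 2002::/16 address must arrive from the IPv4 address embedded in it, and a packet with a native source (such as 2001:dead:beef::1) must arrive from a relay the router trusts. The function names, the trusted-relay set and the 192.0.2.1 / 198.51.100.7 addresses are assumptions constructed for illustration.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")


def embedded_v4(addr6):
    """Return the IPv4 address carried in a 2002:V4ADDR::/48 address, else None."""
    a = ipaddress.ip_address(addr6)
    if a.version != 6 or a not in SIX_TO_FOUR:
        return None
    # Bits 16..47 of the IPv6 address hold V4ADDR.
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def accept_decapsulated(outer_v4_src, inner_v6_src, inner_v6_dst,
                        my_v4, trusted_relays):
    """Decide whether a 6to4 router accepts a decapsulated protocol-41 packet.

    trusted_relays is a hypothetical local policy list of relay IPv4 addresses.
    Returns (accepted, reason).
    """
    outer = ipaddress.IPv4Address(outer_v4_src)
    trusted = {ipaddress.IPv4Address(r) for r in trusted_relays}

    # The inner destination must sit inside this site's own 6to4 prefix.
    if embedded_v4(inner_v6_dst) != ipaddress.IPv4Address(my_v4):
        return False, "destination outside local 6to4 prefix"

    src_v4 = embedded_v4(inner_v6_src)
    if src_v4 is not None:
        # 6to4 to 6to4: outer IPv4 source must equal the embedded V4ADDR.
        if src_v4 == outer:
            return True, "direct 6to4 peer"
        return False, "inner 2002:: source does not match outer IPv4 source"

    # Native IPv6 source: the packet can only have come through a relay.
    if outer in trusted:
        return True, "trusted relay"
    return False, "untrusted relay"


if __name__ == "__main__":
    # Constructed sample: native source from the thread, relay at 192.0.2.1.
    print(accept_decapsulated("192.0.2.1", "2001:dead:beef::1",
                              "2002:0103:0405::1", "1.3.4.5", {"192.0.2.1"}))
```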