Re: 6to4 deployment issues - was 6to4 security questions
Pekka Savola wrote:
>
> On Thu, 21 Nov 2002, Jeroen Massar wrote:
> > > please think that to the end, it will not work without
> > > re-specification _globally_.
> > > We don't want to restrict 6to4 to ISPs' walled gardens.
> >
> > One ISP can have a trust relation with another ISP and announce
> > the anycast prefix only to that other ISP so it can make use of it too.
> > Source address verification should then of course be extended by the
> > other ISPs. This could be seen as a 'transit' type service, but then
> > between the v4 and v6 world ;)
>
> How will you send traffic from 2001:dead:beef::1 to 2002:0103:0405::1, if
> 2001:dead:beef::/48 is not within the trust boundary?
Wrong question. The question is, does *any* 2002::/16 announcement
reach dead:beef's ISP? If yes, whichever relay is the origin of
that announcement will relay the traffic. The 2nd question is whether
that particular relay is trusted by 0103:0405's 6to4 router.
Brian
>
> If the answer is "no, you can't", this seems close to my "limited
> distribution of more specific routes" solution, except being more
> restrictive for deployment.
>
> --
> Pekka Savola "Tell me of difficulties surmounted,
> Netcore Oy not those you stumble over and fall"
> Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter
Distinguished Engineer, Internet Standards & Technology, IBM
On assignment at the IBM Zurich Laboratory, Switzerland
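
Added example, not part of the original message: a sketch of the second question above, the check a 6to4 router could apply on decapsulation to decide whether the relay that forwarded a packet is one it trusts. The relay address 192.0.2.1, the function names and the sample outer sources are constructed assumptions; the two IPv6 addresses are the ones used in the thread.

```python
import ipaddress

# Assumption: the 6to4 router operator configures the IPv4 addresses of relays
# it trusts. 192.0.2.1 is a constructed value from a documentation range.
TRUSTED_RELAYS = {ipaddress.IPv4Address("192.0.2.1")}


def embedded_v4(addr):
    """Return the IPv4 address embedded in a 2002::/16 address, else None."""
    return ipaddress.IPv6Address(addr).sixtofour


def accept_decap(outer_v4_src, inner_src, inner_dst, my_v4,
                 trusted_relays=TRUSTED_RELAYS):
    """Decide whether a 6to4 router at my_v4 accepts an encapsulated packet.

    outer_v4_src: source of the IPv4 header carrying the IPv6 packet
    inner_src / inner_dst: addresses of the encapsulated IPv6 packet
    Returns (accepted, reason).
    """
    outer = ipaddress.IPv4Address(outer_v4_src)
    me = ipaddress.IPv4Address(my_v4)

    # The inner destination must lie in our own 2002:V4ADDR::/48.
    if embedded_v4(inner_dst) != me:
        return False, "inner destination is not in our 6to4 prefix"

    src_v4 = embedded_v4(inner_src)
    if src_v4 is not None:
        # 6to4 to 6to4: the sender tunnels directly, so the outer IPv4
        # source must equal the IPv4 address embedded in the inner source.
        if src_v4 == outer:
            return True, "direct 6to4 peer"
        return False, "embedded IPv4 does not match outer source"

    # Native IPv6 source: the packet came through whichever relay originated
    # the 2002::/16 announcement seen by the sender's ISP. Accept it only if
    # that relay is one this router trusts.
    if outer in trusted_relays:
        return True, "native source via trusted relay"
    return False, "native source via untrusted relay"


if __name__ == "__main__":
    # 2002:0103:0405::1 embeds 1.3.4.5; outer sources below are constructed.
    for outer in ("192.0.2.1", "198.51.100.7"):
        print(outer, accept_decap(outer, "2001:dead:beef::1",
                                  "2002:0103:0405::1", "1.3.4.5"))
```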