
Re: 6to4 security questions



Francis Dupont wrote:
> 
>  In your previous mail you wrote:
> 
>    Actually, what is wrong with the model in bullet 2.2 of section 5.2
>    of RFC 3056, i.e. require a BGP4+ peer relationship between a 6to4
>    router and the 6to4 relay routers it deals with? (OK, I can see some
>    reachability issues but 6to4 is not supposed to be the universal answer.)
> 
> => this is a heavy solution (6to4 is supposed to be automatic and
> not require BGP4+ skills) 

This author of 6to4 *never* said that.

> which secures only one way.

Indeed. You need BGP peering on both sides of the relay.

> The security issue is a rogue 6to4 relay which uses 6to4 boxes behind
> 6to4 routers to reflect traffic to poor IPv6 nodes. 

Exactly. So the 6to4 routers should only accept packets from
BGP peers. It may be heavyweight, but it is not mysterious.

   Brian

> I am afraid
> this is the other way (as Alain said, the problem is in the asymmetrical
> routing between 6to4 and native IPv6 Internets).
> 
>    As I said a moment ago, 6to4 wasn't designed for end hosts. I've
>    always felt the BGP4+ scenario was the best one.
> 
> => of course, bullet 2.2 of section 5.2 is an option of a scenario...
> 
> Regards
> 
> Francis.Dupont@enst-bretagne.fr
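Worked illustration of the policy Brian argues for above, as an added example that is not code from this thread, from RFC 3056, or from any 6to4 implementation: a 6to4 router's ingress filter for IPv6-in-IPv4 (protocol 41) packets that accepts traffic with a native IPv6 source only from the relay routers it has a BGP4+ peering with, and drops anything that would make it reflect traffic towards an IPv6 destination outside its own site. It also applies the standard 6to4 consistency check (outer IPv4 source must equal the address embedded in a 2002::/16 inner source), which the thread does not discuss. The router address, site prefix, peer list and packets are constructed from documentation address ranges and are assumptions of the example.

```python
"""Ingress policy for IPv6-in-IPv4 (protocol 41) packets at a 6to4 router.

Added example for this thread, not code from the list or from RFC 3056.
It implements the rule Brian states: encapsulated traffic carrying a native
IPv6 source is accepted only from relay routers this site has a BGP4+
peering with. Packets from other 6to4 sites (inner source in 2002::/16) are
instead subjected to the usual 6to4 consistency check: the outer IPv4 source
must equal the address embedded in the inner 6to4 source. Packets whose inner
destination is not this site are dropped so the router cannot be used as a
reflector. All addresses and packets below are constructed (documentation
ranges), not taken from the thread.
"""
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Assumed deployment: this router's IPv4 address, the 2002:V4ADDR::/48 site
# prefix derived from it, and the one relay it peers with over BGP4+.
ROUTER_V4 = ipaddress.IPv4Address("192.0.2.1")           # c0.00.02.01
SITE_PREFIX = ipaddress.IPv6Network("2002:c000:201::/48")
BGP_PEER_RELAYS = {ipaddress.IPv4Address("198.51.100.7")}


def embedded_v4(addr6):
    """IPv4 address embedded in a 2002:V4ADDR::/48 6to4 address (bytes 2-5)."""
    return ipaddress.IPv4Address(addr6.packed[2:6])


def parse_proto41(pkt):
    """Minimal parse of outer IPv4 + inner IPv6 headers.

    Returns (outer_src4, inner_src6, inner_dst6), or None if the packet is
    not a well-formed protocol-41 encapsulation.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 41 or len(pkt) < ihl + 40:
        return None
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return None
    return (ipaddress.IPv4Address(pkt[12:16]),
            ipaddress.IPv6Address(inner[8:24]),
            ipaddress.IPv6Address(inner[24:40]))


def decide(pkt, bgp_peers=BGP_PEER_RELAYS, site_prefix=SITE_PREFIX):
    """Return ("accept" | "drop", reason) for one encapsulated packet."""
    parsed = parse_proto41(pkt)
    if parsed is None:
        return ("drop", "not a well-formed IPv6-in-IPv4 packet")
    src4, src6, dst6 = parsed
    if dst6 not in site_prefix:
        # Decapsulating and forwarding this would make us the reflector.
        return ("drop", "inner destination is not this 6to4 site")
    if src6 in SIX_TO_FOUR:
        if embedded_v4(src6) != src4:
            return ("drop", "6to4 source does not embed the outer IPv4 source")
        return ("accept", "consistent 6to4 site-to-site packet")
    # Native IPv6 source: it can only legitimately reach us through a relay,
    # and the only relays we trust are the ones we peer with.
    if src4 in bgp_peers:
        return ("accept", "native IPv6 source via BGP4+ peer relay")
    return ("drop", "native IPv6 source via unknown relay")


def build_proto41(src4, dst4, src6, dst6, payload=b""):
    """Construct a test packet: IPv4 header (proto 41) + IPv6 header + payload."""
    v6 = (struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)  # 59 = no next header
          + ipaddress.IPv6Address(src6).packed
          + ipaddress.IPv6Address(dst6).packed + payload)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0,
                     ipaddress.IPv4Address(src4).packed,
                     ipaddress.IPv4Address(dst4).packed)
    return v4 + v6


def demo():
    """Run the policy over constructed packets; returns the list of verdicts."""
    host = "2002:c000:201::10"                 # a host behind this router
    cases = [
        # native source arriving from the relay we peer with
        build_proto41("198.51.100.7", "192.0.2.1", "2001:db8::1", host),
        # same native source, but injected by an unknown (rogue) relay
        build_proto41("203.0.113.9", "192.0.2.1", "2001:db8::1", host),
        # another 6to4 site (203.0.113.9 == 2002:cb00:7109::/48), consistent
        build_proto41("203.0.113.9", "192.0.2.1", "2002:cb00:7109::1", host),
        # rogue box claiming our peer's 6to4 prefix from the wrong IPv4 source
        build_proto41("203.0.113.9", "192.0.2.1", "2002:c633:6407::1", host),
        # inner destination is somewhere else: a reflection attempt
        build_proto41("198.51.100.7", "192.0.2.1", "2001:db8::1", "2001:db8::2"),
    ]
    return [decide(p)[0] for p in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The peer allow-list is what makes the filter "heavyweight" in the sense discussed above: the 6to4 router must know its relays by IPv4 address, which in practice means the same BGP4+ configuration that sets up the peering. Note that this only protects the 6to4 side; a relay forwarding towards native IPv6 needs the mirror-image rule, which is why both sides of the relay need peering.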