[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 6to4 deployement issues - was 6to4 security questions
RFC 3056 forbids announcing prefixes longer than 2002::/16,
and instructs ISPs to filter them, to avoid polluting the
IPv6 DFZ with IPv4 specifics.
Brian
Jeroen Massar wrote:
>
> Pekka Savola [mailto:pekkas@netcore.fi] wrote:
>
> > On Fri, 22 Nov 2002, Brian E Carpenter wrote:
> > > > On Thu, 21 Nov 2002, Jeroen Massar wrote:
> > > > > > please think that to the end, it will not work without
> > > > > > re-specification _globally_.
> > > > > > We don't want to restrict 6to4 to ISPs' walled gardens.
> > > > >
> > > > > One ISP can have a trust relation with another ISP and announce
> > > > > the anycast prefix only to that other ISP so it can
> > make use of it too.
> > > > > Source address verification should then ofcourse be
> > extended by the
> > > > > other ISP's. This could be seen as a 'transit' type
> > service, but then
> > > > > between the v4 and v6 world ;)
> > > >
> > > > How will you send traffic from 2001:dead:beef::1 to
> > 2002:0103:0405::1, if
> > > > 2001:dead:beef::/48 is not within the trust boundary?
> > >
> > > Wrong question. The question is, does *any* 2002::/16 announcement
> > > reach dead:beef's ISP? If yes, whichever relay is the origin of
> > > that announcement will relay the traffic. The 2nd question
> > is whether
> > > that particular relay is trusted by 0103:0405's 6to4 router.
> >
> > Exactly. In Jeroen's model, I believe, the particular relay would
> > particully never be trusted.
>
> That is exactly what I mean.
>
> >
> > Any such model model is broken.
>
> Eek :)
>
> > 6to4 routers do not have any ways of knowing where traffic
> > will be coming
> > from, so discarding packets because they didn't come from your two
> > favourite relays is *wrong*.
>
> Thats indeed true, fortunatly in the setup depicted below one
> knows where packets should be coming from.
>
> > Propagating more specific routes etc. avoids this problem as
> > you have only one "home" relay.
>
> Which where my thoughts exactly.
> Indeed the origin 6to4 relay's ISP will announce the prefixes it
> is willing to relay for, so the others can now where this relay
> is located and send all the return traffic directly there.
> That 6to4 relay can then send the traffic directly to the 6to4 node.
>
> One thing is that "local" traffic will go over that same relay too
> even if it's in the same subnet. Maybe a check for "local subnet"
> could be devised to overcome this problem.
>
> Eg, box-A = 10.1.2.3/24, box-B = 10.1.2.4/24, these are directly
> connected
> and should send the 6to4 packets directly too each other.
> But when box-C has 192.168.1.2 this should go over the relay.
> Basically it comes down to:
>
> 10.100.2.5/24
> [6to4 node A] <---+
> | 10.100.1.1
> +-----> [6to4 relay] <------> [IPv6 Internet]
> 10.100.2.6/24 |
> [6to4 node B] <---+
>
> The relay announces 2002:0A64::/32 (10.100.0.0/16)
> - Any node on the internet knows how to reach it.
> - It only serves 10.100.0.0/16.
> - "6to4 Transit" goes over native (or configured tunnels) IPv6.
> - "Spoofing" is limited to the ISP, or the prefixes the 6to4 relay
> trusts.
> - 6to4 Anycast route is only available inside the ISP, or the ISPs it
> trusts.
> - Local traffic (6to4 node A <-> 6to4 node B) travels locally only.
> This should save some traffic on the relay though it is not 100%
> required.
>
> Ofcourse 10.x.x.x addresses can be replaced by real IP's, these are
> examples.
>
> One could also see this approach as aggregating 6to4 traffic.
> Eg I imagine a 6to4 relay one hop more to the right of the above picture
> which carries for instance 10.0.0.0/8 which it announces to the
> internet.
>
> Hope this clears it up a bit :)
>
> Greets,
> Jeroen