Re: 6to4 deployment issues - was 6to4 security questions
On Thu, 21 Nov 2002, Alain Durand wrote:
> >>RFC 3056 forbids announcing prefixes longer than 2002::/16,
> >>and instructs ISPs to filter them, to avoid polluting the
> >>IPv6 DFZ with IPv4 specifics.
> >>
> >>
> >
> >Yes.
> >
> >.. which is why I proposed a model where 6to4 relays are interconnected
> >using eBGP multihop peerings, and IPv6 DFZ would be safe, and everyone
> >would be happy :-).
> >
>
> How does this help a 6to4 router to check if the packet is coming from
> a legitimate 6to4 relay?

Read the draft.

Under this assumption, (most) packets from native internet are only
tunneled from your home relay -- some IP address you've configured, some
security association you've done etc.

This assumes enough relays take part in this more-specifics mesh, and
outright discarding packets could not be done in the startup phase.

--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
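
The decapsulation check discussed in this message, sketched as an added example (not part of the original message or of the draft it refers to). The function names, the `enforce` switch standing in for the startup phase, and the rule that a 2002::/16 source must embed the outer IPv4 source are assumptions of this sketch; the security association mentioned above is not modeled, and all addresses are constructed documentation values.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

def embedded_v4(addr6):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address."""
    return ipaddress.IPv4Address((int(addr6) >> 80) & 0xFFFFFFFF)

def check_decap(outer_src, inner_src, home_relay, enforce=True):
    """Decide what a 6to4 router does with a received protocol-41 packet.

    outer_src  -- IPv4 source of the tunnel packet
    inner_src  -- IPv6 source of the encapsulated packet
    home_relay -- the one relay IPv4 address configured on this router
    enforce    -- False models the startup phase, where packets that fail
                  the relay check are only logged, not discarded
    Returns (verdict, reason) with verdict in {"accept", "drop", "log"}.
    """
    outer = ipaddress.IPv4Address(outer_src)
    inner = ipaddress.IPv6Address(inner_src)
    relay = ipaddress.IPv4Address(home_relay)

    if inner in SIX_TO_FOUR:
        # Traffic from another 6to4 site: the outer source must be the
        # address embedded in the inner source (assumption of this sketch).
        if embedded_v4(inner) == outer:
            return ("accept", "6to4 source matches outer IPv4 source")
        return ("drop", "6to4 source does not match outer IPv4 source")

    # Traffic from the native IPv6 internet: under the model in the
    # message it should only arrive tunneled from the home relay.
    if outer == relay:
        return ("accept", "native source tunneled by home relay")
    verdict = "drop" if enforce else "log"
    return (verdict, "native source tunneled by unknown relay")

if __name__ == "__main__":
    # Constructed sample packets: (outer IPv4 source, inner IPv6 source)
    samples = [
        ("192.0.2.4", "2002:c000:204::1"),    # 6to4 site, consistent
        ("203.0.113.9", "2002:c000:204::1"),  # 6to4 source, wrong outer
        ("198.51.100.1", "2001:db8::1"),      # native via home relay
        ("203.0.113.9", "2001:db8::1"),       # native via unknown relay
    ]
    for outer, inner in samples:
        print(outer, inner, check_decap(outer, inner, "198.51.100.1"))
```
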