
Re: 6to4 deployment issues - was 6to4 security questions



On Thu, 21 Nov 2002, Alain Durand wrote:
> >>RFC 3056 forbids announcing prefixes longer than 2002::/16, 
> >>and instructs ISPs to filter them, to avoid polluting the 
> >>IPv6 DFZ with IPv4 specifics.
> >>    
> >>
> >
> >Yes.
> >
> >.. which is why I proposed a model where 6to4 relays are interconnected
> >using eBGP multihop peerings, and IPv6 DFZ would be safe, and everyone
> >would be happy :-).
> >
>
> How does this help a 6to4 router to check if the packet is coming from
> a legitimate 6to4 relay?

Read the draft.

Under this assumption, (most) packets from native internet are only 
tunneled from your home relay -- some IP address you've configured, some 
security association you've done etc.

This assumes enough relays take part in this more-specifics mesh, and
outright discarding packets could not be done in the startup phase.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
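
The decapsulation check implied by the reply above, as an added example that is not from the post or the draft it refers to: a 6to4 router accepts protocol-41 packets carrying a native (non-2002::/16) inner source only from a configured home relay, and only logs violations during the startup phase. The function names, the `enforce` flag, and the extra consistency check for 2002::/16 inner sources are assumptions of this sketch; all addresses are constructed documentation values.

```python
import ipaddress

# Constructed sample configuration: the home relay(s) this router trusts.
HOME_RELAYS = {ipaddress.IPv4Address("192.0.2.1")}


def check_decap(outer_src4, inner_src6, home_relays=HOME_RELAYS, enforce=False):
    """Decide what to do with a received protocol-41 (IPv6-in-IPv4) packet.

    outer_src4 -- IPv4 source address of the tunnel packet
    inner_src6 -- IPv6 source address of the encapsulated packet
    enforce    -- False during the startup phase (log only), True once
                  enough relays take part and violations can be dropped
    Returns (verdict, reason), verdict being "accept", "log" or "drop".
    """
    outer = ipaddress.IPv4Address(outer_src4)
    inner = ipaddress.IPv6Address(inner_src6)

    # .sixtofour is the IPv4 address embedded in 2002:V4ADDR::/48, else None.
    embedded = inner.sixtofour
    if embedded is not None:
        # Traffic from another 6to4 site: the tunnel endpoint must be the
        # address embedded in the inner source (assumption of this sketch,
        # not something the message states).
        ok = embedded == outer
        reason = "6to4 source, outer/embedded IPv4 " + ("match" if ok else "mismatch")
    else:
        # Traffic from the native IPv6 internet: only the configured home
        # relay is expected to tunnel it to us.
        ok = outer in home_relays
        reason = "native source " + ("via home relay" if ok else "via unknown relay")

    if ok:
        return "accept", reason
    return ("drop" if enforce else "log"), reason


if __name__ == "__main__":
    samples = [  # constructed (outer IPv4 source, inner IPv6 source) pairs
        ("192.0.2.1", "2001:db8::1"),
        ("198.51.100.7", "2001:db8::1"),
        ("198.51.100.7", "2002:c633:6407::1"),
        ("203.0.113.9", "2002:c633:6407::1"),
    ]
    for outer, inner in samples:
        print(outer, inner, check_decap(outer, inner, enforce=False))
```
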