
Re: 6to4 security questions



 In your previous mail you wrote:

   > => this is a heavy solution (6to4 is supposed to be automatic and
   > not require BGP4+ skills) 
   
   This author of 6to4 *never* said that.
   
=> I know but many 6to4 supporters said exactly that.

   > which secures only one way.
   
   Indeed. You need BGP peering on both sides of the relay.
   
=> I'd like to know how?

   > The security issue is a rogue 6to4 relay which uses 6to4 boxes behind
   > 6to4 routers to reflect traffic to poor IPv6 nodes. 
   
   Exactly. So the 6to4 routers should only accept packets from
   BGP peers. It may be heavyweight, but it is not mysterious.
   
=> how can you achieve this:
  - a random native IPv6 source with a packet for a 6to4 node knows
   the 6to4 relay associated to the 6to4 destination. The obvious
   way to do this is to inject a part of the IPv4 routing into
   the 2002:: prefix, i.e., something we must not do.
  - same but between 6to4 relays (i.e., the pollution is constrained
   to the 6to4 relay set). It should work but it will become very
   hard to find ISPs that agree to run a 6to4 relay.
IMHO this relay problem makes 6to4 usable only to transit (?)
an IPv4 internet to IPv6 (all IPv6 islands will be 6to4, no need for relays)
(cf a comment from a Sun guy doing exactly this for the internal Sun internet)

Regards

Francis.Dupont@enst-bretagne.fr
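As an added illustration (not code from this thread, and not from any 6to4 implementation), the Python below sketches the acceptance check a 6to4 router could apply before decapsulating protocol-41 traffic, following the two rules the exchange above turns on: a packet whose inner IPv6 source is in 2002::/16 is accepted only if the IPv4 address embedded in that source equals the outer IPv4 source, and a packet with a native (non-2002::) IPv6 source is accepted only if the outer IPv4 source is a relay on an allowlist, which stands in for the "accept only from BGP peers" restriction. The relay allowlist, the packet builder, the function names and all addresses (documentation ranges) are assumptions for the example.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41                                   # IPv6-in-IPv4 encapsulation
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix

# Constructed allowlist: the 6to4 relays this router actually peers with
# (hypothetical documentation address; a real router would derive this
# from its BGP peering configuration).
TRUSTED_RELAYS = {ipaddress.IPv4Address("192.0.2.1")}


def parse_ipv4(pkt):
    """Parse a minimal IPv4 header; return (src, dst, proto, payload)."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 packet")
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header")
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, pkt[ihl:]


def parse_ipv6(pkt):
    """Parse a fixed IPv6 header; return (src, dst)."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 packet")
    vtcfl, _plen, _nh, _hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if vtcfl >> 28 != 6:
        raise ValueError("bad IPv6 version")
    return ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)


def embedded_v4(addr6):
    """Return the IPv4 address embedded in a 2002:V4ADDR::/48 address."""
    return ipaddress.IPv4Address(addr6.packed[2:6])


def accept_6to4(pkt, my_v4, trusted_relays=TRUSTED_RELAYS):
    """Decide whether a 6to4 router with IPv4 address my_v4 should
    decapsulate pkt. Returns (accepted, reason)."""
    my_v4 = ipaddress.IPv4Address(my_v4)
    outer_src, outer_dst, proto, inner = parse_ipv4(pkt)
    if proto != IPPROTO_IPV6:
        return False, "not protocol 41"
    if outer_dst != my_v4:
        return False, "not addressed to this router"
    inner_src, inner_dst = parse_ipv6(inner)
    # The inner destination must lie in our own 2002:V4ADDR::/48.
    if inner_dst not in SIXTO4_PREFIX or embedded_v4(inner_dst) != my_v4:
        return False, "inner destination is not in our 2002:: /48"
    if inner_src in SIXTO4_PREFIX:
        # 6to4 site to 6to4 site: the outer IPv4 source must be the address
        # embedded in the inner source, otherwise it is a spoofed/reflected packet.
        if embedded_v4(inner_src) != outer_src:
            return False, "inner 2002:: source does not match outer IPv4 source"
        return True, "direct 6to4 router to 6to4 router"
    # Native IPv6 source: only a relay we peer with may hand it to us.
    if outer_src in trusted_relays:
        return True, "native IPv6 via trusted relay"
    return False, "native IPv6 source from an unknown relay"


def build_6to4_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Construct an IPv6-in-IPv4 packet (next header 59 = no payload) for testing."""
    inner = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                        ipaddress.IPv6Address(inner_src).packed,
                        ipaddress.IPv6Address(inner_dst).packed)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


if __name__ == "__main__":
    me = "198.51.100.7"                 # constructed: our IPv4 -> 2002:c633:6407::/48
    cases = [
        ("203.0.113.5", "2002:cb00:7105::1"),    # honest 6to4 peer
        ("203.0.113.99", "2002:cb00:7105::1"),   # spoofed 2002:: source
        ("192.0.2.1", "2001:db8::1"),            # native IPv6 via trusted relay
        ("192.0.2.2", "2001:db8::1"),            # native IPv6 via rogue relay
    ]
    for outer_src, inner_src in cases:
        pkt = build_6to4_packet(outer_src, me, inner_src, "2002:c633:6407::1")
        print(outer_src, inner_src, accept_6to4(pkt, me))
```

The check on a native source is where the difficulty raised in the thread shows up: the router can only enforce it if it knows which relays are legitimate, which is exactly the peering information that is hard to distribute without injecting relay routes into 2002::/16.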