
Re: 6to4 usage scenarios



On Thu, 21 Nov 2002, Alain Durand wrote:
> >I think section 6.3.2 of my draft discusses (very roughly) one approach at
> >the problem.   
> >
>    This could be done by forming eBGP
>    [BGP] multi-hop peerings between Relays, and advertising more
>    specific routes (e.g. the same superblocks of IPv4 addresses one
>    expects to service) to all the other Routers.
> 
> This is where I doubt it works. As you pointed out in your draft,
> it requires (strong) cooperation among all the relays, but worse,
> it requires complete coverage of the IPv4 space.

Yeah, this is a problem.  But you can approach this many ways, my view is:

 1) identify the current status, document the threats
 2) make up a way to lessen these threats (they cannot completely go away)
 3) if people are worried about the spoofing problem, _expect them to 
contact their home relay, and make it to advertise their prefix_.  If the 
person doesn't care.. can't help anyway.

But there are some ways to help here a bit:
 - it is desirable to have strong co-operation, but it's not _necessary_, 
only if you want a higher level of security (the rest just work as before)
 - ISPs providing 6to4 relay as a real service are more likely to have a 
stricter list of prefixes the ISP serves -- and configuring static routes 
is easier
 - some more specifics can even be automatically generated e.g. from 
RADB/RIPE route databases
 - we could develop a very simple protocol/process (could be just a 
triggering packet or whatnot) to make the home relay start automatically 
advertising a prefix

> And again, how will the 6to4 router know the valid IPv4 address
> of the relay it is associated with (if the router has used the well 
> known anycast addr to discover the relay)?

1) the relay may use 192.88.99.1 as the source address (our relay does 
that)
2) if not, a simple ping to that address or manual equivalent should 
reveal this

As you note, there are quite a few problems to be ironed out, but it just 
_might_ work.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
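
Added illustration, not part of the original message: one way the "more specifics generated from RADB/RIPE route databases" idea could look for a relay operator. The RPSL sample is constructed (documentation prefixes, private-use AS numbers) and the function names are hypothetical; the mapping of an IPv4 prefix a.b.c.d/n to 2002:aabb:ccdd::/(16+n) follows the 6to4 address format.

```python
import ipaddress

# Constructed RPSL route objects in the style of RADB/RIPE whois output
# (documentation prefixes and private-use AS numbers, not real registry data).
SAMPLE_RPSL = """\
route:      192.0.2.0/24
descr:      constructed example
origin:     AS64500

route:      198.51.100.0/25
origin:     AS64500

route:      198.51.100.128/25
origin:     AS64500

route:      203.0.113.0/24
origin:     AS64501
"""

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def parse_routes(rpsl_text, origin_as):
    """Return IPv4 networks from route objects whose origin matches origin_as."""
    nets = []
    for obj in rpsl_text.strip().split("\n\n"):
        attrs = {}
        for line in obj.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip().lower(), value.strip())
        if "route" in attrs and attrs.get("origin", "").upper() == origin_as.upper():
            nets.append(ipaddress.IPv4Network(attrs["route"], strict=True))
    return nets


def to_6to4(v4net):
    """Map a.b.c.d/n to 2002:aabb:ccdd::/(16+n): the IPv4 bits follow 2002::/16."""
    base = int(SIX_TO_FOUR.network_address) | (int(v4net.network_address) << 80)
    return ipaddress.IPv6Network((base, 16 + v4net.prefixlen))


def relay_more_specifics(rpsl_text, origin_as):
    """Aggregate the ISP's IPv4 routes and return the 6to4 more-specifics."""
    merged = ipaddress.collapse_addresses(parse_routes(rpsl_text, origin_as))
    return [to_6to4(n) for n in merged]
```

The two /25 routes collapse to one /24 before mapping, so the relay would advertise two /40 more-specifics of 2002::/16 for AS64500 rather than three prefixes.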