Re: 6to4 usage scenarios
On Thu, 21 Nov 2002, Alain Durand wrote:
> >I think section 6.3.2 of my draft discusses (very roughly) one approach at
> >the problem.
> >
> This could be done by forming eBGP
> [BGP] multi-hop peerings between Relays, and advertising more
> specific routes (e.g. the same superblocks of IPv4 addresses one
> expects to service) to all the other Routers.
>
> This is where I doubt it works. As you pointed out in your draft,
> it requires (strong) cooperation among all the relays, but worse,
> it requires complete coverage of the IPv4 space.
Yeah, this is a problem. But you can approach this many ways, my view is:
1) identify the current status, document the threats
2) make up a way to lessen these threats (they cannot completely go away)
3) if people are worried about the spoofing problem, _expect them to
contact their home relay, and make it advertise their prefix_. If the
person doesn't care.. can't help anyway.
But there are some ways to help here a bit:
- it is desirable to have strong co-operation, but it's not _necessary_,
only if you want a higher level of security (the rest just work as before)
- ISPs providing 6to4 relay as a real service are more likely to have a
stricter list of prefixes the ISP serves -- and configuring static routes
is easier
- some more specifics can even be automatically generated e.g. from
RADB/RIPE route databases
- we could develop a very simple protocol/process (could be just a
triggering packet or whatnot) to make the home relay start automatically
advertising a prefix
> And again, how will the 6to4 router know the valid IPv4 address
> of the relay it is associated with (if the router has used the well
> known anycast addr to discover the relay)?
1) the relay may use 192.88.99.1 as the source address (our relay does
that)
2) if not, a simple ping to that address or manual equivalent should
reveal this
As you note, there are quite a few problems to be ironed out, but it just
_might_ work.
--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
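
The idea in the message above of generating more specifics from RADB/RIPE route databases, as an added example that is not part of the original message or of any relay implementation. It assumes the registry data is available as RPSL `route:`/`origin:` objects and uses the RFC 3056 mapping of an IPv4 prefix of length n to `2002:V4ADDR::/(16+n)`; the function names, sample objects and AS numbers are constructed for illustration.

```python
import ipaddress

# Constructed sample of RPSL route objects (documentation prefixes and ASNs).
SAMPLE_RPSL = """\
route:   192.0.2.0/24
descr:   constructed example
origin:  AS64496

route:   198.51.100.0/24
origin:  as64496   # lower case on purpose

route:   203.0.113.0/24
origin:  AS64511

route:   192.0.2.300/24
origin:  AS64496
"""

def parse_route_objects(text):
    """Yield (prefix, origin) string pairs, one per blank-line separated object."""
    for block in text.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip().lower(), value.split("#")[0].strip())
        if "route" in attrs and "origin" in attrs:
            yield attrs["route"], attrs["origin"].upper()

def to_6to4(v4_prefix):
    """Map an IPv4 prefix of length n to 2002:V4ADDR::/(16+n) (RFC 3056)."""
    v4 = ipaddress.IPv4Network(v4_prefix, strict=True)
    base = (0x2002 << 112) | (int(v4.network_address) << 80)
    return ipaddress.IPv6Network((base, 16 + v4.prefixlen))

def relay_more_specifics(text, origin_as):
    """6to4 more specifics for the IPv4 routes registered with origin_as."""
    nets = set()
    for prefix, origin in parse_route_objects(text):
        if origin != origin_as.upper():
            continue
        try:
            nets.add(to_6to4(prefix))
        except ValueError:
            continue  # malformed prefix or host bits set: do not advertise it
    return sorted(ipaddress.collapse_addresses(nets))
```

Only routes registered to the relay operator's own origin AS are converted, and a malformed registry entry is skipped rather than turned into an advertisement.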