
Re: 6to4 security questions



> There are in my opinion 4 ways forward:
> 
> 1- Revisit 6to4 architecture to have bi-directional communication
>     between the 6to4 router and the 6to4 relay. That way the decapsulating
>     6to4 router could apply some checks and make sure packets are coming
>     from a legitimate 6to4 relay.

But doesn't such a revisit result in the prefix needing to be
associated with the tunnel endpoint in order for routing to scale,
i.e. this becomes just a variant of the tunnel broker?
(Not that this would necessarily be bad, I think the tunnel broker
is a much overlooked piece of work.)

But if #1 and #4 are essentially the same choice we only have 3 real
choices.

  Erik
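The checks that point #1 above alludes to can be illustrated with the 6to4 address format itself. The following is an added example, not code from this thread or from any 6to4 implementation: it derives the 2002:WWXX:YYZZ::/48 prefix from an IPv4 address, recovers the embedded IPv4 address, and applies the consistency checks a decapsulating 6to4 router can perform on a received protocol-41 packet. The addresses used are constructed documentation addresses, and the function names are this example's own.

```python
import ipaddress

# 6to4 (RFC 3056) addresses live under 2002::/16 and embed the site's public
# IPv4 address in bits 16..47: 2002:WWXX:YYZZ::/48 for IPv4 WW.XX.YY.ZZ.
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def sixto4_prefix_for(v4):
    """Return the 2002:WWXX:YYZZ::/48 prefix derived from an IPv4 address."""
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_v4(v6):
    """Extract the IPv4 address embedded in a 6to4 address, or None if the
    address is not a 6to4 address at all."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def check_ingress(my_v4, outer_src, inner_src, inner_dst):
    """Sanity checks a decapsulating 6to4 router can apply to a received
    protocol-41 packet (hypothetical helper, modelled on the checks the
    thread discusses).  my_v4 is the router's own public IPv4 address,
    outer_src the IPv4 source of the encapsulating header, inner_src and
    inner_dst the IPv6 addresses inside.  Returns (accept, reason)."""
    outer_src = ipaddress.IPv4Address(outer_src)
    inner_src = ipaddress.IPv6Address(inner_src)
    inner_dst = ipaddress.IPv6Address(inner_dst)

    # The inner destination must fall inside our own 2002::/48; anything
    # else is a packet someone is trying to make us forward on their behalf.
    if inner_dst not in sixto4_prefix_for(my_v4):
        return False, "inner dst not in our 6to4 prefix"

    if inner_src in SIXTO4:
        # From another 6to4 site: the outer IPv4 source must equal the
        # address embedded in the inner IPv6 source, so spoofing either
        # header on its own is caught.
        if embedded_v4(inner_src) != outer_src:
            return False, "outer IPv4 src does not match embedded address"
        return True, "direct 6to4 peer, addresses consistent"

    # Native IPv6 source: the packet must have come through a relay and the
    # outer IPv4 source is whatever that relay used.  Nothing in the packet
    # ties the two together, so the router cannot distinguish a legitimate
    # relay from anyone impersonating one.  That is the gap point #1 targets.
    return True, "via relay, relay not verifiable"


if __name__ == "__main__":
    print(check_ingress("198.51.100.7", "192.0.2.1",
                        "2002:c000:201::1", "2002:c633:6407::1"))
    print(check_ingress("198.51.100.7", "192.88.99.1",
                        "2001:db8::1", "2002:c633:6407::1"))
```

The embedded-address comparison only works for the direct 6to4-to-6to4 case; for traffic arriving from a relay the router is left accepting an unverifiable outer source, which is exactly why the thread is weighing changes to the relay side of the architecture.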