Erik Nordmark wrote:
There are in my opinion 4 ways forward:
1- Revisit 6to4 architecture to have bi-directional communication
between the 6to4 router and the 6to4 relay. That way the decapsulating
6to4 router could apply some checks and make sure packets are coming
from a legitimate 6to4 relay.

But doesn't such a revisit result in the prefix needing to be
associated with the tunnel endpoint in order for routing to scale,
i.e. this becomes just a variant of the tunnel broker?
(Not that this would necessarily be bad, I think the tunnel broker is a much overlooked piece of work.)
I take this as a compliment! :-)
Yes. The question is now to understand if we can live with this threat or not,

But if #1 and #4 are essentially the same choice we only have 3 real choices.