
6to4 and Teredo vs Tunnel broker (was Re: 6to4 security questions)

Erik Nordmark wrote:

> > There are in my opinion 4 ways forward:
> >
> > 1- Revisit 6to4 architecture to have bi-directional communication
> > between the 6to4 router and the 6to4 relay. That way the decapsulating
> > 6to4 router could apply some checks and make sure packets are coming
> > from a legitimate 6to4 relay.
>
> But doesn't such a revisit result in the prefix needing to be
> associated with the tunnel endpoint in order for routing to scale,
> i.e. this becomes just a variant of the tunnel broker?
>
> (Not that this would necessarily be bad, I think the tunnel broker is a much overlooked piece of work.)

I take this as a compliment! :-)

> But if #1 and #4 are essentially the same choice we only have 3 real
> choices.

Yes. The question is now to understand if we can live with this threat or not,
or in other words, does full automatic connection to IPv6 networks
from anywhere in IPv4 land outweigh the security threat of what
is the logical equivalent of open relays.

The same question applies for NAT traversal solutions like Teredo.

The alternative is deploying virtual ISPs through tunnel brokers that also accept
IPv6 over UDP (or TCP, or PPP) over IPv4, at the cost of giving up
full automation and creating suboptimal topologies.

I think this is a fundamental question for the 'unmanaged environment'.

- Alain.
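Editor's added illustration (not part of Alain's message, and not code from any 6to4 implementation): the consistency checks a decapsulating 6to4 router can apply to an incoming IPv6-in-IPv4 packet, and the one case where no check is possible. Site-to-site traffic carries a 2002:V4ADDR::/48 source (RFC 3056) that must embed the outer IPv4 source, so spoofing is detectable; traffic from native IPv6 arrives via a relay (anycast 192.88.99.1, RFC 3068) and nothing in the packet proves which relay, which is the "open relay" gap the thread is about. The checks match those later collected in RFC 3964. All addresses are constructed from documentation ranges, and the function names and the `trusted_relays` policy are assumptions of the example.

```python
import ipaddress
import struct

SIXTO4 = ipaddress.IPv6Network("2002::/16")          # RFC 3056 prefix
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068 relay anycast
IPPROTO_IPV6 = 41                                     # IPv6 carried in IPv4

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def embedded_v4(addr6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Bits 16..47 of a 2002::/16 address are the site's public IPv4 address."""
    return ipaddress.IPv4Address(addr6.packed[2:6])


def plausible_public(v4: ipaddress.IPv4Address) -> bool:
    """Reject addresses that can never be a legitimate 6to4 site address.
    (Documentation ranges such as 192.0.2.0/24 are allowed so the samples below pass.)"""
    if v4.is_loopback or v4.is_multicast or v4.is_link_local or v4.is_unspecified:
        return False
    return not any(v4 in net for net in RFC1918)


def build_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b"") -> bytes:
    """Constructed IPv4(proto 41) + IPv6 headers; checksums left zero (not needed here)."""
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)  # ver, payload len, nh=59 (none), hlim
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed + payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address(outer_src).packed, ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


def check_decap(raw: bytes, site_v4: str, trusted_relays=()):
    """Classify an IPv4 packet arriving at a 6to4 router: ('drop'|'accept'|'unverified', reason)."""
    site_v4 = ipaddress.IPv4Address(site_v4)
    trusted = {ipaddress.IPv4Address(r) for r in trusted_relays}
    if len(raw) < 20:
        return "drop", "truncated outer header"
    vihl, _, _, _, _, _, proto, _, osrc, odst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl >> 4 != 4 or proto != IPPROTO_IPV6:
        return "drop", "not IPv6-in-IPv4"
    osrc, odst = ipaddress.IPv4Address(osrc), ipaddress.IPv4Address(odst)
    if odst != site_v4:
        return "drop", "outer destination is not this router"
    inner = raw[(vihl & 0x0F) * 4:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop", "no IPv6 header inside"
    isrc = ipaddress.IPv6Address(inner[8:24])
    idst = ipaddress.IPv6Address(inner[24:40])
    # The inner destination must be inside our own 2002:<site_v4>::/48, otherwise
    # someone is trying to use this router as a relay for a third party.
    if idst not in SIXTO4 or embedded_v4(idst) != site_v4:
        return "drop", "inner destination is not our 6to4 prefix (relay misuse)"
    if isrc in SIXTO4:
        # Site-to-site: the 6to4 source address names the encapsulator, so it can be checked.
        if embedded_v4(isrc) != osrc:
            return "drop", "inner 2002:: source does not embed outer IPv4 source"
        if not plausible_public(osrc):
            return "drop", "embedded IPv4 address cannot be a public 6to4 site"
        return "accept", "6to4 source consistent with encapsulator"
    # Native IPv6 source: it must have come through a relay, and the packet carries
    # no proof of which one. Only an out-of-band trusted list can close this gap.
    if osrc in trusted:
        return "accept", "relay is on the configured list"
    return "unverified", "native source via unverifiable relay"


if __name__ == "__main__":
    ours = "192.0.2.10"  # our prefix is 2002:c000:20a::/48
    for pkt in (build_packet("198.51.100.7", ours, "2002:c633:6407::1", "2002:c000:20a::1"),
                build_packet("203.0.113.9", ours, "2002:c633:6407::1", "2002:c000:20a::1"),
                build_packet(str(RELAY_ANYCAST), ours, "2001:db8::1", "2002:c000:20a::1")):
        print(check_decap(pkt, ours))
```

The three sample packets are a consistent site-to-site packet, a spoofed one whose outer source does not match the embedded address, and a relay-delivered packet from a native IPv6 source; only the last one ends up "unverified", which is exactly the case Alain says has to be either lived with or replaced by a tunnel broker that knows its endpoints.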