6to4 and Teredo vs Tunnel broker (was Re: 6to4 security questions)

[Alain Durand <Alain.Durand@Sun.COM>]

Erik Nordmark wrote:

> > There are in my opinion 4 ways forward:
> >
> > 1- Revisit 6to4 architecture to have bi-directional communication
> >    between the 6to4 router and the 6to4 relay. That way the decapsulating
> >    6to4 router could apply some checks and make sure packets are comming
> >    from a legitimate 6to4 relay.
> >    
> But doesn't such a revisit result in the prefix needing to be
> associated with the tunnel endpoint in order for routing to scale
> i.e. this becomes just a variant of the tunnel broker?
>
> (Not that this would necessarily be bad, I think the tunnel broker  
> is a much overlooked piece of work.)
I take this as a compliment! :-)

> But if #1 and #4 are essentially the same choice we only have 3 real
> choices.
Yes. The question is now to understand if we can live with this threat 
or not,
or in other words, does full automatic connection to IPv6 networks
from anywhere in IPv4 land outweight the security threat of what
is the logical equivalent of open relays.

Same question applies for NAT traversial solutions like Teredo.

The alternative is deploying virtual ISPs through tunnel brokers that 
also accept
IPv6 over UDP (or TCP, or PPP) over IPv4, at the cost of giving up
full automation and creating sub optimal topologies.

I think this is a fundamental question for the 'unmanaged environment'.

   - Alain.