
Re: 6to4 security questions



 In your previous mail you wrote:

   >A long time ago Jason said:
   >
   >> At Sun we are using 6to4, as an early transition mechanism, for our 
   >> deployment.  For the past few years we have had a few (read 3) 
   >> engineering sites connected by configured tunnels.  We found deployment 
   >> scalability problems with this approach, so we decided to go with 6to4. 
   >
   >What Jason forgot to mention was that this deployment (inside Sun's firewalls)
   >uses exclusively 6to4 addresses.
   
   	you mean that there's no external connectivity to the 6bone?

=> yes, this is what Jason and other Sun people described at the last IETF.
This is a good usage case for 6to4, with no external security issue at all.

        if Sun's
   	firewall is acting as a 6to4 border router, the box is subject to
   	various attacks (as it will accept 6to4-encapsulated packets from
   	anybody).
   
   >Thus there are no 6to4 relays.
   
   	having a 6to4 relay router is a totally different question from running
   	a 6to4 site.
   
=> and this is a cause of security and non-technical burdens...

Regards

Francis.Dupont@enst-bretagne.fr