[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 6to4 security questions

To: itojun@iijlab.net
Subject: Re: 6to4 security questions
From: Erik Nordmark <Erik.Nordmark@sun.com>
Date: Sun, 19 Jan 2003 23:06:30 +0100 (CET)
Cc: Erik Nordmark <Erik.Nordmark@sun.com>, Jason Goldschmidt <jgoldsch@eng.sun.com>, Tim Chown <tjc@ecs.soton.ac.uk>, v6ops@ops.ietf.org
In-reply-to: "Your message with ID" <20030118000438.C9E894B22@coconut.itojun.org>
Reply-to: Erik Nordmark <Erik.Nordmark@sun.com>

> 	you mean that there's no external connectivity to the 6bone?  if sun's
> 	firewall is acting as a 6to4 border router, the box is subject to
> 	various attacks (as it will accept 6to4-encapsulated packet from
> 	anybody).

Yep.
The Sun boxes you see in the 6bone are external to the firewall.
Those boxes do not use 6to4.

> 	having 6to4 relay router is totally different question from running
> 	a 6to4 site.

Not if all of it is sitting in an isolated network (inside a proxy-based
firewall).

The point is that if you have both native IPv6 address and 6to4 addresses
in a routing realm, then you need relays.
The deployment inside the Sun firewall avoids this by only using 6to4
addresses. Hence it doesn't test the relay aspects of 6to4.

  Erik

References:
- Re: 6to4 security questions
  - From: itojun@iijlab.net

Prev by Date: Re: An alternative to 6to4 and teredo
Next by Date: Re: comment on: draft-ietf-v6ops-unman-scenarios-00.txt
Previous by thread: Re: 6to4 security questions
Next by thread: An alternative to 6to4 and teredo
Index(es):
- Date
- Thread