
Re: Automatic tunnels



>Which type of abuse are you concerned with? We can deploy native-to-6to4
>relays in several modes:
>
> - host specific
>	(host is multi-homed to 6to4, local routing entry to 2002::/16)
> - AS specific
>	(some routers act as relay, export a route to 2002::/16 in IGP)
> - Across multiple AS
>	(export a route to 2002::/16 in BGP)
>
>The first two modes don't seem particularly prone to abuse. Host
>specific relays certainly are not an issue, and the abuse of AS specific
>relays falls in the general category of "abusing peering agreements",
>which is by no means specific to 6to4. I agree that exporting a route
>through BGP is hard to control, as the route can be re-exported by
>peering ASes. But, again, this falls in the category of "peering abuses",
>which can be contained by proper peering contracts.

	we are afraid of our native-to-6to4 device being used as an open relay
	of packets (bullet 3 in the above, of course).  the IPv4 source address
	will be ours, so we will get complaints from random people, because of
	malicious traffic from somewhere to 2002::/16.  running a 6to4 relay
	router is like running an open relay smtp server.

itojun
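
The relay-side admission check that separates a scoped relay from the open one discussed above, as an added example that is not part of the original message or of any 6to4 implementation. The served prefix, the deny list and the function names are assumptions chosen for illustration; all addresses are constructed from documentation ranges.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")

# Assumption: native IPv6 prefixes this relay agrees to serve (constructed).
# An open relay is the case where this list is effectively ::/0.
SERVED_SOURCES = [ipaddress.ip_network("2001:db8::/32")]

# Assumption: IPv4 ranges that must never become the tunnel endpoint.
BAD_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def embedded_v4(dst6):
    """Return the IPv4 address carried in bits 16..47 of a 2002::/16 address."""
    return ipaddress.IPv4Address((int(dst6) >> 80) & 0xFFFFFFFF)


def relay_decision(src, dst):
    """Decide whether a native IPv6 packet may be encapsulated toward 6to4.

    Returns (True, outer_ipv4_destination) or (False, reason).
    The outer IPv4 source would be the relay's own address, which is why
    an unrestricted relay attracts the complaints for traffic it forwards.
    """
    src6 = ipaddress.IPv6Address(src)
    dst6 = ipaddress.IPv6Address(dst)
    if dst6 not in SIXTOFOUR:
        return (False, "destination is not 6to4")
    if not any(src6 in net for net in SERVED_SOURCES):
        return (False, "source outside served prefixes")
    v4 = embedded_v4(dst6)
    if any(v4 in net for net in BAD_V4):
        return (False, "embedded IPv4 is not a usable endpoint")
    return (True, str(v4))


if __name__ == "__main__":
    # Constructed sample packets: (native source, 6to4 destination)
    for pkt in [("2001:db8:1::5", "2002:c633:6407::1"),
                ("2001:db8:ffff::9", "2002:a00:1::1"),
                ("2001:db9::1", "2002:c633:6407::1")]:
        print(pkt, "->", relay_decision(*pkt))
```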