[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 6to4 being replaced by Teredo only? [Re: Tunneling scenarios and mechanisms evaluation]

To: v6ops@ops.ietf.org
Subject: Re: 6to4 being replaced by Teredo only? [Re: Tunneling scenarios and mechanisms evaluation]
From: Rob Austein <sra@isc.org>
Date: Sat, 13 Mar 2004 02:39:45 -0500
In-reply-to: <Pine.LNX.4.44.0403130759510.20089-100000@netcore.fi>
References: <Roam.SIMC.2.0.6.1079132485.7485.nordmark@bebop.france> <Pine.LNX.4.44.0403130759510.20089-100000@netcore.fi>
User-agent: Wanderlust/2.10.1 (Watching The Wheels) Emacs/21.3 Mule/5.0 (SAKAKI)

At Sat, 13 Mar 2004 08:08:51 +0200 (EET), Pekka Savola wrote:
> 
> The chief advantage of 6to4 is its simplicity (a minimal -- but
> insecure -- implementation can be about 5-10 lines of code!), and the
> ability to provide a /48 prefix, instead of being run individually on
> each system.  This could be useful especially in the cases where the 
> (NAT) gateways would implement some form of IPv6 support.  As Teredo 
> cannot support more than one address, it would not be applicable in 
> this scope.

The 6to4 edge routers I've been using for the last two or three years
do this.  I for one would be unhappy to lose this capability.

> The disadvantage is that it's an additional mechanism, and not
> applicable except in the space where NAT is often being used; also,
> the security properties are worse with 6to4 than Teredo (due to its
> simplicity).

With all due respect, the second clause of that sentence is a cheap
shot.  6to4 can be implemented well or poorly and can be used well or
poorly.  Packet filtering works just fine on an edge router if one
bothers to turn it on.  I do not believe that giving 6to4's job to
Terado would really solve any security problems; at best it would
transform them, and in some cases it would probably make them worse by
replacing a simple solution with a more complex one.

> Depending on how strongly people feel about the necessity of this
> optimization and providing an easy means for (NAT) gateway vendors to
> add basic IPv6 support, 6to4 could be retained, or we could try to
> figure out whether Teredo spec needs to be re-evaluated for the case
> when there is no NAT traversal at all.

Terado is excessively complex for the case of a user who wants IPv6
capability from an IPv4-only ISP and has the ability to replace the
NAT box.  Yes, Terado could probably be used in this case instead of
6to4; pigs also fly just fine, given sufficient thrust [RFC1925], but
that doesn't make either of these a good idea.

Please retain 6to4.

Follow-Ups:
- Re: 6to4 being replaced by Teredo only? [Re: Tunneling scenarios and mechanisms evaluation]
  - From: Erik Nordmark <Erik.Nordmark@sun.com>
- Re: 6to4 being replaced by Teredo only? [Re: Tunneling scenarios and mechanisms evaluation]
  - From: Brian E Carpenter <brc@zurich.ibm.com>

References:
- Re: Tunneling scenarios and mechanisms evaluation
  - From: Erik Nordmark <Erik.Nordmark@sun.com>
- 6to4 being replaced by Teredo only? [Re: Tunneling scenarios and mechanisms evaluation]
  - From: Pekka Savola <pekkas@netcore.fi>

Prev by Date: Re: Tunneling scenarios and mechanisms evaluation
Next by Date: Re: Tunneling scenarios and mechanisms evaluation
Previous by thread: 6to4 being replaced by Teredo only? [Re: Tunneling scenarios and mechanisms evaluation]
Next by thread: Re: 6to4 being replaced by Teredo only? [Re: Tunneling scenarios and mechanisms evaluation]
Index(es):
- Date
- Thread