
RE: 6to4 being replaced by Teredo only? [Re: Tunneling scenarios and
> > the security properties are worse with 6to4 than Teredo (due to its
> > simplicity).
> >
> > Pekka Savola
> 
> 	reading the above sentence... it's the most humorous thing
> 	i've read all week. perhaps what Pekka intended to say was
> 	that the security properties of 6to4 are more knowable than
> 	Teredo due to its simplicity.  Most folks believe that if
> 	you can know the properties of some bit of code, it's more
> 	secure than code that is too large/complex to understand well.
> 	Or perhaps Pekka meant something else...

Pekka's point can be summarized as follows: the bubble mechanism of
Teredo performs a 3-way handshake, which effectively mitigates some
potential misuse of the relays for anonymous DoS attacks; there is no
such mechanism in 6to4.

Rob and Bill retort with the general "complexity is bad" argument: it is
much easier to have a bug in 100,000 lines of code than in 100; simpler
code is easier to debug. However, Teredo's code is not all that large,
maybe a few hundred lines, and it can effectively be debugged. After
all, we do have two independent implementations of Teredo that
interoperate without apparent issues.

That being said, I would not want to replace all usage of 6to4 by
Teredo. 6to4 is a natural solution for upgrading the existing home
routers.

-- Christian Huitema