
RE: Teredo and auto-discovery [Re: POLL: Consensus for moving forward with Teredo?]



On Sun, 2 May 2004, Christian Huitema wrote:
> Anycast can be retrofitted trivially in Teredo. The client is configured
> with the domain name or the IP address of a Teredo server; it suffices
> to resolve the domain name to an anycast address, or configure the
> anycast address as address of the server. Teredo servers don't keep
> state per client session, so the service will work even in case of
> anycast re-routing.

What about using anycast only for initial contact to establish the
unicast address of the closest server, similar to the means described in
e.g. draft-ietf-mboned-auto-multicast-02.txt ?

Obviously, this is a rather independent part of the procedure and would
just need to replace whatever "server discovery" function Teredo
has, so plugging it back later on if deemed feasible wouldn't seem
very difficult either.

> However, there is a reason why anycast was removed, and the reason is
> IESG review. Anycast reduces traceability; using anycast addresses as
> source addresses creates a number of security issues, e.g. prevents
> ingress filtering. I believe that there are too many such issues to make
> anycast a "base design".

To be precise, it prevents ingress filtering without an exception list
from the direction of networks deploying Teredo servers which are
advertised outside of their site, correct?  I.e., Teredo servers which
advertise the anycast prefix in inter-domain routing.  One could argue
that servers deployed in such a fashion may not be an actual problem..

I personally don't see much problem with using anycast as source;  
we've certainly always used that for our 6to4 relay, and many others
as well.  But I can see why that makes some people a little bit
nervous.. :)

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
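
The ingress-filtering point discussed in this message, as an added example that is not part of the original post: a small model of per-site source-address filters showing that only sites advertising the anycast prefix need an exception-list entry, and that an anycast source address no longer identifies a single origin site. The site names, the prefixes (documentation ranges) and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed values: documentation prefixes stand in for real allocations.
ANYCAST_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # hypothetical anycast service prefix

# Hypothetical sites: their own prefixes, and whether they host a server
# that advertises the anycast prefix in inter-domain routing.
SITES = {
    "site-a": {"prefixes": ["198.51.100.0/25"], "advertises_anycast": True},
    "site-b": {"prefixes": ["203.0.113.0/24"], "advertises_anycast": False},
    "site-c": {"prefixes": ["198.51.100.128/25"], "advertises_anycast": True},
}


def allowed_sources(site_name, with_exceptions=True):
    """Source prefixes the upstream's ingress filter accepts from this site."""
    site = SITES[site_name]
    allowed = [ipaddress.ip_network(p) for p in site["prefixes"]]
    if with_exceptions and site["advertises_anycast"]:
        allowed.append(ANYCAST_PREFIX)  # the exception-list entry
    return allowed


def ingress_permits(site_name, src, with_exceptions=True):
    """True if a packet with source `src` leaving `site_name` passes the filter."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_sources(site_name, with_exceptions))


def candidate_origins(src):
    """Sites a packet with this source could have come from, given the filters."""
    return sorted(name for name in SITES if ingress_permits(name, src))


if __name__ == "__main__":
    anycast_src, unicast_src = "192.0.2.1", "203.0.113.7"
    for name in SITES:
        print(name,
              "strict:", ingress_permits(name, anycast_src, with_exceptions=False),
              "with exception:", ingress_permits(name, anycast_src))
    print("origins of", anycast_src, "->", candidate_origins(anycast_src))
    print("origins of", unicast_src, "->", candidate_origins(unicast_src))
```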