On Sunday 19 August 2007, you wrote:
> Many university campus networks (and large businesses that have been
> around for some time, etc.) run non-RFC1918 addresses internally.
> They then NAT, proxy or statefully filter traffic through their
> border. If someone has a better name than "campus" for this, then
> I'm all ears - I realise it's not accurate at all.

I have had cases where proto-41 was statelessly firewalled as well (no NAT
though). One was a "campus" network, but I have also met this problem on
some commercial Wi-Fi networks.

> My understanding of Windows (and to some extent some Linuxes and
> BSDs) 6to4 behaviour is that when they detect an interface with a
> non-RFC1918 IPv4 address, they bring up 6to4.

Yes. And they also start sending router advertisements, regardless of any
"administered" IPv6 router on the network.

> While this is fine for networks that don't filter or otherwise mess
> with IP protocol 41, this causes big problems for users behind
> networks that filter or NAT.

Exactly.

(...)

> Has anyone given thought to a 6to4 'qualification' procedure for
> auto-configured 6to4? Such a procedure could be as simple as sending
> an ICMPv6 echo request to 2002:c058:6301:: (192.88.99.1) and bringing
> the interface up if there is an acceptable response.

I have considered this. It does not work. You will see that, ok, proto-41 is
not statelessly firewalled. But that is not sufficient since 6to4 is relayed
asymmetrically between 6to4 nodes and the native IPv6 Internet.

For proper detection, you would need to ping a native IPv6 node, which you
know will reply through an outbound 6to4 relay that encapsulates packets
with a source address different from 192.88.99.1. If that works, there's a
good chance that there is no firewalling at all (or some kind of "cone"
firewalling).

-- 
Rémi Denis-Courmont
http://www.remlab.net/
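The argument in the reply above, as an added simulation that is not part of the original message: it compares the proposed ping to 2002:c058:6301:: with a ping to a native IPv6 node under four border-filter behaviours. Only 192.88.99.1 and 2002:c058:6301:: come from the thread; the filter models, the return relay 203.0.113.9 and the peer 2001:db8::1 are constructed assumptions.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
ANYCAST_RELAY = ipaddress.IPv4Address("192.88.99.1")  # from the message
# Constructed sample values (documentation ranges), not from the message:
RETURN_RELAY = ipaddress.IPv4Address("203.0.113.9")   # relay nearest the native peer
NATIVE_PEER = ipaddress.IPv6Address("2001:db8::1")
# Assumed filter models for inbound proto-41 at the site border:
FIREWALLS = ("none", "cone", "stateful-strict", "stateless-drop")

def sixto4_address(v4):
    """First address of the 2002:V4ADDR::/48 prefix derived from an IPv4 address."""
    return ipaddress.IPv6Address((0x2002 << 112) | (int(v4) << 80))

def embedded_v4(addr6):
    """IPv4 address carried in bits 16..47 of a 6to4 address."""
    return ipaddress.IPv4Address((int(addr6) >> 80) & 0xFFFFFFFF)

def probe(firewall, dst6):
    """True if the echo reply for a probe sent to dst6 gets back in."""
    if dst6 in SIXTOFOUR:
        # 6to4 destination: both directions use the embedded IPv4 address.
        sent_to = reply_from = embedded_v4(dst6)
    else:
        # Native destination: out via the anycast relay, back via whichever
        # relay the peer's routing selects, with that relay's own source.
        sent_to, reply_from = ANYCAST_RELAY, RETURN_RELAY
    if firewall == "stateless-drop":
        return False                      # proto-41 never passes
    if firewall == "stateful-strict":
        return reply_from == sent_to      # only the contacted address may answer
    return True                           # "none", or "cone": any source once we sent

def false_positives():
    """Filters for which the anycast-relay ping passes but native IPv6 is broken."""
    anycast6 = sixto4_address(ANYCAST_RELAY)
    return [fw for fw in FIREWALLS
            if probe(fw, anycast6) and not probe(fw, NATIVE_PEER)]

if __name__ == "__main__":
    print("anycast probe target:", sixto4_address(ANYCAST_RELAY))
    for fw in FIREWALLS:
        print(f"{fw:16} anycast={probe(fw, sixto4_address(ANYCAST_RELAY))} "
              f"native={probe(fw, NATIVE_PEER)}")
    print("false positives:", false_positives())
```

The stateful filter that only admits replies from the contacted IPv4 address is the case where the anycast ping succeeds while traffic to native IPv6 hosts still fails.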