
Re: 6to4 anycast IP as source address / PTR record



On 2008-01-31 19:34, Antonio Querubin wrote:
> On Wed, 30 Jan 2008, Kevin Loch wrote:
> 
>> Kevin Day wrote:
>>>
>>> Quick poll:
>>>
>>> When a 6to4 relay encapsulates v6 traffic and sends it to a 6to4 host
>>> over v4, should the source address be 192.88.99.1 or the relay's v4
>>> unicast address?
>>
>> Stateful firewalls would prefer that the return traffic come from
>> 192.88.99.1 (assuming they properly handle proto 41 traffic).
> 
> The scenario is 6to4 to 6to4.  

I thought that was exactly the scenario Kevin was *not*
asking about. In that case it's obvious that each 6to4 box
will use its own IPv4 address as source (which is why it's
not mentioned in RFC 3056 - because it's obvious).

   Brian

> Both ends would ideally be encapsulating
> traffic directly to the other's IPv4 address.  Relay via 192.88.99.1
> need not be involved.  In that situation you'd probably want the 6to4
> host to use its own IPv4 address as the source if it has to deal with a
> firewall.
> 
> 192.88.99.1 is really required when traffic is between a 6to4 host and a
> native IPv6 host as there's really no other way to reach the latter. 
> The latter will punt to its default gateway and the packets will
> eventually egress from a 6to4 border relay on its way to the 6to4 host.
> 
> So the 'ideal' behaviour of the encapsulator (to deal with firewalls)
> really depends on whether the source address of the IPv6 packet is
> native or a 6to4 address.  A 6to4 host talking to 6to4 can still encap
> to a relay if it wanted to but 1) it's not as efficient, and 2) probably
> more likely to run afoul of firewalls.
> 
> 
> Antonio Querubin
> whois:  AQ7-ARIN
> 
>
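Added example, not part of the original messages and not any participant's code: a small Python model of the outer IPv4 header a 6to4 host picks (direct to a 2002::/16 peer, otherwise to the 192.88.99.1 anycast relay) and of how a strict stateful firewall would treat the return proto 41 packet depending on the relay's source address. The host, peer and relay unicast addresses are constructed documentation-range values, and the exact-mirror firewall match is an assumption.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")      # 6to4 prefix (RFC 3056)
RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")  # anycast relay address

def embedded_v4(addr6):
    """Return the IPv4 address embedded in a 6to4 address, or None if native."""
    a = ipaddress.ip_address(addr6)
    if a not in SIX_TO_FOUR:
        return None
    # 2002:V4ADDR::/48 -> the 32 bits following the 16-bit prefix
    return ipaddress.ip_address((int(a) >> 80) & 0xFFFFFFFF)

def host_outer_header(local_v4, dst6):
    """Outer IPv4 (src, dst) a 6to4 host uses when sending to dst6."""
    peer = embedded_v4(dst6)
    return (ipaddress.ip_address(local_v4), peer if peer else RELAY_ANYCAST)

def return_accepted(state, outer_src, outer_dst):
    """Assumed strict proto 41 state match: reply must mirror an outbound flow."""
    return (ipaddress.ip_address(outer_dst), ipaddress.ip_address(outer_src)) in state

def demo():
    # Constructed sample addresses (documentation ranges).
    host_v4 = "198.51.100.7"            # 6to4 host behind the firewall
    peer6 = "2002:cb00:7109::1"         # 6to4 peer, embeds 203.0.113.9
    native6 = "2001:db8::10"            # native IPv6 host
    relay_unicast = "192.0.2.50"        # relay's own IPv4 address

    state = set()
    to_peer = host_outer_header(host_v4, peer6)
    to_native = host_outer_header(host_v4, native6)
    state.update([to_peer, to_native])  # firewall records outbound flows

    return {
        "to_peer": tuple(map(str, to_peer)),
        "to_native": tuple(map(str, to_native)),
        # 6to4 to 6to4: the peer answers from its own IPv4 address
        "peer_reply": return_accepted(state, "203.0.113.9", host_v4),
        # native to 6to4 via relay: anycast source mirrors the outbound flow
        "relay_anycast_src": return_accepted(state, RELAY_ANYCAST, host_v4),
        # relay sourcing from its unicast address has no matching state
        "relay_unicast_src": return_accepted(state, relay_unicast, host_v4),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```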