
RE: implications of 6to4 for v6coex
Teredo relays should only originate packets to an IPv4 address if the communication was initiated from the IPv6 side. That’s enough to build a stateful address filter in the relay, so it only accepts IPv4 packets if there was prior initiation from the IPv6 side. I don’t know whether commercial implementations of Teredo actually implement this stateful filtering, but if they did that would go a long way towards alleviating the ISP’s fear.
Failing that, it is also possible to run the Teredo relay at an arbitrary port number, or even one that changes periodically.  That, too, would make it very hard for “leeches” to steal the relay service by pointing to the IPv4 address of the relay.
The remaining possibility for the “leeches” would be to set up a static IPv6 route for 2001::/32 towards the relay that they want to target. If ISPs are concerned with that, they can simply black-hole traffic to 2001::/32 at their border router. It will not hurt, since the internal hosts are supposed to use the internal relay.

Having special IPv4 addresses for the relay does not appear particularly beneficial. By definition, the Teredo relay is meant to accept traffic from various remote IPv4 addresses, and thus should be reachable from these addresses.
From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On Behalf Of james woodyatt
Sent: Tuesday, September 16, 2008 2:54 PM
To: IPv6 Operations
Subject: Re: implications of 6to4 for v6coex
On Sep 15, 2008, at 17:44, Christian Huitema wrote:
If the ISP ensures that the advertisements for 2001::/32 are not sent to third parties, then the relays can only be used by that ISP's customers.

The complaint I have heard is that simply not advertising the routes to third parties is not enough to prevent them from using static routes to steal relay service.
This can be mitigated by using ULAs for the IPv6 interface addresses, but the corresponding use of RFC 1918 addresses for the IPv4 interfaces is more perilous, it seems, from an O&M perspective— or so I've gathered.  Perhaps I'm mistaken, and there really are no technical objections to the deployment of relay routers, and the resistance is entirely motivated by perverse incentives that lead to the degradation of the public IPv6 internet as their tragic side-effect.  I'm trying not to be demoralized by that possibility.

Dual-stack IPv6 users can deploy their own Teredo relays. For example, the provider of a big service over IPv6 could deploy a Teredo relay as part of the service, for exclusive use by that service.
Isn't this impossible without filtering the return path to the unicast IPv4 addresses on their Teredo relay so that exterior sites are unable to obtain relay service to other exterior sites by the application of a static route?  I gather that this filtering requirement is the only reason service providers are offering any technical objection to the deployment of 6to4 and Teredo relays.  My idea is to allocate a new special-use block of IPv4 addresses so that such static routes are only possible by explicit, mutual agreement between autonomous systems.
On a related note: should we move this discussion onto the <v4v6interim@ietf.org> list?

--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
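The stateful address filter described at the top of this reply (the relay accepts an inbound IPv4 packet only if the IPv6 side already initiated communication with that Teredo client), as an added illustration that is not from the original message or from any Teredo implementation. The flow table, the idle timeout and the sample server/client addresses are assumptions made for the example; the Teredo address layout follows RFC 4380.

```python
import ipaddress
from dataclasses import dataclass, field

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # Teredo service prefix (RFC 4380)


def parse_teredo(addr: str):
    """Decode a Teredo IPv6 address into (server_ipv4, client_ipv4, client_port).

    RFC 4380 layout: 2001:0000:<server v4>:<flags>:<~port>:<~client v4>, where the
    client's mapped UDP port and mapped IPv4 address are stored bitwise inverted.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = a.packed
    server = ipaddress.IPv4Address(raw[4:8])
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return str(server), str(client), port


@dataclass
class StatefulRelayFilter:
    """Admit IPv4/UDP packets only from Teredo clients the IPv6 side has already contacted.

    idle_timeout (assumed value) bounds how long a flow stays open without return traffic.
    """
    idle_timeout: float = 30.0
    _flows: dict = field(default_factory=dict)  # (client_ip, client_port) -> last seen

    def on_ipv6_to_ipv4(self, dst_ipv6: str, now: float) -> None:
        """The relay forwards an IPv6 packet towards a Teredo client: open (or refresh) state."""
        _, client, port = parse_teredo(dst_ipv6)
        self._flows[(client, port)] = now

    def accept_ipv4(self, src_ip: str, src_port: int, now: float) -> bool:
        """Inbound IPv4 packet from (src_ip, src_port): accept only if matching, unexpired state exists.

        A 'leech' that points at the relay's IPv4 address without prior IPv6-side initiation
        never has an entry here, so its packets are dropped.
        """
        last = self._flows.get((src_ip, src_port))
        if last is None or now - last > self.idle_timeout:
            self._flows.pop((src_ip, src_port), None)  # drop stale state on the way out
            return False
        self._flows[(src_ip, src_port)] = now  # legitimate return traffic keeps the flow alive
        return True
```

Time is passed in explicitly so the expiry logic can be exercised deterministically; a real relay would read a monotonic clock.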