Teredo relays should only originate packets to an IPv4 address
if the communication was initiated from the IPv6 side. That’s enough to
build a stateful address filter in the relay, so it only accepts IPv4 packets
if there was prior initiation from the IPv6 side. I don’t know whether
commercial implementations of Teredo actually implement this stateful
filtering, but if they did that would go a long way towards alleviating the ISP’s
fear. Failing that, it is also possible to run the Teredo relay at an
arbitrary port number, or even one that changes periodically. That, too,
would make it very hard for “leeches” to steal the relay service by
pointing to the IPv4 address of the relay. The remaining possibility for the “leeches” would be
to set up a static IPv6 route for 2001::/32 towards the relay that they want to
target. If ISPs are concerned with that, they can simply black-hole traffic to 2001::/32
at their border router. It will not hurt, since the internal hosts are supposed
to use the internal relay. Having special IPv4 addresses for the relay does not appear
particularly beneficial. By definition, the Teredo relay is meant to accept
traffic from various remote IPv4 addresses, and thus should be reachable from
these addresses.

From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On Behalf Of james woodyatt

On Sep 15, 2008, at 17:44, Christian Huitema wrote:
The complaint I have heard is that simply not advertising
the routes to third parties is not enough to prevent them from using static
routes to steal relay service.

This can be mitigated by using ULAs for the IPv6 interface
addresses, but the corresponding use of RFC 1918 addresses for the IPv4
interfaces is more perilous, it seems, from an O&M perspective, or so
I've gathered. Perhaps I'm mistaken, and there really are no technical
objections to the deployment of relay routers, and the resistance is entirely
motivated by perverse incentives that lead to the degradation of the public
IPv6 internet as their tragic side-effect. I'm trying not to be
demoralized by that possibility.

Isn't this impossible without filtering the return path to
the unicast IPv4 addresses on their Teredo relay so that exterior sites are
unable to obtain relay service to other exterior sites by the application of a
static route? I gather that this filtering requirement is the only reason
service providers are offering any technical objection to the deployment of
6to4 and Teredo relays. My idea is to allocate a new special-use block of
IPv4 addresses so that such static routes are only possible by explicit, mutual
agreement between autonomous systems.

On a related note: should we
move this discussion onto the <v4v6interim@ietf.org>
list?
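The stateful address filter proposed at the top of the thread, as an added illustration that is not code from the thread or from any Teredo implementation: a toy relay that decodes Teredo addresses per RFC 4380, records which Teredo client endpoints the native IPv6 side has initiated towards, and refuses UDP-encapsulated packets from the IPv4 side unless such state exists. The relay class, the choice to key sessions per (client endpoint, native IPv6 host), the inner/outer consistency check, and the sample addresses (drawn from documentation ranges) are assumptions made for this example.

```python
"""Toy stateful Teredo relay filter (added example; not code from the thread).

Teredo address layout per RFC 4380:
  bits   0- 31  prefix 2001:0000::/32
  bits  32- 63  IPv4 address of the Teredo server
  bits  64- 79  flags
  bits  80- 95  client UDP port, XORed with 0xFFFF
  bits  96-127  client public IPv4 address, XORed with 0xFFFFFFFF
The relay policy (accept an IPv4-side packet only after the IPv6 side has
initiated towards that client endpoint) is an assumption modelled on the
thread's proposal; the session key and the spoof check are design choices.
"""
import ipaddress
from dataclasses import dataclass, field

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


def parse_teredo(addr):
    """Decode a Teredo address into (server_ipv4, flags, client_ipv4, client_port)."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{a} is not a Teredo address")
    b = a.packed
    server = ipaddress.IPv4Address(b[4:8])
    flags = int.from_bytes(b[8:10], "big")
    port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))
    return server, flags, client, port


def make_teredo(server, flags, client, port):
    """Encode a Teredo address; inverse of parse_teredo."""
    b = (bytes.fromhex("20010000")
         + ipaddress.IPv4Address(server).packed
         + flags.to_bytes(2, "big")
         + (port ^ 0xFFFF).to_bytes(2, "big")
         + bytes(x ^ 0xFF for x in ipaddress.IPv4Address(client).packed))
    return ipaddress.IPv6Address(b)


@dataclass
class StatefulTeredoRelay:
    """Relay that forwards IPv4->IPv6 only for client endpoints the IPv6 side spoke to first."""
    # (client_ipv4, client_port, native_ipv6) tuples that the IPv6 side has initiated.
    sessions: set = field(default_factory=set)

    def from_ipv6(self, src6, dst6):
        """Native IPv6 packet towards a Teredo client: record the session and
        return the (IPv4, UDP port) endpoint the relay encapsulates to."""
        _, _, client, port = parse_teredo(dst6)
        self.sessions.add((client, port, ipaddress.IPv6Address(src6)))
        return client, port

    def from_ipv4(self, outer_src_ip, outer_src_port, inner_src6, inner_dst6):
        """UDP-encapsulated packet from the IPv4 side: True if it may be forwarded."""
        try:
            _, _, client, port = parse_teredo(inner_src6)
        except ValueError:
            return False
        # RFC 4380 consistency check: the IPv4/port embedded in the inner source
        # must match the outer UDP endpoint, or the sender is using a Teredo
        # address that is not its own.
        if (client, port) != (ipaddress.IPv4Address(outer_src_ip), outer_src_port):
            return False
        # The stateful filter: no prior IPv6-side initiation, no relay service.
        return (client, port, ipaddress.IPv6Address(inner_dst6)) in self.sessions


def demo():
    """Leech scenario: an outside Teredo client tries the relay before and after
    an IPv6-side host initiates. Endpoints are constructed sample values."""
    relay = StatefulTeredoRelay()
    client_ip, client_port = "203.0.113.7", 4096          # hypothetical leech
    client6 = make_teredo("192.0.2.1", 0, client_ip, client_port)
    native6 = "2001:db8::1"                                # hypothetical ISP host
    results = {}
    results["unsolicited"] = relay.from_ipv4(client_ip, client_port, client6, native6)
    relay.from_ipv6(native6, client6)                      # IPv6 side initiates
    results["after_init"] = relay.from_ipv4(client_ip, client_port, client6, native6)
    results["other_native"] = relay.from_ipv4(client_ip, client_port, client6, "2001:db8::2")
    results["spoofed"] = relay.from_ipv4("198.51.100.9", client_port, client6, native6)
    return results


if __name__ == "__main__":
    print(demo())
```

Keying the session on the native IPv6 host as well as the client endpoint is the stricter reading of "prior initiation from the IPv6 side"; a relay that only needs to stop leeches could key on the client endpoint alone and age entries out on a timer, which this toy omits.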