RE: implications of 6to4 for v6coex



On Tue, 16 Sep 2008 15:43:39 -0700, Christian Huitema
<huitema@windows.microsoft.com> wrote:
> Teredo relays should only originate packets to an IPv4 address if the
> communication was initiated from the IPv6 side. That's enough to build a
> stateful address filter in the relay, so it only accepts IPv4 packets if
> there was prior initiation from the IPv6 side. I don't know whether
> commercial implementations of Teredo actually implement this stateful
> filtering, but if they did that would go a long way towards alleviating the
> ISP's fear.

At least those Teredo relay deployments I know of _do_ discard traffic from
IPv4 to IPv6 unless solicited by one native IPv6 node. That's the most
basic protection against blind spoofing Teredo clients.

However, if I understand James right, his concern is with the IPv6 to IPv4
direction, whereby an IPv6 ISP could steal the relaying capacity of another
IPv6 ISP. To address that, one must (simply?) discard packets toward
2001:0::/32 and coming from unauthorized IPv6 nodes (although this will
obviously cause a split Internet).

> Failing that, it is also possible to run the Teredo relay at an arbitrary
> port number, or even one that changes periodically.  That, too, would make
> it very hard for "leeches" to steal the relay service by pointing to the
> IPv4 address of the relay.

It is my understanding that a Teredo relay must serve traffic to/from the
*whole* IPv4 Internet. So I do not get this.

A Teredo relay can restrict which chunk of the native IPv6 Internet it
relays from/to, not which chunk of the IPv4 Internet.

> The remaining possibility for the "leeches" would be to set up a static
> IPv6 route for 2001::/32 towards the relay that they want to target. If ISP
> are concerned with that, they can simply black-hole traffic to 2001::/32 at
> their border router. It will not hurt, since the internal hosts are
> supposed to use the internal relay.

Yes. Or at the relay itself - checking that the non-Teredo IPv6 address
belongs to the ISP.

-- 

Rémi Denis-Courmont
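
The two relay-side checks discussed in this message (accept IPv4-side traffic only when a native IPv6 node initiated it, and relay only for native IPv6 sources that belong to the ISP), as an added example that is not part of the original thread or of any Teredo implementation. `RelayFilter`, `ISP_PREFIX` and `STATE_TTL` are hypothetical names and values; the addresses are constructed from documentation ranges, and the mapped address/port decoding follows the RFC 4380 Teredo address layout.

```python
import ipaddress
import time

TEREDO = ipaddress.ip_network("2001::/32")          # Teredo service prefix
ISP_PREFIX = ipaddress.ip_network("2001:db8::/32")  # assumption: ISP's native IPv6 block
STATE_TTL = 30.0                                    # assumption: idle timeout in seconds

def teredo_mapped(addr):
    """Decode the obfuscated mapped IPv4 address and UDP port of a Teredo address."""
    raw = int(addr)
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    ipv4 = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return ipv4, port

class RelayFilter:  # hypothetical name
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}  # (native peer, Teredo client) -> time of last IPv6-side packet

    def from_ipv6(self, src, dst):
        """IPv6 -> IPv4: relay only for the ISP's own nodes, and record the flow."""
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if dst not in TEREDO or src not in ISP_PREFIX:
            return False
        self.state[(src, dst)] = self.clock()
        return True

    def from_ipv4(self, outer_ip, outer_port, inner_src, inner_dst):
        """IPv4 -> IPv6: accept only traffic solicited from the IPv6 side."""
        client = ipaddress.IPv6Address(inner_src)
        peer = ipaddress.IPv6Address(inner_dst)
        if client not in TEREDO:
            return False
        # The outer UDP source must match the mapping embedded in the Teredo address.
        if teredo_mapped(client) != (ipaddress.IPv4Address(outer_ip), outer_port):
            return False
        seen = self.state.get((peer, client))
        return seen is not None and self.clock() - seen <= STATE_TTL

if __name__ == "__main__":
    relay = RelayFilter()
    client = "2001:0:c000:201:0:63bf:34ff:8efa"  # constructed: maps to 203.0.113.5:40000
    peer = "2001:db8::10"                        # constructed native IPv6 node
    print("unsolicited IPv4 packet:", relay.from_ipv4("203.0.113.5", 40000, client, peer))
    print("foreign IPv6 source:", relay.from_ipv6("2001:db9::1", client))
    print("ISP node initiates:", relay.from_ipv6(peer, client))
    print("reply from client:", relay.from_ipv4("203.0.113.5", 40000, client, peer))
```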