[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: implications of 6to4 for v6coex

To: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: implications of 6to4 for v6coex
From: james woodyatt <jhw@apple.com>
Date: Fri, 19 Sep 2008 17:15:40 -0700
Cc: Christian Huitema <huitema@windows.microsoft.com>
In-reply-to: <8EFB68EAE061884A8517F2A755E8B60A1349FBBD01@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
References: <6C2047ED-8BFF-43B1-A6D4-68FDA93D8013@apple.com> <48CDDB4B.3000506@gmail.com> <CC92994D-2C4B-4ED8-B0A5-4C8709DB0AD9@apple.com> <47074AEB-0A3B-4E53-B19E-A5DDDC61AA6B@daork.net> <87F68CA7-37E4-40A1-85C8-C7D409D5120B@suspicious.org> <8EFB68EAE061884A8517F2A755E8B60A1349FBBD01@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>

On Sep 19, 2008, at 15:18, Christian Huitema wrote:

[Nathan Ward wrote:]
I do not know the history and the reason for the "MUST" in thisparagraph, and I agree with Nathan's statement that this section inthe RFC creates a problem if we implement a strict adherence to theRFC.
The requirement came out of a desire for traceability andtestability, and was pushed during the AD review of the draft.


I surmised correctly what motivated the requirement.

Many experts were concerned that anycast addresses defeat ingressfiltering, and would facilitate various forms of spoofing attacks.Using the "real" address of the gateway as a source address wouldprevent that.

Clearly, ingress filtering of 6to4 packets should be looking at theembedded IPv6 source address, rather than the outer IPv4 sourceaddress, right? A new special-use block could be reserved for makingIPv4-only ingress filtering exceptions apply to transit from 6to4relays.

They were also concerned that with anycast addresses, it would bedifficult to test which gateways are up or down, or that the userwould have no recourse if the quality of service on the anycast pathof the moment was low.

A new special-use block would retain this testing and tracingfunction, though it might be confusing for tracers to be receiving6to4 packets with source addresses that originate at relays indifferent addressing realms. Other protocols, e.g. ICMP, would beguaranteed to come from relays in the local addressing realm.

I'm beginning to see where the complications here spin out. There isclearly something broken about 6to4, and I'm not sure how to fix it.Can it be saved as a standard?



--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

Follow-Ups:
- Re: implications of 6to4 for v6coex
  - From: Nathan Ward <v6ops@daork.net>

References:
- implications of 6to4 for v6coex
  - From: james woodyatt <jhw@apple.com>
- Re: implications of 6to4 for v6coex
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: implications of 6to4 for v6coex
  - From: james woodyatt <jhw@apple.com>
- Re: implications of 6to4 for v6coex
  - From: Nathan Ward <v6ops@daork.net>
- Re: implications of 6to4 for v6coex
  - From: Truman Boyes <truman@suspicious.org>
- RE: implications of 6to4 for v6coex
  - From: Christian Huitema <huitema@windows.microsoft.com>

Prev by Date: RE: implications of 6to4 for v6coex
Next by Date: Re: implications of 6to4 for v6coex
Previous by thread: RE: implications of 6to4 for v6coex
Next by thread: Re: implications of 6to4 for v6coex
Index(es):
- Date
- Thread