[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: implications of 6to4 for v6coex

To: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: implications of 6to4 for v6coex
From: Nathan Ward <v6ops@daork.net>
Date: Sat, 20 Sep 2008 12:44:07 +1200
In-reply-to: <8EFB68EAE061884A8517F2A755E8B60A1349FBBD01@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
References: <6C2047ED-8BFF-43B1-A6D4-68FDA93D8013@apple.com> <48CDDB4B.3000506@gmail.com> <CC92994D-2C4B-4ED8-B0A5-4C8709DB0AD9@apple.com> <47074AEB-0A3B-4E53-B19E-A5DDDC61AA6B@daork.net> <87F68CA7-37E4-40A1-85C8-C7D409D5120B@suspicious.org> <8EFB68EAE061884A8517F2A755E8B60A1349FBBD01@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>

On 20/09/2008, at 10:18 AM, Christian Huitema wrote:

I do not know the history and the reason for the "MUST" in this
paragraph, and I agree with Nathan's statement that this section in
the RFC creates a problem if we implement a strict adherence to the
RFC.
The requirement came out of a desire for traceability andtestability, and was pushed during the AD review of the draft.

See my comments at the end, they are basically the same as what I'dhave written here.

Many experts were concerned that anycast addresses defeat ingressfiltering, and would facilitate various forms of spoofing attacks.Using the "real" address of the gateway as a source address wouldprevent that.

Is the suggestion here that strict uRPF would cause a problem?

A network with strict uRPF on multihoming links will have no doubtrealised that it's broken for many other things, and turned it off.

On the other hand, if we're talking about some kind of statefulfirewalling (IPv4), that doesn't really work with 6to4 anyway. Infact,stateful firewalling and this requirement would make things worse.

They were also concerned that with anycast addresses, it would bedifficult to test which gateways are up or down, or that the userwould have no recourse if the quality of service on the anycast pathof the moment was low.


What would the user's recourse be?

If you mean that the user would switch to another relay, then whilethis might be something that you or I would do, in a world where 6to4is enabled by default on many platforms, the vast majority of userswould not. The way I see it, is that we're at a trade off here, with 2options:

1) Leave this as it is, less providers deploy relays, but the relayswe do have are more easy to debug. IPv6 over 6to4 performance globallyis not good, we cannot put services on IPv6 because of performanceproblems.

2) Remove the paragraph, more providers deploy relays, but we havevery little relay debugging available to us. IPv6 over 6to4performance globally is improved, we can start putting services onIPv6 without performance problems.

Continuing to allow IPv6 over 6to4 to be broken for the sake of a bitof debugging is, in my opinion, a bad thing. We now understand thethings that break 6to4, and we are able to test for them without 6to4relays being on non-RFC3068 addresses.

Because of the implementations of many vendors, (2) has already beendone. Let's remove the paragraph to alleviate concerns of theseproviders, and get on with it.

--
Nathan Ward

References:
- implications of 6to4 for v6coex
  - From: james woodyatt <jhw@apple.com>
- Re: implications of 6to4 for v6coex
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: implications of 6to4 for v6coex
  - From: james woodyatt <jhw@apple.com>
- Re: implications of 6to4 for v6coex
  - From: Nathan Ward <v6ops@daork.net>
- Re: implications of 6to4 for v6coex
  - From: Truman Boyes <truman@suspicious.org>
- RE: implications of 6to4 for v6coex
  - From: Christian Huitema <huitema@windows.microsoft.com>

Prev by Date: Re: implications of 6to4 for v6coex
Next by Date: Re: implications of 6to4 for v6coex
Previous by thread: Re: implications of 6to4 for v6coex - 6to4 and 6rd properties
Next by thread: Fwd: New Version Notification for draft-miyata-v6ops-snatpt-01
Index(es):
- Date
- Thread