
Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns



Suresh,

You wrote to Christian:

> While I agree with you about the possibility of an "arms race" I really
> do not see anything we can do about this. What would you recommend
> instead? I am really open to suggestions.

My feeling is that we need to tell IT managers something like
"If your users have a need for IPv6 tunnels, here is how to
make them as safe as possible:

 <description of mechanisms, e.g. for detecting DoS,...>

and after that, explain the threats, and state that tunnels
should be disabled if you are not protected against the threats.

There are also other positive suggestions, like operating
an on-site 6to4 relay and/or Teredo server, so that those
mechanisms don't cross the border router.

I agree with you that there are real threats (or will be, once
there is enough deployment to make IPv6 tunnels an interesting
target). It's quite appropriate to document them.

    Brian