[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 6to4 security questions
Pekka Savola wrote:
> On Thu, 21 Nov 2002, Brian E Carpenter wrote:
> > Actually, what is wrong with the model in bullet 2.2 of section 5.2
> > of RFC 3056, i.e. require a BGP4+ peer relationship between a 6to4
> > router and the 6to4 relay routers it deals with? (OK, I can see some
> > reachability issues but 6to4 is not supposed to be the universal answer.)
> That, in itself, helps little. Relay routers must also be connected using
> BGP4+ and advertising more specific routes.
No, the model is that they will advertise 2002::/16, but only inside a limited set
of AS's. That is mentioned in RFC 3056 - you use BGP policy to scope
which relay serves which part of the native IPv6 network.
That in itself doesn't protect against spoofing however; for that you need
peering between the 6to4 router and a set of trustworthy relays.
> > As I said a moment ago, 6to4 wasn't designed for end hosts. I've
> > always felt the BGP4+ scenario was the best one.
> Well, the reasons 6to4 is used are usualy either/and:
> 1) ease of taking into use
> 2) takes dynamic v4 address into account
> For SOHO/home use, both conditions are usually fulfilled. Also, for
> bigger enterprise networks, which are usually able to run BGP etc., are
> only concerned about _at most_ 1).
The third reason is
3) no IPv6 ISP offering configured tunnels near enough in the topology.