[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: implications of 6to4 for v6coex

To: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: implications of 6to4 for v6coex
From: james woodyatt <jhw@apple.com>
Date: Tue, 16 Sep 2008 17:43:27 -0700
In-reply-to: <alpine.LRH.2.00.0809161301370.11794@cust11798.lava.net>
References: <6C2047ED-8BFF-43B1-A6D4-68FDA93D8013@apple.com> <48CDDB4B.3000506@gmail.com> <CC92994D-2C4B-4ED8-B0A5-4C8709DB0AD9@apple.com> <48CEE039.803@gmail.com> <7C5C5D78-D160-4A8F-897D-199ECE13CAA3@apple.com> <8EFB68EAE061884A8517F2A755E8B60A1349E93DD0@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <AC714B55-DBB4-4FBD-8033-80AE4F1C8100@apple.com> <alpine.LRH.2.00.0809161301370.11794@cust11798.lava.net>

On Sep 16, 2008, at 16:05, Antonio Querubin wrote:

On Tue, 16 Sep 2008, james woodyatt wrote:
The complaint I have heard is that simply not advertising theroutes to third parties is not enough to prevent them from usingstatic routes to steal relay service.
If they're afraid of that, why can't they just block access to therelay address via ACLs at their borders? Most ISPs probably do somekind of filtering at their border anyway. Adding one more deny ruleisn't gonna make a big impact on performance.

Yes, the existing RFCs recommend filtering at the border gateway andlimited routing advertisements to trusted peers. So, why do serviceproviders think they can't secure their 6to4 relay service that way?They must have a legitimate reason, don't you think? Surely, theyaren't trying to sabotage the IPv4-IPv6 transition by splitting thepublic IPv6 internet into three parts (one for native, one for 6to4and one for Teredo), right?

Again, it would be better if an authoritative voice recommending*against* the deployment of 6to4 and Teredo relays in service providernetworks, because of concerns about limiting access to relay servicesto their subscribers only, would step in here and speak to the issuedirectly. I've only gathered from talking with people that theproblem with ACLs at the border routers is that a real deployment planwould require too many ACL entries, i.e. one for each relay, becauserelays would have to be in lots of different places around theinteriors of their networks, and addressed accordingly.

Won't somebody from a service provider *please* step up and explainwhy they cannot and/or will not deploy 6to4 relay routers for the useof their subscribers as the standards track documents currentlydescribe them? The continuing silence from the operations communityon this topic is very troubling, but I suppose it's possible everyoneis still enjoying their copious allotment of holiday time.


It *is* September, though, isn't it?


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

Follow-Ups:
- Re: implications of 6to4 for v6coex
  - From: Joe Abley <jabley@hopcount.ca>

References:
- implications of 6to4 for v6coex
  - From: james woodyatt <jhw@apple.com>
- Re: implications of 6to4 for v6coex
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: implications of 6to4 for v6coex
  - From: james woodyatt <jhw@apple.com>
- Re: implications of 6to4 for v6coex
  - From: james woodyatt <jhw@apple.com>
- RE: implications of 6to4 for v6coex
  - From: Christian Huitema <huitema@windows.microsoft.com>
- Re: implications of 6to4 for v6coex
  - From: james woodyatt <jhw@apple.com>
- Re: implications of 6to4 for v6coex
  - From: Antonio Querubin <tony@lava.net>

Prev by Date: Re: implications of 6to4 for v6coex
Next by Date: Re: implications of 6to4 for v6coex
Previous by thread: Re: implications of 6to4 for v6coex
Next by thread: Re: implications of 6to4 for v6coex
Index(es):
- Date
- Thread