North American Network Operators Group


Instant IPv6 PI solution for everyone (Was: BBC does IPv6 ;) (Was:large multi-site enterprises and PI)

  • From: Jeroen Massar
  • Date: Mon Nov 29 04:44:49 2004

On Mon, 2004-11-29 at 01:11 -0800, Owen DeLong wrote:

<SNIP>
> How is this any more of a security hole than address-based trust in the
> first place.  As near as I can tell, the 6-to-4 mapping is simply a
> legitimate form of address spoofing more than what I would call dynamic
> tunnels.  As I understand it, there's some magic IPv6 prefix which since
> I don't remember what it is, I'll call <pfx> and your V4 address simply
> gets mapped to <pfx>::<v4addr> and away it goes.

::ffff:<a.b.c.d>, eg ::ffff:192.0.2.42, but that is mostly (or
entirely?) deprecated. The IPv4-mapped addresses give a range of nice
security problems where people forget to close down their IPv6 firewall
for this and thus allow IPv4 addresses into the IPv6 world, and there
were some other reasons.

2002:<AB>:<CD>::/48, eg, 192.0.2.42 becomes 2002:c000:22a::/48, 6to4,
quite in use and works fine when the 6to4 relays are close-by for both 
ends.

The "Instant IPv6 solution for anyone"
(Reading Material: RFC3068 & RFC3056)

Say you currently have 192.0.2.0/24 (IPv4 doc prefix, can't use ;) then
you also have 2002:c000:22a::/48 or larger of course, depending on
your IPv4 space, though a /48 should be enough for most folks.

Tada, because you have one single IPv4 address, that is most likely
already PI in IPv4, you also have an IPv6 prefix that is PI.

Now everybody can stop complaining that the installed IPv4 base already
has PI and needs it too for IPv6: use the above solution and get it over
with. Also if you are multihomed by multiple IPv4 prefixes you can do
that with the above too, just RA multiple prefixes on your network.

There is one catch-22 though, according to RFC3056 Section 2.2:
8<-------------------
   On its native IPv6 interface, the relay router MUST advertise a route
   to 2002::/16.  It MUST NOT advertise a longer 2002:: routing prefix
   on that interface.  Routing policy within the native IPv6 routing
   domain determines the scope of that advertisement, thereby limiting
   the visibility of the relay router in that domain.
------------------->8
Because it would introduce a lot of IPv4 routes into the IPv6 routing tables...

As at the moment most ISPs don't filter >/48 this should not be much of
a problem. And folks, don't forget to set up your _own_ 6to4 relay,
otherwise your connectivity will be terrible.

Note also that Windows XP SP1 etc. support the above by default after
one has typed 'netsh interface ipv6 install', though when behind a NAT
it will try Teredo where possible to get out of that bubble.

Thus while everybody is waiting for multi6 to solve it, see above ;)

Greets,
 Jeroen

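The 6to4 derivation Jeroen walks through above (RFC 3056), as an added worked example that is not part of the original post: it builds the 2002: prefix from an IPv4 address, generalises the single-address case to whole IPv4 prefixes, and adds the reverse checks a relay or IPv6 firewall would want for 6to4 and ::ffff: mapped sources. Function names are my own; the sample addresses are the post's documentation-space values.

```python
import ipaddress
from typing import Optional

# Constructed example, not code from the original post or from any RFC.
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")      # RFC 3056 6to4 prefix
V4MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")   # IPv4-mapped ::ffff:a.b.c.d


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """Embed an IPv4 address or prefix in the 32 bits after the 2002: label.

    A single address gives the /48 from the post (192.0.2.42 -> 2002:c000:22a::/48).
    A whole IPv4 prefix gives a correspondingly shorter 6to4 prefix, since each
    IPv4 prefix bit becomes one IPv6 prefix bit (a /24 becomes a /40).
    """
    net = ipaddress.ip_network(v4, strict=False)
    if net.version != 4:
        raise ValueError("6to4 embeds IPv4 only")
    v6_int = (0x2002 << 112) | (int(net.network_address) << 80)
    return ipaddress.IPv6Network((v6_int, 16 + net.prefixlen))


def embedded_ipv4(v6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried inside a 6to4 or IPv4-mapped IPv6 address, else None.

    Surfacing the embedded IPv4 address is what lets an IPv6 filter apply the
    IPv4 policy that, as the post notes, people forget to carry over.
    """
    addr = ipaddress.IPv6Address(v6)
    if addr in SIXTOFOUR:
        return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
    if addr in V4MAPPED:
        return addr.ipv4_mapped
    return None


def matches_outer_source(inner_v6_src: str, outer_v4_src: str) -> bool:
    """Decapsulation check for a 6to4 relay: the IPv4 address embedded in the
    inner IPv6 source must equal the outer IPv4 source of the tunnel packet;
    anything else is an inner source spoofed relative to the tunnel it came in on."""
    addr = ipaddress.IPv6Address(inner_v6_src)
    outer = ipaddress.IPv4Address(outer_v4_src)
    return addr in SIXTOFOUR and embedded_ipv4(inner_v6_src) == outer


def uses_global_ipv4(v6: str) -> bool:
    """RFC 3056 requires the embedded IPv4 address to be globally unique, so a
    6to4 prefix built from RFC 1918, loopback or documentation space (the
    post's own 192.0.2.0/24, hence its "can't use") should be rejected."""
    inner = embedded_ipv4(v6)
    return inner is not None and inner.is_global
```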