[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
On Sat, 16 Dec 2000, John Wright wrote:
> Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels
> * "stf" interface implements it. Be sure to read the next item before
> configuring it, there are security issues.
> Possible abuse against IPv6 transition technologies
> * KAME does not implement RFC1933/2893 automatic tunnel.
> * "stf" interface implements some address filters. Refer to stf(4)
> for details. Since there's no way to make 6to4 interface 100% secure,
> we do not include "stf" interface into GENERIC.v6 compilation.
So I guess I need to re-compile the kernel. ;-)
Anycase, I do not really understand the problems with this for 6to4.
When you sent a IPv6-packet to (say) 2002:c300:01ff:x:x:x:x:x, it get
tunned to 126.96.36.199, which is a IPv4 broadcast-address.
But, that packet will not get anywhere, as it will be filtered out by the
Ipv4-router servicing that IP-subnet if it has 'no ip-directed-broadcast'
After the wave of smurf-attacks last-year (which work on a simular
principle), almost every ISP has this enabled.
> * kame/openbsd completely disables IPv4 mapped address support.
AFAIK, IPv4-enabled addresses are not the same thing as 6to4.
> Security issues will obviously make OpenBSD suspicious about implementing
> them and hence they have disabled this stf interface.
I just hope it is still in the code; so I just need to re-compile the
Cheerio! Kr. Bonne.
KB905-RIPE belgacom internet backbone
(c=be,a=rtt,p=rttipc,s=Bonne,g=Kristoff) Internet, IP and IP/VPN
[email protected] Fax: +32 2 2435122