[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Sat, 16 Dec 2000, John Wright wrote:
> draft-ietf-ngtrans-6to4-06.txt:
>         Connection of IPv6 Domains via IPv4 Clouds without Explicit Tunnels
>     * "stf" interface implements it.  Be sure to read the next item before
>       configuring it, there are security issues.
> draft-itojun-ipv6-transition-abuse-01.txt:
>         Possible abuse against IPv6 transition technologies
>     * KAME does not implement RFC1933/2893 automatic tunnel.
>     * "stf" interface implements some address filters.  Refer to stf(4)
>       for details.  Since there's no way to make 6to4 interface 100% secure,
>       we do not include "stf" interface into GENERIC.v6 compilation.
So I guess I need to re-compile the kernel. ;-)

Anycase, I do not really understand the problems with this for 6to4.
When you sent a IPv6-packet to (say) 2002:c300:01ff:x:x:x:x:x, it get
tunned to, which is a IPv4 broadcast-address.
But, that packet will not get anywhere, as it will be filtered out by the
Ipv4-router servicing that IP-subnet if it has 'no ip-directed-broadcast'
After the wave of smurf-attacks last-year (which work on a simular
principle), almost every ISP has this enabled.

>     * kame/openbsd completely disables IPv4 mapped address support.
AFAIK, IPv4-enabled addresses are not the same thing as 6to4.

> Security issues will obviously make OpenBSD suspicious about implementing
> them and hence they have disabled this stf interface.
I just hope it is still in the code; so I just need to re-compile the

Cheerio! Kr. Bonne.
KB905-RIPE                                  belgacom internet backbone
(c=be,a=rtt,p=rttipc,s=Bonne,g=Kristoff)    Internet, IP and IP/VPN
[email protected]                    Fax: +32 2 2435122