Garry Dolley wrote:
> On Fri, Apr 03, 2009 at 02:17:41PM +0000, Stuart Henderson wrote:
>> On 2009-04-03, Garry Dolley <gdol...@arpnetworks.com> wrote:
>>> Dear misc,
>>>
>>> Is it possible to have a gif0 tunnel that accepts a remote endpoint
>>> of any address?  I'm trying to set up a 6to4 anycast relay router.
>> 6to4 is not gif.
>
> Weird, because it works as 6to4.  I'm tunneling IPv6 packets over it
> from a Linux box (static endpoint) that has a 6to4 tunnel whose
> endpoint is my OpenBSD box.

That is because 6to4 (http://en.wikipedia.org/wiki/6to4) uses proto-41
(http://en.wikipedia.org/wiki/6in4).

The major difference and also the concern for security is that the
remote endpoint (where the packet will be forwarded to) is determined
from the IPv6 address, e.g. 2002:aabb:ccdd:: becomes aa.bb.cc.dd.
There are a lot of security pitfalls in 6to4 and if I recall correctly
that is the reason why OpenBSD does not support 6to4. IMHO that was a
just decision.

As a side-note, there has been talk in the IETF to deprecate 6to4,
especially the anycast version. Mostly though due to the many many many
issues that come along with actually operating 6to4 anycast on a larger
scale. (Try debugging 6to4 anycasted when there are 10 networks between
you and the remote site, and you can only do traceroutes from your hosts
and don't have a view at all at any of the other hosts/routers in the
middle: impossible)

Proto-41 itself is also easily subject to spoofing as long as one can
spoof IPv4 packets anywhere on a connected network and can get them to
the host.

>> OpenBSD does not support 6to4.
>
> Can a gif0 tunnel be set up with dynamic endpoints?

If you add the heartbeat protocol this can work. Otherwise proto-41
doesn't have support for dynamic endpoints (unless you manually script
it, then again, heartbeat is not that far away from that in some cases ;)

Greets,
 Jeroen
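
The endpoint derivation and the spoofing concern Jeroen describes, as an added example that is not part of this thread: it extracts the IPv4 address embedded in a 2002::/16 address and applies the ingress consistency check that RFC 3964 recommends for relays (embedded IPv4 must equal the outer IPv4 source, and must not be a bogon). The packet tuples and the helper names are constructed for illustration.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# IPv4 ranges that must never be a 6to4 endpoint: a relay forwarding to them
# would become a reflector into private, loopback or multicast space.
BOGON_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def embedded_ipv4(addr6):
    """Return the IPv4 address carried in bits 16..47 of a 2002::/16 address, else None."""
    a = ipaddress.IPv6Address(addr6)
    if a not in SIX_TO_FOUR:
        return None
    # 2002:aabb:ccdd:: -> aa.bb.cc.dd ; shift the 128-bit value down by 80 bits
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def sixto4_address(ipv4, subnet=0, host=1):
    """Build the 6to4 address 2002:<ipv4>:<subnet>::<host> for an IPv4 endpoint."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | (subnet << 64) | host))


def check_relay_ingress(outer_src4, inner_src6):
    """Decide whether a relay should accept a proto-41 packet from the IPv4 side.

    Returns (accept, reason).  The inner IPv6 source must be a 6to4 address,
    its embedded IPv4 must equal the outer IPv4 source (otherwise the IPv4
    header is spoofed relative to the payload), and must not be a bogon.
    """
    emb = embedded_ipv4(inner_src6)
    if emb is None:
        return False, "inner IPv6 source %s is not within 2002::/16" % inner_src6
    if emb != ipaddress.IPv4Address(outer_src4):
        return False, "embedded %s does not match outer source %s" % (emb, outer_src4)
    if any(emb in net for net in BOGON_V4):
        return False, "embedded %s is in a bogon range" % emb
    return True, "ok"


if __name__ == "__main__":
    # constructed sample packets: (outer IPv4 source, inner IPv6 source)
    samples = [("192.0.2.1", "2002:c000:201::1"),   # consistent: accept
               ("192.0.2.9", "2002:c000:201::1"),   # outer source spoofed
               ("10.0.0.1", "2002:a00:1::1"),       # embedded bogon
               ("192.0.2.1", "2001:db8::1")]        # not a 6to4 source
    for src4, src6 in samples:
        print(src4, src6, check_relay_ingress(src4, src6))
```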

