On Sat, Apr 04, 2009 at 11:50:08AM +0200, Jeroen Massar wrote:
> Garry Dolley wrote:
> > On Fri, Apr 03, 2009 at 02:17:41PM +0000, Stuart Henderson wrote:
> >> On 2009-04-03, Garry Dolley <gdol...@arpnetworks.com> wrote:
> >>> Dear misc,
> >>>
> >>> Is it possible to have a gif0 tunnel that accepts a remote endpoint
> >>> of any address? I'm trying to set up a 6to4 anycast relay router.
> >> 6to4 is not gif.
> >
> > Weird, because it works as 6to4. I'm tunneling IPv6 packets over it
> > from a Linux box (static endpoint) that has a 6to4 tunnel whose
> > endpoint is my OpenBSD box.
>
> That is because 6to4 (http://en.wikipedia.org/wiki/6to4) uses proto-41
> (http://en.wikipedia.org/wiki/6in4).

Iiiiiiiinteresting...

> The major difference and also the concern for security is that the
> remote endpoint (where the packet will be forwarded to) is determined
> from the IPv6 address, eg 2002:aabb:ccdd:: becomes aa.bb.cc.dd.
> There are a lot of security pitfalls in 6to4 and if I recall correctly
> that is the reason why OpenBSD does not support 6to4. IMHO that was a
> just decision.
>
> As a side-note, there has been talk in the IETF to deprecate 6to4,
> especially the anycast version. Mostly though due to the many many many
> issues that come along with actually operating 6to4 anycast on a larger
> scale. (Try debugging 6to4 anycasted when there are 10 networks between
> you and the remote site, and you can only do traceroutes from your hosts
> and don't have a view at all at any of the other hosts/routers in the
> middle: impossible)
>
> Proto-41 itself is also easily subjective to spoofing as long as one can
> spoof IPv4 packets anywhere on a connected network and can get them to
> the host.

Gotcha.

> >> OpenBSD does not support 6to4.
> >
> > Can a gif0 tunnel be set up with dynamic endpoints?
>
> If you add the heartbeat protocol this can work. Otherwise proto-41
> doesn't have support for dynamic endpoints (unless you manually script
> it, then again, heartbeat is not that far away from that in some cases ;)

All great information, thanks for the explanations!

-- 
Garry Dolley
ARP Networks, Inc. | http://www.arpnetworks.com | (818) 206-0181
Data center, VPS, and IP Transit solutions
Member Los Angeles County REACT, Unit 336 | WQGK336
Blog http://scie.nti.st
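Worked example, added after the thread and not part of any poster's message: a small Python script showing the 6to4 endpoint derivation Jeroen describes (2002:aabb:ccdd:: becomes aa.bb.cc.dd) and the consistency check a relay or router can apply to a decapsulated proto-41 packet, namely that the IPv4 address embedded in an inner 6to4 source must equal the outer IPv4 source, and that an embedded address that is private, loopback, multicast or otherwise not globally routable should not be relayed. Function names and the sample addresses are my own constructions; only the 2002::/16 prefix layout comes from the thread.

```python
import ipaddress

# 6to4 addresses live in 2002::/16; bits 16..47 carry the IPv4 endpoint (RFC 3056 layout).
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in a 6to4 address, or None if addr is not 6to4.

    2002:aabb:ccdd:: -> 170.187.204.221 (aa.bb.cc.dd in hex bytes).
    """
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIXTO4_PREFIX:
        return None
    # Drop the low 80 bits, leaving the top 48; mask off the 0x2002 prefix above bit 32.
    raw = (int(v6) >> 80) & 0xFFFFFFFF
    return ipaddress.IPv4Address(raw)


def relay_destination(inner_dst):
    """Outer IPv4 destination a 6to4 relay would use for this inner IPv6 destination.

    Returns None when the destination is not a 6to4 address (native IPv6 goes elsewhere).
    """
    return embedded_ipv4(inner_dst)


def is_relayable(v4):
    """Reject embedded IPv4 endpoints that must never be the target of relayed traffic."""
    return not (
        v4.is_private
        or v4.is_loopback
        or v4.is_multicast
        or v4.is_link_local
        or v4.is_reserved
        or v4.is_unspecified
    )


def check_6to4_packet(outer_src, inner_src):
    """Consistency check on a decapsulated proto-41 packet.

    outer_src: IPv4 source of the encapsulating packet.
    inner_src: IPv6 source of the encapsulated packet.
    Returns one of: "not-6to4-source", "consistent", "mismatch", "unroutable-endpoint".
    A 6to4 inner source whose embedded IPv4 differs from the outer source is a spoofing
    indicator and should be dropped and logged rather than forwarded.
    """
    emb = embedded_ipv4(inner_src)
    if emb is None:
        return "not-6to4-source"
    if not is_relayable(emb):
        return "unroutable-endpoint"
    if emb == ipaddress.IPv4Address(outer_src):
        return "consistent"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample packets: (outer IPv4 src, inner IPv6 src).
    samples = [
        ("170.187.204.221", "2002:aabb:ccdd::1"),   # embedded aa.bb.cc.dd matches outer
        ("198.51.100.7", "2002:aabb:ccdd::1"),      # outer does not match embedded
        ("198.51.100.7", "2002:0a00:0001::1"),      # embeds 10.0.0.1, never relay
        ("198.51.100.7", "2001:db8::1"),            # native IPv6 inside the tunnel
    ]
    for outer, inner in samples:
        print(f"{outer:>16} {inner:<20} -> {check_6to4_packet(outer, inner)}")
    print("relay 2002:aabb:ccdd::1 via", relay_destination("2002:aabb:ccdd::1"))
```

The check on `inner_src` is the cheap one every tunnel endpoint can do; the return-path problem Jeroen raises (a relay will happily forward to whatever aa.bb.cc.dd the packet names) is why `is_relayable` also vets the embedded destination before anything is sent.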