
Re: Security of 6to4 (was: Re-prioritizing 6to4 over v4 addresses)



On Thu, 23 Sep 2010, Marcus C. Gottwald wrote:
> Henrique de Moraes Holschuh wrote (Mon 2010-Sep-20 15:13:13 -0300):
> > Are you aware of the security implications?  Unless you route the relevant
> > gateway prefixes yourself, you will be using a 6to4 gateway which can be
> > anywhere and belong to anyone, subject to the whims of BGP anycast.
> 
> Security as in availability or as in integrity? With regard to
> availability: Well, yes, a tunnel might be more reliable, but
> I've seen 6to4 working very well so far.

An ISP will move really fast to make sure nobody is BGP-hijacking its
"important" prefixes, while the 6to4 gateway prefix is supposed to be
anycast and is rarely considered "important", so it will not raise any
alarms.

Unless the gateway is supposed to be local to you, it is far more
vulnerable than a tunnel or native IPv6 connectivity.

> With regard to integrity: There's no reason for me to trust my
> local ISP and backbone operators any more than anybody else.

That's your call.  But let me remind you that your ISP is at least bound
to local laws.  If it starts MITMing your HTTPS sessions, it will be due to
a court order or as a favour to your local Gestapo.  While any
criminal-haven AS in the world (and there are lots) can try to herd 6to4
traffic to themselves for nasty purposes without raising any eyebrows.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
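As an added illustration of the point made above (not code from the thread or its authors), a small Python check that watches BGP routes covering the 6to4 relay anycast prefix 192.88.99.0/24 (RFC 3068) and flags any that come from an AS outside an expected set or that are more specific than the /24; the route lines and AS numbers below are constructed sample data in a simplified "PREFIX AS-PATH" form, not real router output.

```python
import ipaddress

# RFC 3068 anycast prefix used to reach a 6to4 relay router.
SIXTO4_RELAY_PREFIX = ipaddress.ip_network("192.88.99.0/24")

def parse_route(line):
    """Parse 'PREFIX AS1 AS2 ... ASn' into (network, as_path); None for junk."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        net = ipaddress.ip_network(parts[0], strict=True)
        path = [int(asn) for asn in parts[1:]]
    except ValueError:
        return None
    return net, path

def check_6to4_origins(route_lines, expected_origins):
    """Return alert strings for routes overlapping the 6to4 anycast prefix
    that are either more specific than the /24 (classic hijack pattern) or
    originated by an AS not in expected_origins."""
    alerts = []
    for line in route_lines:
        parsed = parse_route(line)
        if parsed is None:
            continue
        net, path = parsed
        if net.version != 4 or not net.overlaps(SIXTO4_RELAY_PREFIX):
            continue
        origin = path[-1]  # rightmost AS in the path originated the route
        if net.prefixlen > SIXTO4_RELAY_PREFIX.prefixlen:
            alerts.append(f"more-specific {net} originated by AS{origin}")
        elif origin not in expected_origins:
            alerts.append(f"unexpected origin AS{origin} for {net}")
    return alerts

# Constructed sample routes (ASNs from the private-use range 64496-64511).
SAMPLE_ROUTES = [
    "192.88.99.0/24 64500 64496",    # the relay operator we expect
    "192.88.99.0/24 64500 64510",    # same prefix, unexpected origin
    "192.88.99.128/25 64500 64511",  # more-specific announcement
    "203.0.113.0/24 64500 64496",    # unrelated prefix, ignored
    "garbage",                       # unparsable line, skipped
]
EXPECTED_RELAY_ORIGINS = {64496}

if __name__ == "__main__":
    for alert in check_6to4_origins(SAMPLE_ROUTES, EXPECTED_RELAY_ORIGINS):
        print("ALERT:", alert)
```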
