On Thu, 23 Sep 2010, Marcus C. Gottwald wrote:
> Henrique de Moraes Holschuh wrote (Mon 2010-Sep-20 15:13:13 -0300):
> > Are you aware of the security implications? Unless you route the relevant
> > gateway prefixes yourself, you will be using a 6to4 gateway which can be
> > anywhere and belong to anyone, subject to the whims of BGP anycast.
>
> Security as in availability or as in integrity? With regard to
> availability: Well, yes, a tunnel might be more reliable, but
> I've seen 6to4 working very well so far.
An ISP will move really fast to make sure nobody is BGP-hijacking its
"important" prefixes, while the 6to4 gateway prefix is supposed to be anycast
and is rarely considered "important", so it will not raise any alarms. Unless
the gateway is supposed to be local to you, it is far more vulnerable than a
tunnel or native IPv6 connectivity.

> With regard to integrity: There's no reason for me to trust my
> local ISP and backbone operators any more than anybody else.

That's your call. But let me remind you that your ISP is at least bound to
local laws. If it starts MITMing your https sessions, it will be due to a
court order or as a favour to your local Gestapo. While any criminal-haven AS
in the world (and there are lots) can try to herd 6to4 traffic to themselves
for nasty purposes without raising any eyebrows.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
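A concrete version of the check Henrique is pointing at, added here as an example and not part of the thread: a 6to4 site has no say in which relay router its return traffic comes through, because native IPv6 hosts reach 2002::/16 via whatever router advertises that prefix, and the site's own outbound traffic goes to the RFC 3068 anycast address 192.88.99.1 (both since deprecated by RFC 7526). What the site can do is look at the decapsulated protocol-41 packets it receives: if the inner IPv6 source is a 2002:: address, RFC 3056 requires the embedded IPv4 address to match the outer IPv4 source (otherwise drop); if the inner source is native IPv6, the outer source is the relay that forwarded it, and you can see whether that relay is one you consider local. The packet list below is constructed from documentation addresses; `local_relay_nets` is a hypothetical operator-supplied list of prefixes you trust as "your" relays.

```python
import ipaddress
from collections import Counter

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
# RFC 3068 anycast relay address; deprecated by RFC 7526 but still what 2010-era
# 6to4 routers send to.
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")


def sixto4_prefix(public_v4: str) -> ipaddress.IPv6Network:
    """Derive the 2002:V4ADDR::/48 prefix a 6to4 site gets from its public IPv4.

    The IPv4 address occupies bits 80..111 of the IPv6 address (RFC 3056).
    """
    v4 = ipaddress.IPv4Address(public_v4)
    return ipaddress.IPv6Network((int(SIXTO4_PREFIX.network_address) | (int(v4) << 80), 48))


def embedded_v4(v6: str):
    """Return the IPv4 address embedded in a 2002::/16 address, or None if native IPv6."""
    a = ipaddress.IPv6Address(v6)
    if a not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def classify(outer_src: str, inner_src: str) -> str:
    """Classify one decapsulated proto-41 packet by outer IPv4 and inner IPv6 source.

    "direct"  - inner is 2002:: and embeds the outer source: site-to-site, no relay
    "spoofed" - inner is 2002:: but embeds a different IPv4: RFC 3056 says drop it
    "relay"   - inner is native IPv6, so the outer source is whichever relay
                router chose to forward it to us
    """
    emb = embedded_v4(inner_src)
    if emb is None:
        return "relay"
    return "direct" if emb == ipaddress.IPv4Address(outer_src) else "spoofed"


def relay_report(packets, local_relay_nets=()):
    """Tally classifications and list relay sources outside the prefixes we call local.

    packets: iterable of (outer_ipv4_src, inner_ipv6_src) string pairs.
    Returns (dict of counts, sorted list of foreign relay IPv4 addresses).
    """
    nets = [ipaddress.IPv4Network(n) for n in local_relay_nets]
    counts = Counter()
    foreign = set()
    for outer_src, inner_src in packets:
        kind = classify(outer_src, inner_src)
        counts[kind] += 1
        if kind == "relay":
            relay = ipaddress.IPv4Address(outer_src)
            if not any(relay in n for n in nets):
                foreign.add(str(relay))
    return dict(counts), sorted(foreign)


# Constructed sample: (outer IPv4 source, inner IPv6 source) as seen by a 6to4
# router at 198.51.100.7, i.e. prefix 2002:c633:6407::/48. All addresses are
# documentation ranges, not real observations.
SAMPLE_PACKETS = [
    ("198.51.100.7", "2002:c633:6407::1"),     # direct: embedded IPv4 matches outer
    ("203.0.113.9", "2002:c633:6407::1"),      # spoofed: claims our prefix, wrong outer
    ("192.88.99.1", "2001:db8::1"),            # relay: anycast address as outer source
    ("203.0.113.200", "2001:db8:abcd::5"),     # relay: some AS we know nothing about
    ("192.0.2.77", "2001:db8:1::9"),           # relay: inside the prefix we call local
]

if __name__ == "__main__":
    print(sixto4_prefix("198.51.100.7"))
    counts, foreign = relay_report(SAMPLE_PACKETS, local_relay_nets=["192.0.2.0/24"])
    print(counts)
    print("relays outside local prefixes:", foreign)
```

The "spoofed" class is the ingress filter every 6to4 router should apply (RFC 3964 discusses the abuse cases); the "relay" list is what you would compare against the relay prefixes your own ISP actually routes. If addresses you cannot account for appear there, your return traffic is transiting a relay chosen by BGP, not by you, which is the exposure the message above describes.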

