The UDP tunneling scenario aims at solving the NAT crossing problem.
This is fine, but we need more than just a port number and a payload
format to make this work. Since the origin of the tunnel is located
behind a NAT, and possibly many, you cannot predict the port number and
the IP address that it will use. Also, it is fair to assume that the
tunnel will probably not be offered by the local ISP -- if this ISP
wished to provide IPv6 service, it could just enable native IPv6, or
possibly native tunneling. I think we must meet the following
requirements:

1) There is no way to "pre-configure" the connection. The association
between a given "user prefix" and a pair of natted address and port must
be discovered in real-time.

2) There must be a way to verify the identity of the party requesting
the tunnel, to mitigate the risk of traffic hijacking, and possibly to
ensure that only authorized parties are using the service.

3) There must be some way to verify the origin of the traffic, in order
to avoid denial of service attacks.

4) There must be a way to "qualify" the tunnel, and check that traffic
is indeed flowing in both directions -- NAT configurations are prone to
bizarre cases of failure.

We should also note that IPv6 over UDP should be designed to work with
all NATs, including those that use "destination specific" port mappings.
The design, and the port discovery, should be focused on bilateral
tunnels.

-- Christian Huitema
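The four requirements above are easier to reason about with the two endpoints written out. The following is an added illustration, not code from this thread or from any IETF draft: a tunnel server that learns a client's NATed (address, port) from the outer header of an authenticated datagram, rejects replays so a stale packet cannot re-point the mapping, checks that the inner IPv6 source lies in the prefix delegated to that client, and answers a probe so the client can confirm traffic flows both ways. The datagram layout (type, client id, sequence number, IPv6 packet, HMAC-SHA256 trailer), the shared-key authentication, and every name and address are assumptions chosen for the example; no sockets are used, so the outer IPv4 address is passed in explicitly and the code runs offline.

```python
"""Sketch of IPv6-over-UDP/IPv4 tunnel endpoints behind a NAT (example only).
Assumed datagram format: type(1) client_id(4) seq(8) | inner IPv6 packet | HMAC-SHA256.
Outer (IPv4, port) pairs are passed in by hand instead of being read from a socket."""
import hmac, hashlib, struct, ipaddress

MAC_LEN = 32
HDR = struct.Struct("!BIQ")              # type, client_id, seq (assumed layout)
T_DATA, T_PROBE, T_PROBE_REPLY = 0, 1, 2
NO_NEXT_HEADER = 59                      # IPv6 "no next header"

def build_ipv6(src, dst, payload=b"", next_header=NO_NEXT_HEADER):
    """Minimal IPv6 packet: 40-byte header (version 6, hop limit 64) plus payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def seal(key, msg_type, client_id, seq, body):
    """Build a datagram and append an HMAC over everything that precedes it."""
    head = HDR.pack(msg_type, client_id, seq) + body
    return head + hmac.new(key, head, hashlib.sha256).digest()

def open_msg(key, datagram):
    """Verify the trailing HMAC; return (type, client_id, seq, body) or None."""
    if len(datagram) < HDR.size + MAC_LEN:
        return None
    head, mac = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(key, head, hashlib.sha256).digest(), mac):
        return None
    msg_type, client_id, seq = HDR.unpack_from(head)
    return msg_type, client_id, seq, head[HDR.size:]

class TunnelServer:
    def __init__(self):
        self.clients = {}                # client_id -> key, prefix, mapping, last_seq

    def register(self, client_id, key, prefix):
        self.clients[client_id] = dict(key=key, prefix=ipaddress.IPv6Network(prefix),
                                       mapping=None, last_seq=0)

    def receive(self, outer_src, datagram):
        """outer_src is the (IPv4, port) seen on the wire, i.e. the NAT's mapping.
        Returns (verdict, reply datagram or None)."""
        if len(datagram) < HDR.size + MAC_LEN:
            return "drop: short", None
        _, client_id, _ = HDR.unpack_from(datagram)
        client = self.clients.get(client_id)
        if client is None:
            return "drop: unknown client", None
        parsed = open_msg(client["key"], datagram)      # requirement 2: who is asking
        if parsed is None:
            return "drop: bad mac", None
        msg_type, _, seq, body = parsed
        if seq <= client["last_seq"]:                   # a replayed packet must not move the mapping
            return "drop: replay", None
        if msg_type == T_DATA:                          # requirement 3: inner source must be ours
            if len(body) < 40 or body[0] >> 4 != 6:
                return "drop: not ipv6", None
            if ipaddress.IPv6Address(body[8:24]) not in client["prefix"]:
                return "drop: spoofed source", None
        client["last_seq"] = seq
        client["mapping"] = outer_src                   # requirement 1: learned live, never preconfigured
        if msg_type == T_PROBE:
            return "probe ok", seal(client["key"], T_PROBE_REPLY, client_id, seq, b"")
        return "accepted", None

class TunnelClient:
    def __init__(self, client_id, key):
        self.client_id, self.key, self.seq, self.up = client_id, key, 0, False

    def _next(self):
        self.seq += 1
        return self.seq

    def probe(self):
        return seal(self.key, T_PROBE, self.client_id, self._next(), b"")

    def handle(self, datagram):
        """Requirement 4: the tunnel counts as up only once a signed reply came back."""
        parsed = open_msg(self.key, datagram)
        if parsed and parsed[0] == T_PROBE_REPLY and parsed[1] == self.client_id:
            self.up = True
        return self.up

    def encapsulate(self, ipv6_packet):
        return seal(self.key, T_DATA, self.client_id, self._next(), ipv6_packet)

def demo():
    """Walk the exchange with constructed sample data; returns (client_up, mapping, verdicts)."""
    key = b"shared-secret-for-client-7"                 # constructed example key
    server, client = TunnelServer(), TunnelClient(7, key)
    server.register(7, key, "2001:db8:7::/64")
    nat = ("198.51.100.4", 40123)                      # constructed address the NAT presents
    verdicts = []
    verdict, reply = server.receive(nat, client.probe())
    verdicts.append(verdict)
    client.handle(reply)
    good = client.encapsulate(build_ipv6("2001:db8:7::1", "2001:db8::53"))
    verdicts.append(server.receive(nat, good)[0])
    bad = client.encapsulate(build_ipv6("2001:db8:9::1", "2001:db8::53"))   # outside the prefix
    verdicts.append(server.receive(nat, bad)[0])
    verdicts.append(server.receive(nat, good)[0])       # same datagram again
    forged = bytearray(good); forged[-1] ^= 1           # one flipped MAC bit, new outer address
    verdicts.append(server.receive(("203.0.113.9", 5555), bytes(forged))[0])
    return client.up, server.clients[7]["mapping"], verdicts

if __name__ == "__main__":
    print(demo())
```

The point of the replay counter is the hijacking case in requirement 2: without it, anyone who captured one valid datagram could resend it from a different IPv4 address and have the server redirect the client's prefix to that address. A real deployment would also need key distribution and some way to age out mappings once probes stop succeeding; both are outside this sketch.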

> -----Original Message-----
> From: Francis Dupont [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 15, 2001 7:44 AM
> To: [EMAIL PROTECTED]
> Subject: IPv6 over UDP/IPv4
> 
> We know that IPv6 over UDP/IPv4 is very useful for some users.
> This is very easy to do too (see the PS) but an advantage to
> have a document which specifies it is we can get a standard port...
> Do you believe we should write an Internet Draft about it?
> 
> [EMAIL PROTECTED]
> 
> PS: on FreeBSD 4.3 with Netgraph a little variation of
> the /usr/share/examples/netgraph/udp.tunnel script does the job.
> With if_tun (for systems without a netgraph-like facility) this takes
> one page of trivial code... or nothing if the user mode PPP has both
> UDP and IPv6 supports.
> --------------------------------------------------------------------
> IETF IPng Working Group Mailing List
> IPng Home Page:                      http://playground.sun.com/ipng
> FTP archive:                      ftp://playground.sun.com/pub/ipng
> Direct all administrative requests to [EMAIL PROTECTED]
> --------------------------------------------------------------------