Re: [v6ops] I-D Action: draft-ietf-v6ops-6to4-to-historic-07.txt - software bugs

[Jeroen Massar <jeroen@massar.ch>]

[Replies to multiple mails in this thread compressed into one]

On 2014-11-13 23:17, Alexandru Petrescu wrote:
[..]
>>> Do not deprecate until you offer a solution satisfying a number of
>>> requirements (currently unsatisfied by eg tunnel brokers).
>>
>> Which requirements are these?
> 
> Ones one would have to lay down and agree on before engaging in new work.
> 
> For example -1- must allow for reverse DNS ok,

That is a business decision. Most (all?) TBs provide this.

Note that a normal ISP does not do this, hence bit silly to require it
for a free tunnel...

> -2- must be secureable by existing e2e IPsec,

The tunnel or the packets that flow within it?
What is the problem you are trying to solve?


The packets in the tunnel are 1280+ hence, go IPSec away as much as you
want.

For securing the tunnel it would require distributing keying material.

As IPsec is horrible to configure and does not work through NATs happily
(yes, you can patch crap) nobody ever bothered with this.

For AYIYA packets are signed btw, hence, no spoofing of those.
There is no crypto though there either.

>-3- to the extent of possible be easy to set up for
> Clients

TSP (gogoclient) and TIC (AICCU) solve that problem. CPEs incorporate
these tools or have their own implementations (eg Fritz!Box).

How much 'easier' do you want it?

> and not involve intervention of another party (like when
> requesting an IPv6 address from an administrator, delayed paper forms,
> etc).

Gogo's "anonymous" TSP tunnels do this. They get a lot of abuse.

Other Tunnel Brokers and Gogo TSP in "authenticated" mode require that
one signs up, just as you would with a IPv4 ISP.

This is a "business" decision though. Nothing a technical thing can solve.

>From another mail:

> For example, the current tunnel brokers are very good but
> (1) are not trustful,

What do you mean with "trustful"?

> (2) force into later efforts to renumber when going native,

Changing ISPs typically require that.

Only way to avoid that is to get your own PI space. At that point you
will be able to arrange your own connectivity too though.

> (3) require filling in forms.  6to4 has the advantage of not requiring 3.

And 6to4 is unreliable as no ISP can 100% support it.

With Tunnel Brokers you are signing up for a service. Signing up
requires forms.

Though those forms are there primarily to limit abuse too and to enable
contacting people when they problems with their tunnel so that it can be
resolved.

And another mail:
> 6to4 is not alowing for reverse DNS either, if I am not terribly wrong.

https://6to4.nro.net

But even then you still do not want 6to4 as it is unreliable ;)

Doug Barton wrote:
> ... and yet I would assert that unless we're talking about
> something that is provider managed (such as 6rd) then automatically
> enabling it for the user is a bad idea. It will create more problems
> than it solves, and cause a lot of support calls, which ISPs are not
going to like.

Exactly.

Greets,
 Jeroen