Educause Security Discussion mailing list archives

Re: IPv6 Tunnels


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 15 Feb 2005 12:13:08 -0500

On Tue, 15 Feb 2005 11:49:18 EST, Gary Flynn said:

> A student-run unix server has been set up as an
> IPv6 tunnel for academic experimentation and learning.
> I'm worried about IPv6 tunnels inadvertently
> bypassing border access controls.

Well... there's 2 possibilities.  One is that it's a 6-over-4 tunnel,
in which case your border router only sees the IPv4 encapsulation.

But you *ALREADY* know how to deal with this - it's exactly the same
issue as an incoming VPN or SSL connection. (If you don't already handle
this case, you've got bigger problems than IPv6).

Another issue is if it's a native IPv6 connection if your site has rolled
that out.  Make sure that any IPv4 ACLs on the border routers have equivalent
IPv6 ACLs in place.

Common cause of screw-ups in filtering:  Forgetting about IPv6 addresses
in the ffff: prefix - those are encapsulated IPv4 addresses....
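
An added example, not part of the original message: one way to check a border deny list for the two filtering gaps described above, IPv4-mapped IPv6 addresses and IPv4 rules with no IPv6 counterpart. The function names and the deny list are hypothetical; the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample: IPv4 prefixes denied at the border (documentation ranges).
DENIED_V4 = ["192.0.2.0/24", "198.51.100.0/25"]

def embedded_ipv4(addr):
    """Return the IPv4 address the filter should judge, or None for plain IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ip
    return ip.ipv4_mapped  # IPv4Address for ::ffff:a.b.c.d, else None

def is_denied(addr, denied_v4=DENIED_V4):
    """Apply the IPv4 deny list to IPv4 and to IPv4-mapped IPv6 addresses."""
    v4 = embedded_ipv4(addr)
    if v4 is None:
        return False
    return any(v4 in ipaddress.ip_network(n) for n in denied_v4)

def mapped_equivalent(prefix_v4):
    """IPv6 prefix covering the same hosts written in IPv4-mapped form."""
    net = ipaddress.ip_network(prefix_v4)
    base = int(ipaddress.IPv6Address("::ffff:0:0")) | int(net.network_address)
    return ipaddress.IPv6Network((base, 96 + net.prefixlen))

def missing_v6_rules(denied_v4, denied_v6):
    """IPv4 deny entries whose mapped form no IPv6 deny entry covers."""
    v6_nets = [ipaddress.ip_network(n) for n in denied_v6]
    return [p for p in denied_v4
            if not any(mapped_equivalent(p).subnet_of(v6) for v6 in v6_nets)]

if __name__ == "__main__":
    # Constructed test addresses: plain IPv4, two spellings of the mapped form, native IPv6.
    for a in ["192.0.2.10", "::ffff:192.0.2.10", "::ffff:c000:20a", "2001:db8::1"]:
        print(a, "denied" if is_denied(a) else "not matched")
    print("no IPv6 equivalent for:",
          missing_v6_rules(DENIED_V4, ["::ffff:192.0.2.0/120"]))
```
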
