Best practice for running 6to4 relays (was Re: 6to4 borkeness)

Bernhard Schmidt berni at birkenwald.de
Wed Mar 19 22:58:26 CET 2008


Hi Michael,

> 1) I am curious as to what best practice would be to correctly set up a
> 6to4 router for a small ISP, announcing the route as valid just for IPs
> within my network - and not incurring the entire weight of Australia
> trying to route through my gateway? (significant bandwidth charges here)

If you have a Cisco box it is fairly easy:

interface Tunnel2002
  no ip address
  ipv6 address 2001:1B10::C058:6301/128
  ipv6 mtu 1280
  ipv6 verify unicast reverse-path
  tunnel source Loopback2002
  tunnel mode ipv6ip 6to4
  tunnel path-mtu-discovery

interface Loopback2002
  ip address 192.88.99.1 255.255.255.0 secondary
  ip address 83.170.0.245 255.255.255.255

ipv6 route 2002::/16 Tunnel2002

Done. A local 6to4 relay and a global 6to4 relay are no different to 
configure; the key is that you need to limit the BGP distribution of the 
two prefixes involved, 2002::/16 (IPv6 -> IPv4) and 192.88.99.0/24 (IPv4 
-> IPv6). If you only give them to your clients, only they will use this 
gateway.

A few notes to this config:

a) it is still worth a discussion whether 6to4 relays should source IPv4 
packets from 192.88.99.1 (pro: does not break with stateful firewalls) 
or some provider unicast address (pro: easier to track what 6to4 relay 
was used on the way back, anycast addresses should not be used as source 
for anything). I chose the latter, plus you can force your traffic to go 
through this gateway by using this address instead of 192.88.99.1 as 
default gw. If you want to source from 192.88.99.1, make that address 
the main address on Lo2002.

b) pMTU discovery for the underlying IPv4 path seems to be a problematic 
item, so I set "ipv6 mtu 1280" to be on the safe side.

c) verify unicast reverse-path is set here because I've already seen a 
few DoS attempts through 6to4, and the ones I caught so far luckily had 
a non-2002:: source address (and got blocked by uRPF).

Regards,
Bernhard
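Added example (not part of Bernhard's post, and not Cisco code): a small Python audit of what the "ipv6 verify unicast reverse-path" line on Tunnel2002 actually enforces. With the only route pointing at the tunnel being 2002::/16, uRPF drops any decapsulated packet whose inner IPv6 source is outside 2002::/16, which is exactly the class of DoS attempt note (c) describes. The example goes one step beyond the post by also applying the consistency check from RFC 3964: the IPv4 address embedded in a 2002:: source has to equal the outer IPv4 source, and it must not be a private, multicast or reserved address or the 192.88.99.0/24 relay anycast prefix itself. The bogon list and the packet samples are constructed here for illustration; the helper names are my own.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")          # 6to4 prefix, RFC 3056
RELAY_ANYCAST = ipaddress.IPv4Network("192.88.99.0/24")  # relay anycast, RFC 3068

# IPv4 ranges that must never appear embedded in a 6to4 source address.
# Constructed for this example (RFC 3964-style, trimmed); documentation
# ranges are deliberately left out so the sample packets below can pass.
NOT_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def sixto4_prefix(ipv4: str) -> str:
    """Return the 2002:V4ADDR::/48 prefix that an IPv4 address maps to."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 2002 in the top 16 bits, the IPv4 address in bits 16..47.
    v6 = (0x2002 << 112) | (v4 << 80)
    return str(ipaddress.IPv6Network((v6, 48)))


def embedded_ipv4(v6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Extract the IPv4 address carried in bits 16..47 of a 6to4 address."""
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def check_decapsulated(outer_src_v4: str, inner_src_v6: str) -> str:
    """Classify one packet arriving on the 6to4 tunnel.

    Returns "accept" or a short reject reason. The first test is what
    uRPF with a lone 2002::/16 route gives you; the rest are the extra
    RFC 3964 checks a relay should apply.
    """
    outer = ipaddress.IPv4Address(outer_src_v4)
    inner = ipaddress.IPv6Address(inner_src_v6)

    if inner not in SIXTO4:
        return "reject-not-6to4"            # uRPF on Tunnel2002 drops this
    emb = embedded_ipv4(inner)
    if emb != outer:
        return "reject-embedded-mismatch"   # spoofed or relayed-through-third-party
    if any(emb in net for net in NOT_ROUTABLE):
        return "reject-embedded-not-routable"
    if emb in RELAY_ANYCAST:
        return "reject-embedded-relay-anycast"
    return "accept"


def audit(samples):
    """Count verdicts over (outer IPv4 src, inner IPv6 src) pairs."""
    counts = {}
    for outer, inner in samples:
        verdict = check_decapsulated(outer, inner)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample packets, not captured traffic.
SAMPLES = [
    ("198.51.100.7", "2002:c633:6407::1"),   # consistent 6to4 host
    ("198.51.100.7", "2001:db8::1"),         # non-2002:: source, uRPF case from the post
    ("203.0.113.9",  "2002:c633:6407::1"),   # embedded address != outer source
    ("10.0.0.1",     "2002:a00:1::1"),       # embedded RFC 1918 address
    ("192.88.99.1",  "2002:c058:6301::1"),   # embedded relay anycast address
]

if __name__ == "__main__":
    print("prefix for 192.88.99.1:", sixto4_prefix("192.88.99.1"))
    for outer, inner in SAMPLES:
        print(f"{outer:>14} {inner:>20} -> {check_decapsulated(outer, inner)}")
    print(audit(SAMPLES))
```

The order of the checks matters for what you see in counters: a packet that fails the 2002::/16 test never reaches the embedded-address comparison, so "reject-not-6to4" on a real relay is the uRPF drop counter, while the other reasons only show up if you add the RFC 3964 filtering on top of what the IOS config in the post provides.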
