[6bone] DoS attacks through 6to4 anycast relay

Pim van Pelt pim@ipng.nl
Thu, 10 Jul 2003 17:20:54 +0200


Alex,

| We (SWITCH) are running one of the (still few) 6to4 anycast relays.
| Normally, traffic rates are very low (last month's average input was a
| little over 200kbps) but there were some spikes of several Mbps in the
| past week.  

I'd like to react to the 'still few' comment above. At AS12859, I've
been playing with the idea to start announcing the IPv4 anycast and
2002::/16, but I'm not entirely sure I'm willing to provide IPv4 transit
to and from foreign networks. On the other hand, < 1 Mbps traffic is
nothing to really worry about. The administration and 'looking after the
box' is something I'm more worried about.

The IPv6 side is fine by me -- we do not pay for transit at the moment.
The IPv4 side worries me in a particular way:

If I announce 192.88.99.0/24 to everybody (peers and IP uplinks), I 
attract everybody's traffic. In order to control this, I can announce it
only to peers. This way, incoming 6to4 traffic will be relayed from IPv4
peers into IPv6 peers. Does not cost anything -> good idea :-)

If I announce 2002::/16 however, I attract other people's
2002:<v4prefix>:: traffic, which I would then have to forward back via
IPv4, possibly using an IP uplink. I cannot filter this traffic, because
people can not steer which 2002::/16 announcer their traffic will go to
that easily. I cannot announce a more specific into the IPv6 DFZ,
although I'd REALLY like to announce '2002:213.136.0.0::/35'. I am
aware of the problems in doing so however.

Bottom line: I have not pursued this any further. If the community is
interested, I can easily be persuaded to proceed with a relay
deployment from AS12859 (nl.bit).

-- 
---------- - -    - - -+- - -    - - ----------
Pim van Pelt                 Email: pim@ipng.nl
http://www.ipng.nl/             IPv6 Deployment
-----------------------------------------------
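The IPv4-side worry in the mail above, as an added Python example that is not part of the original post or of any relay software: a 6to4 relay that announces 2002::/16 receives packets for every 2002:<v4prefix>:: destination and must tunnel each one back to the IPv4 address embedded in bits 16..47 of the destination. The code below maps an IPv4 prefix to its 6to4 equivalent (the '2002:213.136.0.0::/35' more-specific corresponds to 213.136.0.0/19, an inference from the /35, not something the mail states), extracts the embedded IPv4 endpoint, and classifies each destination as reachable via a peer, only via an IPv4 uplink (transit), or not to be relayed at all because the embedded address is private or reserved. The peer prefix list, the bogon list and all traffic samples are constructed for the demonstration.

```python
"""Where does a 6to4 relay have to send the 2002::/16 traffic it attracts?

Added example; the prefixes and byte counts below are constructed.
"""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Embedded IPv4 endpoints a relay should never tunnel to. Constructed list of
# the usual private/reserved ranges, not any real operator's policy.
BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def six_to_four_prefix(v4_cidr: str) -> ipaddress.IPv6Network:
    """Map an IPv4 prefix to its 6to4 prefix: 2002:<v4 bits>::/(16 + v4 length).

    213.136.0.0/19 -> 2002:d588::/35 (the more-specific mentioned in the mail).
    """
    v4 = ipaddress.IPv4Network(v4_cidr)
    # 2002 occupies bits 0..15, the IPv4 address bits 16..47 of the 128-bit address.
    v6_int = (0x2002 << 112) | (int(v4.network_address) << 80)
    return ipaddress.IPv6Network((v6_int, 16 + v4.prefixlen))


def embedded_ipv4(v6_addr: str) -> ipaddress.IPv4Address:
    """Return the IPv4 tunnel endpoint carried in a 2002::/16 address."""
    v6 = ipaddress.IPv6Address(v6_addr)
    if v6 not in SIX_TO_FOUR:
        raise ValueError(f"{v6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def classify_egress(v6_dst: str, peer_v4_prefixes):
    """Decide how the relay reaches the IPv4 endpoint for v6_dst.

    Returns (kind, embedded_v4, matching_peer_prefix_or_None) where kind is
    "drop" (bogon endpoint), "peer" (endpoint inside a prefix learned from a
    peer, free to deliver) or "transit" (only reachable via a paid IPv4 uplink).
    """
    v4 = embedded_ipv4(v6_dst)
    if any(v4 in b for b in BOGONS):
        return ("drop", v4, None)
    for prefix in peer_v4_prefixes:
        if v4 in prefix:
            return ("peer", v4, prefix)
    return ("transit", v4, None)


def egress_totals(samples, peer_v4_prefixes):
    """Sum bytes per egress class over (ipv6_dst, byte_count) samples."""
    totals = {"peer": 0, "transit": 0, "drop": 0}
    for dst, nbytes in samples:
        kind, _, _ = classify_egress(dst, peer_v4_prefixes)
        totals[kind] += nbytes
    return totals


# Constructed peer table: 213.136.0.0/19 is inferred from the /35 in the mail,
# 198.51.100.0/24 is a documentation prefix standing in for some other peer.
PEERS = [ipaddress.IPv4Network("213.136.0.0/19"),
         ipaddress.IPv4Network("198.51.100.0/24")]

# Constructed traffic samples (destination, bytes).
SAMPLES = [
    ("2002:d588:0102::1", 4000),   # 213.136.1.2, own space reached via peering
    ("2002:c633:6401::1", 1500),   # 198.51.100.1, another peer's prefix
    ("2002:cb00:7105::1", 9000),   # 203.0.113.5, not a peer: costs IPv4 transit
    ("2002:0a00:0001::1", 800),    # 10.0.0.1, private endpoint: never relay
]

if __name__ == "__main__":
    print("2002:213.136.0.0::/35 is", six_to_four_prefix("213.136.0.0/19"))
    for dst, nbytes in SAMPLES:
        kind, v4, via = classify_egress(dst, PEERS)
        print(f"{dst:<22} -> {v4!s:<15} {kind:<8} {via or ''} ({nbytes} bytes)")
    print("bytes per egress class:", egress_totals(SAMPLES, PEERS))
```

The "transit" bucket is the traffic the mail is reluctant to carry: the relay can only learn the IPv4 endpoint after decapsulation, and nothing in the 2002::/16 announcement lets the sender pick a relay that peers with that endpoint, so a peers-only IPv6 announcement still results in IPv4 uplink usage.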