Security Considerations for 6to4

Document Type Expired Internet-Draft (individual)
Author Pekka Savola 
Last updated 2002-03-04
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


The IPv6 interim mechanism 6to4 [6TO4] uses automatic IPv6-over-IPv4 tunneling to interconnect IPv6 networks. The architecture includes Relay Routers and Routers, which accept and decapsulate IPv4 traffic from anywhere. There aren't many constraints on the embedded IPv6 packets, or where IPv4 traffic will be automatically tunneled to. These could enable one to go around access controls, and more likely, being able to perform proxy Denial of Service attacks using Relays as reflectors. This document discusses these issues and tries to suggest enhancements to alleviate the problems.


Pekka Savola (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)