
Re: LIN6 and multihoming (+sec)




>>>>> On Sat, 18 Aug 2001 11:26:20 +0300 (EEST), Pekka Savola <pekkas@netcore.fi> said:

 > I don't think people generally want to multihome every node, rather
 > multihome a router and provide multihomed connection that way.  IDs based
 > on EUI64 aren't possible with this mechanism if there is only one
 > interface on end-nodes (you could just make up the other ID, I suppose,
 > but that would be ... dirty, and no effective means of tracking them unless
 > using some mapping function to generate them).  The fact remains that this
 > mechanism does not seem to be fit for real multihoming.

	I don't think I understand what you mean by "IDs based on EUI64
	aren't possible with this mechanism if there is only one
	interface on end-nodes", can you clarify?

 > Does ICMP Unreachable trigger you to retry connection using a different
 > destination address?  IIRC ICMP unreaches are soft errors, and affect
 > nothing.

	Our implementation has a hook to handle ICMP unreach messages.
	With this hook, the LIN6 node can refresh the opponent's
	mapping, so strictly speaking the ICMP message does not trigger
	a direct change of the destination address.
	When a node does become unreachable due to a temporary routing
	error and its mapping does not change, its destination address
	will not change.

 > I don't comment on non-multihoming issues, except for the fact that there
 > are no "Security Considerations" in the text.  It appears to me that if
 > you use generalized network prefix as e.g. TCP/UDP endpoints, capturing
 > traffic, hijacking connections etc. are bound to be at least potentially
 > easier (as the generalized LIN6 namespace is flat); this puts even more
 > responsibility for the security of DNS and mapping agent functions.

	You present some good points and we plan to address these issues in
	future drafts. For now, we would like more people to test our
	implementation to get feedback so that we can effectively integrate
	our proposal with DNS and mapping agents. If you have any interest
	at all in LIN6 please try our prototype implementation.

masahiro
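The ICMP-unreachable behaviour described in the reply above, modelled as an added example that is not part of the thread or of the LIN6 implementation. It assumes a hypothetical mapping agent that maps a node identifier to its current locator, and a node that caches one mapping per peer; the identifiers and prefixes are constructed sample data. The model shows the two cases the reply distinguishes: a temporary routing error leaves the mapping, and therefore the destination, unchanged, while a changed mapping does move the destination. It also makes visible why the agent's integrity matters, as the node accepts whatever locator the refresh returns.

```python
"""Toy model of 'refresh the peer mapping on ICMP unreachable'.

Constructed example, not LIN6 code.  Hypothetical names throughout:
MappingAgent stands in for the mapping agent / DNS function, Lin6Node
for a node that caches identifier -> locator mappings for its peers.
"""
from dataclasses import dataclass, field


@dataclass
class MappingAgent:
    """Authoritative identifier -> locator table (constructed sample data)."""
    table: dict

    def lookup(self, node_id: str) -> str:
        return self.table[node_id]

    def move(self, node_id: str, new_locator: str) -> None:
        """The peer renumbers or moves; the agent learns the new locator."""
        self.table[node_id] = new_locator


@dataclass
class Lin6Node:
    agent: MappingAgent
    cache: dict = field(default_factory=dict)   # peer id -> cached locator
    refreshes: int = 0

    def destination(self, peer_id: str) -> str:
        """Locator currently used to reach the peer (resolved once, then cached)."""
        if peer_id not in self.cache:
            self.cache[peer_id] = self.agent.lookup(peer_id)
        return self.cache[peer_id]

    def on_icmp_unreachable(self, peer_id: str) -> bool:
        """Hook for ICMP unreachable: refresh the peer's mapping.

        The ICMP message itself never rewrites the destination; only a
        mapping that actually changed does.  Returns True if the
        destination moved.  Note the node trusts the agent's answer,
        which is why the agent (and DNS feeding it) must be protected.
        """
        old = self.cache.get(peer_id)
        new = self.agent.lookup(peer_id)
        self.refreshes += 1
        self.cache[peer_id] = new
        return old != new


def demo_transient_error() -> tuple:
    """Temporary routing error: mapping unchanged, destination unchanged."""
    agent = MappingAgent({"peer-A": "2001:db8:1::/64"})   # constructed
    node = Lin6Node(agent)
    before = node.destination("peer-A")
    changed = node.on_icmp_unreachable("peer-A")
    return before, node.destination("peer-A"), changed


def demo_peer_moved() -> tuple:
    """Peer's locator changed at the agent: refresh moves the destination."""
    agent = MappingAgent({"peer-A": "2001:db8:1::/64"})   # constructed
    node = Lin6Node(agent)
    before = node.destination("peer-A")
    agent.move("peer-A", "2001:db8:2::/64")                # constructed
    changed = node.on_icmp_unreachable("peer-A")
    return before, node.destination("peer-A"), changed


if __name__ == "__main__":
    print("transient error:", demo_transient_error())
    print("peer moved:     ", demo_peer_moved())
```

Running it prints the cached locator before and after the unreachable, plus whether the destination moved; only the second scenario reports a change.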