[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: The state of IPv6 multihoming development

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: The state of IPv6 multihoming development
From: Pekka Nikander <Pekka.Nikander@nomadiclab.com>
Date: Sun, 27 Oct 2002 15:47:34 +0300
Cc: Tony Li <Tony.Li@procket.com>, multi6@ops.ietf.org
In-reply-to: <20021027103332.V14896-100000@sequoia.muada.com>
References: <20021027103332.V14896-100000@sequoia.muada.com>
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.2b) Gecko/20021024

Iljitsch van Beijnum wrote:

The basic idea is simple: the IP addresses the transport layer uses
become the identifiers of a session. In transit, these identifiers
may/must be replaced by locators, but they identifiers are restored
before the packet reaches the transport layer at the other end.

The idea is that identifiers are also valid "regular" IP addresses that
can be used whenever multi-address multihoming isn't supported by both
ends or otherwise not desired.

Why does this so much sound like Mobile IPv6 to me?

...

Making this functionality "portable" so it can be located either inside
the host, or at a border router or some intermediate device would
greatly help in easy deployment and makes it possible to better address
the needs to implement multihoming or traffic engineering policies and
address management in large networks.

And why does this statement make me think that the lessons
we learned during the Mobile IPv6 security process might
be good to remember here?

I am probably biased here, but IMHO once you start to really
ponder the security consequences, you pretty much come to the
idea that maybe, after all, it might be better to introduce
a new cryptographic name space instead of once more overloading
the IP name space with some IP addresses that are end-point
identifiers (and locators) and some that are (just) locators.
The resulting aliasing problems are nasty, security wise.
The NSRG report still makes a good reading.

If you are going to require changes to the end-host and the
introduction of a mudem box anyway, the HIP design might
be a good place to start with.  The more recent variants of
HIP already support end-host multi-homing, and they contain
a "mudem" which is able to perform prefix translation, function
as a mobility home agent, and as a mobility anchor point.

Probably the LIN6/LINA design can do most of what HIP does as well,
but I haven't followed their recent changes, and I don't know if
they have already solved the scalability problems in their
security design.

--Pekka Nikander

References:
- RE: The state of IPv6 multihoming development
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: RE: The state of IPv6 multihoming development
Next by Date: Re: The state of IPv6 multihoming development
Previous by thread: RE: The state of IPv6 multihoming development
Next by thread: Re: The state of IPv6 multihoming development
Index(es):
- Date
- Thread