[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Draft: PI addressing derived from AS numbers

To: "J. Noel Chiappa" <jnc@ginger.lcs.mit.edu>
Subject: Re: Draft: PI addressing derived from AS numbers
From: Erik Nordmark <Erik.Nordmark@sun.com>
Date: Fri, 21 Feb 2003 17:09:35 +0100 (CET)
Cc: brian@hursley.ibm.com, multi6@ops.ietf.org
In-reply-to: "Your message with ID" <200302040115.h141FOXC002924@ginger.lcs.mit.edu>
Reply-to: Erik Nordmark <Erik.Nordmark@sun.com>

> Unless you start using multiple headers (which is sort of already specified,
> which is why I like 16+16, although it has all the obvious "source routing"
> security bugs), there's only a single IPv6 address field in "IPv6
> *unmodified*", so it's kind of hard to do both with one field.

HIP can help with the "source routing" security bugs.
One question in my mind is whether that type of approach requires 
IPsec protection of every packet, or if one can limit this to a subset
of the packets (like the TCP SYN/SYN-ACK exchange).

Another question, once we have the architectural 16+16 picture clear,
is whether it is possible to do "header compression" to avoid having 4*16
bytes of identifiers+locators in every packet.

A third question is whether one can make this work with both hosts doing
16+16 (which might provide a stronger security binding) and site border
routers doing it (which would be easier to deploy using existing IPv6
implementations in the hosts).

I'll stop now,
   Erik

Follow-Ups:
- Re: Draft: PI addressing derived from AS numbers
  - From: RJ Atkinson <rja@extremenetworks.com>

References:
- Re: Draft: PI addressing derived from AS numbers
  - From: "J. Noel Chiappa" <jnc@ginger.lcs.mit.edu>

Prev by Date: Re: ISP failures and site multihoming [Re: Enforcing unreachability of site local addresses]
Next by Date: Re: GSE
Previous by thread: Re: Draft: PI addressing derived from AS numbers
Next by thread: Re: Draft: PI addressing derived from AS numbers
Index(es):
- Date
- Thread