[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: tunneling [Was: Agenda for Vienna]

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: tunneling [Was: Agenda for Vienna]
From: Erik Nordmark <Erik.Nordmark@sun.com>
Date: Wed, 21 May 2003 14:26:36 +0200 (CEST)
Cc: Erik Nordmark <Erik.Nordmark@sun.com>, multi6@ops.ietf.org
In-reply-to: "Your message with ID" <4176E9E6-8AF5-11D7-B7A7-00039388672E@muada.com>
Reply-to: Erik Nordmark <Erik.Nordmark@sun.com>

> I think the simple DNS approach is a good choice to start with unless 
> depending on the DNS isn't acceptable. Option 5 could be a reasonable 
> alternative if we decide we have to go with crypto (which I personally 
> don't care for).
> 
> But it's hard to know at this stage what the best approach is, and 
> there probably isn't a single best approach. So what I'd like to see 
> happen is that we select the simplest option as a default mechanism 
> that everyone must implement, but keep the option open for the user to 
> override this default behavior in a way that doesn't make the 
> implementation too complex.

My gut feel is that it is too early to choose a mechanism. But studying
the different possible mechanisms (such as using DNS) to determine what impact
that has on the architecture is a very good thing.

I suspect there are two different ways to do this using DNS:
1. It is possible to lookup both identifier and locators based on a DNS
   name, but the DNS doesn't have a mapping from identifier to locators.
   1a. Perhaps the DNS could have a reverse mapping from locators to DNS names
       aka ip6.arpa as today.
2. The DNS also has a mapping from identifiers to locators.
   Presumably this means that the identifiers must be delegated on some 
   hiearchical boundaries.


> We can make receiving stateless if we create our own mapping for 
> sending and depend on return routability. This wouldn't lead to worse 
> security problems than regular IP. So if we can make mapping from the 
> identifier to the locator for sending stateless we're in stateless 
> business.

There is a difference between soft-state and hard-state.
I've been silently assuming that any tunnel endpoint/receiver state would
be soft i.e. have similar behavior as the mobile IPv6 state used
when handling the Home Address Option - if there is no state (due to state
loss) and error saying "please update my state" goes back to the sender.
(The ZOD draft by Glenn Morrow was an example of how to do this with
no packet overhead. Perhaps robustness would be better if there is at
least a "generation" number in the header to be able to detect stale state.)

Such a soft-state approach allows there to be multiple independent tunnel 
endpoints (useful e.g. when the site border runs this during transition)
by dynamically being able to discover the state when packets arrive.

But potentially having such soft-state might use up a lot of memory
on the border - this is something we need to understand more.

  Erik

Follow-Ups:
- Re: tunneling [Was: Agenda for Vienna]
  - From: Tim Chown <tjc@ecs.soton.ac.uk>

References:
- Re: tunneling [Was: Agenda for Vienna]
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: Identifier (structure) [Was: Agenda for Vienna]
Next by Date: Re: Options to consider [Re: tunneling [Was: Agenda for Vienna]]
Previous by thread: Re: tunneling [Was: Agenda for Vienna]
Next by thread: Re: tunneling [Was: Agenda for Vienna]
Index(es):
- Date
- Thread