Re: threats ID
Kurt;
I believe NOID and certainly ODT allow layer 4 to work without
changes,
You can believe so, just as you can believe NAT allows layer 4 to work
without changes.
I think there is a notable difference. In my reading you are using NAT
very loosely for all forms of address rewrite. NAT to me does static
rewrites, with no form of signaling.
Wrong. Rewriting is not the essential problem.
Right. The problem is lack of signaling OF *CONNECTIONS*.
As you might know, there are no connections and no signaling at
the IP layer.
Thus, the only thing NAT and other layer 3 things can do is
guessing the connection state by a lack of communication
for a certain period of time, though, sometimes, you can detect
TCP SYN and FIN.
However, that you observe no traffic over a connection does
not necessarily mean that the connection is broken.
That there is no response for a UDP packet may mean that a
reply ack is lost, that no reply is required by the protocol
above UDP or that the packet is an ack.
There is no signaling unless layer 4 and above are involved,
though guessing may work for TCP.
Especially breaking referrals by
hiding the "true" address to the outside world. Most (if not all)
id/loc proposals here claim that referrals do work. There is a huge
difference; referrals are a crucial component of any multi6 solution.
This was also pointed out in the comments by Patrick.
NAT rewriting is transparent to applications, if the application
relies on TCP and DNS and DNS is modified to reflect the rewriting.
So are other proposals, including mine, as is explained in
my proposal.
However, TCP is not IP, which is the point of my presentation
at Vienna.
Masataka Ohta
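As an added illustration of the point made above about guessing connection state (this is not part of the thread and not anyone's real NAT code), a toy Python model of a NAT's mapping table: TCP SYN/FIN flags give it a hint, UDP gives it nothing but an idle timer, so a legitimately quiet UDP association is torn down while a TCP connection can be aged out quickly once a FIN is seen. Timeout values and addresses are constructed.

```python
TCP_IDLE_TIMEOUT = 7200  # seconds; constructed values, not from any real device
UDP_IDLE_TIMEOUT = 30
TCP_CLOSE_WAIT = 10      # short timer once a FIN/RST has been observed

class NatTable:
    def __init__(self):
        # key: (proto, inside_addr, inside_port, outside_addr, outside_port)
        self.table = {}

    def observe(self, now, proto, src, sport, dst, dport, flags=()):
        """Outbound packet: create or refresh the mapping; note TCP FIN/RST."""
        key = (proto, src, sport, dst, dport)
        entry = self.table.setdefault(key, {"last": now, "fin": False})
        entry["last"] = now
        if proto == "tcp" and {"FIN", "RST"} & set(flags):
            entry["fin"] = True

    def expire(self, now):
        """Silence is the only evidence of death available at this layer."""
        for key, entry in list(self.table.items()):
            if key[0] == "tcp":
                limit = TCP_CLOSE_WAIT if entry["fin"] else TCP_IDLE_TIMEOUT
            else:
                limit = UDP_IDLE_TIMEOUT
            if now - entry["last"] > limit:
                del self.table[key]

    def inbound_allowed(self, now, proto, src, sport, dst, dport):
        """Inbound packet is forwarded only if its mapping survived expiry."""
        self.expire(now)
        return (proto, dst, dport, src, sport) in self.table

def scenarios():
    """Constructed traffic (RFC 1918/5737 addresses): a quiet-but-live UDP
    association and a TCP close. Returns three booleans, all expected True."""
    nat = NatTable()
    udp_out = ("udp", "10.0.0.2", 5000, "203.0.113.9", 4500)
    udp_in = ("udp", "203.0.113.9", 4500, "10.0.0.2", 5000)
    nat.observe(0.0, *udp_out)
    udp_ok = nat.inbound_allowed(20.0, *udp_in)          # within the idle window
    # Peer legitimately silent for a minute (its protocol required no reply);
    # the NAT cannot tell "nothing to say" from "gone" and drops the mapping.
    udp_dropped = not nat.inbound_allowed(60.0, *udp_in)
    tcp_out = ("tcp", "10.0.0.2", 40000, "203.0.113.9", 80)
    tcp_in = ("tcp", "203.0.113.9", 80, "10.0.0.2", 40000)
    nat.observe(0.0, *tcp_out, flags=("SYN",))
    nat.observe(5.0, *tcp_out, flags=("FIN",))           # FIN seen: short timer
    tcp_closed = not nat.inbound_allowed(30.0, *tcp_in)
    return udp_ok, udp_dropped, tcp_closed
```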