Re: threats ID
Masataka, you conclude by saying
> However, TCP is not IP, which is the point of my presentation
> at Vienna.
We can hardly disagree. But TCP is not SCTP, UDP, DCCP or ICMP either.
The systems level argument for a layer 3.5 solution is that it can cover
all cases, including ones we have not invented yet.
You are correct that a layer 3.5 solution requires cached state, probably
with timeouts due to the lack of disconnect signalling. There is a classical
solution to that, which is for the ULP to send a keepalive signal to prevent
the cache from timing out. That would indeed be a ULP enhancement, but a very
minor one and not essential.
Brian
Masataka Ohta wrote:
>
> Kurt;
>
> >>>I believe NOID and certainly ODT allow layer 4 to work without
> >>>changes,
> >>
> >>You can believe so, just as you can believe NAT allows layer 4 to work
> >>without changes.
> >
> >
> > I think there is a notable difference. In my reading you are using NAT
> > very loose for all forms of address rewrite. NAT to me does static
> > rewrites, with no form of signaling.
>
> Wrong. Rewriting is not the essential problem.
>
> Right. The problem is lack of signaling OF *CONNECTIONS*.
>
> As you might know, there are no connections and no signaling at
> the IP layer.
>
> Thus, the only thing NAT and other layer 3 things can do is
> guess the connection state by a lack of communication
> for a certain period of time, though, sometimes, you can detect
> TCP SYN and FIN.
>
> However, that you observe no traffic over a connection does
> not necessarily mean that the connection is broken.
>
> That there is no response to a UDP packet may mean that a
> reply ack is lost, that no reply is required by the protocol
> above UDP, or that the packet is an ack.
>
> There is no signaling unless layer 4 and above are involved,
> though guessing may work for TCP.
>
> > Especially breaking referrals by
> > hiding the "true" address to the outside world. Most (if not all)
> > id/loc proposals here claim that referrals do work. There is a huge
> > difference; referrals are a crucial component of any multi6 solution.
> > This was also pointed out in the comments by Patrick.
>
> NAT rewriting is transparent to applications, if the applications
> rely on TCP and DNS and DNS is modified to reflect the rewriting.
>
> So are other proposals, including mine, as is explained in
> my proposal.
>
> However, TCP is not IP, which is the point of my presentation
> at Vienna.
>
> Masataka Ohta
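The inactivity-guessing problem Masataka describes, and the ULP keepalive remedy Brian proposes for a layer 3.5 cache, as an added Python simulation (not code from either author or from any multi6 proposal). Flow keys, timeout values and the traffic trace are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed timeouts (seconds); a real middlebox or id/loc cache would tune these.
TCP_IDLE = 300.0     # no signalling seen, so fall back to a long idle timer
TCP_CLOSING = 10.0   # FIN/RST observed: the only "signal" visible below layer 4
UDP_IDLE = 30.0      # UDP carries no connection signalling at all


@dataclass
class Entry:
    last_seen: float
    timeout: float


class MappingCache:
    """Per-flow cached state keyed by (proto, src, dst), expired by inactivity only."""

    def __init__(self):
        self.entries = {}

    def observe(self, t, proto, src, dst, flags=()):
        # Purge what has already timed out before recording the new packet.
        self.expire(t)
        if proto == "tcp":
            # SYN/FIN/RST are the only hints an IP-layer observer gets.
            timeout = TCP_CLOSING if ("FIN" in flags or "RST" in flags) else TCP_IDLE
        else:
            timeout = UDP_IDLE
        self.entries[(proto, src, dst)] = Entry(last_seen=t, timeout=timeout)

    def expire(self, t):
        dead = [k for k, e in self.entries.items() if t - e.last_seen > e.timeout]
        for k in dead:
            del self.entries[k]
        return dead

    def alive(self, t):
        self.expire(t)
        return set(self.entries)


def run_scenario():
    """Return the flows still cached at t=120 s in a constructed trace."""
    c = MappingCache()
    c.observe(0, "tcp", "A", "B", flags=("SYN",))
    c.observe(1, "udp", "A", "C")                 # quiet flow, no keepalives: silently dropped
    c.observe(1, "udp", "A", "D")                 # same protocol, but the ULP sends keepalives
    c.observe(5, "tcp", "A", "B", flags=("FIN",))  # close detected, entry aged out quickly
    for t in range(20, 121, 20):
        c.observe(t, "udp", "A", "D")             # ULP keepalive every 20 s < UDP_IDLE
    return c.alive(120)
```

Only the keepalive'd UDP flow survives; the quiet UDP flow is discarded even though nothing says it is broken, which is exactly the guess a layer 3 or 3.5 cache is forced to make.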