
Re: threats ID



>>>> I believe NOID and certainly ODT allow layer 4 to work without 
>>>> changes,
>>>
>>> You can believe so, just as you can believe NAT allows layer 4 to work
>>> without changes.
>> I think there is a notable difference. In my reading you are using 
>> NAT very loosely for all forms of address rewrite. NAT to me does 
>> static rewrites, with no form of signaling.
>
> Wrong. Rewriting is not the essential problem.
>
> Right. The problem is lack of signaling OF *CONNECTIONS*.
>
> As you might know, there are no connections and no signaling at
> the IP layer.

Right, but along the same lines of reasoning, NAT won't break 
anything at the _IP_ layer. It might break things at the ULPs though.

> Thus, the only thing NAT and other layer 3 things can do is
> guessing the connection state by a lack of communication
> for certain period of time, though, sometimes, you can detect
> TCP SYN and FIN.

I would say that this is the difference between (most of) the proposals 
in multi6 and NAT. The proposals have provided mechanisms to let ULPs 
handle referrals, even when there is rewriting. Something that NAT does 
not provide.

> However, that you observe no traffic over a connection does
> not necessarily mean that the connection is broken.

True. Which is also the topic of a long thread here some time ago.

> There is no signaling unless layer 4 and above are involved,
> though guessing may work for TCP.

The mechanisms to allow address rewrite will have to

a) Leave it to the ULPs to handle connection state and connection 
verification. An aid in doing this might be to create a middle layer 
(the 3.5) which functions as a recording mechanism for state.

b) Provide a means to the ULPs to handle referrals transparently. 
Again, this can be done with a shim layer, or in other ways.

>> Especially breaking referrals by hiding the "true" address to the 
>> outside world. Most (if not all) id/loc proposals here claim that 
>> referrals do work. There is a huge difference: referrals are a crucial 
>> component of any multi6 solution. This was also pointed out in the 
>> comments by Patrick.
>
> NAT rewriting is transparent to applications, if the applications
> rely on TCP and DNS and DNS is modified to reflect the rewriting.
>
> So are other proposals, including mine, as is explained in
> my proposal.

To dive into semantics, part of the problem/difference between multi6 
proposals and NAT is the fact that NAT _is_ transparent to the ULPs and 
that no state is recorded at the end-nodes. And now we are close to 
drifting into the point that Vijay raised on whether this is good or not.

- kurtis -
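The three points argued in this message (a NAT rewrites headers but not the address an application hands out in a referral, a NAT can only guess connection state from silence, and a shim layer with explicit signaling lets a referral survive a locator change) as a small added simulation. This is illustrative code written for this thread, not from any multi6 proposal; the addresses, identifier "id-A", the idle timeout and the `Shim`/`NAT` classes are all constructed assumptions.

```python
from dataclasses import dataclass

INSIDE = "10.0.0.5"        # constructed: host A, behind the NAT (private range)
NAT_PUBLIC = "192.0.2.1"   # constructed: the NAT's outside address
PEER = "198.51.100.7"      # constructed: host B, outside
IDLE_TIMEOUT = 300         # assumed: seconds of silence before the NAT forgets a mapping

@dataclass
class Packet:
    src: str
    dst: str
    payload: dict          # application data; a referral carries an address here

class NAT:
    """Header-only rewrite with no signaling: connection state is guessed."""
    def __init__(self, public):
        self.public = public
        self.last_seen = {}  # inside address -> time the last packet was seen
    def outbound(self, pkt, now):
        self.last_seen[pkt.src] = now
        return Packet(self.public, pkt.dst, pkt.payload)  # payload left as-is
    def expire(self, now):  # the NAT's only "state": silence lasting IDLE_TIMEOUT
        self.last_seen = {a: t for a, t in self.last_seen.items()
                          if now - t < IDLE_TIMEOUT}

class Shim:
    """Layer 3.5: identifier -> locator map kept current by explicit signaling."""
    def __init__(self):
        self.locators = {}
    def signal(self, ident, locator):   # the end-node announces its own locator
        self.locators[ident] = locator
    def resolve(self, ident):
        return self.locators.get(ident)

def referral_via_nat():
    """A refers B to itself with the only address A knows: the inside one."""
    nat = NAT(NAT_PUBLIC)
    pkt = nat.outbound(Packet(INSIDE, PEER, {"refer_to": INSIDE}), now=0)
    return pkt.payload["refer_to"], pkt.src   # referred address != header source

def quiet_connection_via_nat():
    """A live but idle connection loses its mapping: silence is read as broken."""
    nat = NAT(NAT_PUBLIC)
    nat.outbound(Packet(INSIDE, PEER, {}), now=0)
    nat.expire(now=IDLE_TIMEOUT + 1)
    return INSIDE in nat.last_seen

def referral_via_shim():
    """A refers B to its stable identifier; B resolves it to A's current locator."""
    shim = Shim()
    shim.signal("id-A", "2001:db8::a")
    pkt = Packet("2001:db8::a", PEER, {"refer_to": "id-A"})
    shim.signal("id-A", "2001:db8:1::a")   # A moves; the new locator is signaled
    return shim.resolve(pkt.payload["refer_to"])
```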