
RE: ingress filtering problem



Spencer Dawkins wrote:

> I'm probably late to the party, but don't (1) and (2) break
> transport-mode IPsec?
>

(1) depicts schemes to forward IP packets to the "correct" ISP such that the
source address matches the ISP's ingress filter. There is no IP src/dst
rewriting during the process. So, transport-mode IPsec won't be affected.

(2) uses NAT to rewrite the locators (IP src/dst) in order to pass through the
ISP's ingress filter and provides a consistent src/dst address pair for the
non-multi6 host at the other end of the communication. It is no better (or
worse) than existing NAT deployments regarding IPsec compatibility issues.

> So IPsec transport mode would be a non-goal?
>

I can't speak for the WG. But I believe one of the goals is not to introduce
new threats.

This is a quote from "Goals for IPv6 Site-Multihoming Architectures (RFC
3582)".

4.  Security Considerations

   A multihomed site should not be more vulnerable to security breaches
   than a traditionally IPv4-multihomed site.

   Any changes to routing practices made to accommodate multihomed sites
   should not cause non-multihomed sites to become more vulnerable to
   security breaches.

--------------
Kanchei Loa
loa@ieee.org
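The two egress schemes contrasted in the reply above, as an added example that is not part of the original mail or of any multi6 WG draft: a multihomed site holds one prefix from each of two ISPs, each ISP's ingress filter accepts only its own prefix, and a hash over the src/dst pair stands in for a transport-mode IPsec association bound to those addresses. The prefixes are constructed documentation-space values and the function names are assumptions.

```python
import hashlib
import ipaddress

# Constructed sample prefixes (documentation space, not real ISPs).
ISP_PREFIXES = {
    "ISP-A": ipaddress.ip_network("2001:db8:a::/48"),
    "ISP-B": ipaddress.ip_network("2001:db8:b::/48"),
}


def ingress_filter_accepts(isp, src):
    """ISP ingress filter: accept only packets whose source address lies in
    the prefix that this ISP delegated to the site."""
    return ipaddress.ip_address(src) in ISP_PREFIXES[isp]


def header_integrity(src, dst):
    """Stand-in for an integrity check that covers the IP addresses, as a
    transport-mode IPsec SA keyed on the src/dst pair effectively does."""
    return hashlib.sha256(f"{src}|{dst}".encode()).hexdigest()


def scheme1_forward(src, dst):
    """Scheme (1): choose the exit ISP whose ingress filter matches the
    unchanged source address. Returns (isp, wire_src, wire_dst)."""
    for isp in ISP_PREFIXES:
        if ingress_filter_accepts(isp, src):
            return isp, src, dst
    raise ValueError("no ISP ingress filter accepts this source address")


def scheme2_nat(src, dst, egress_isp):
    """Scheme (2): traffic leaves through a fixed ISP; when the source would
    fail that ISP's filter, NAT rewrites it into the ISP's prefix."""
    if ingress_filter_accepts(egress_isp, src):
        return egress_isp, src, dst
    translated = str(ISP_PREFIXES[egress_isp][1])  # constructed NAT pool address
    return egress_isp, translated, dst


def ipsec_survives(result, original_src, dst):
    """The association keyed on the original pair survives only if the
    addresses on the wire are the ones the endpoints agreed on."""
    _, wire_src, wire_dst = result
    return header_integrity(wire_src, wire_dst) == header_integrity(original_src, dst)


if __name__ == "__main__":
    src, dst = "2001:db8:b::10", "2001:db8:ffff::1"
    print(scheme1_forward(src, dst))       # leaves via ISP-B with src intact
    print(scheme2_nat(src, dst, "ISP-A"))  # src rewritten into ISP-A's prefix
```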