
Re: I-D ACTION:draft-nordmark-multi6dt-shim-00.txt



marcelo bagnulo braun wrote:

> Just one additional nit...
> note that HBAs are particularly restrictive in this aspect, since all locators need to be known a priori. However, even if you use alternative schemes that don't impose such a restriction, like CGAs, you still need to add security information at least in the same packet that carries the new locator.

That requirement isn't obvious to me so I think it would warrant discussion.

The issue is whether it would be ok for the multi6 shim to pass a packet to the ULP when the source locator has not been verified as belonging to the peer. We all agree that we need to do such verification before *sending* packets to a new locator, but what about just accepting the packet?

Things to take into account:
In today's Internet, when there is no ingress filtering, anybody can spoof the source IP address and the packets will be passed by IP to the ULP. However, in today's Internet, when there is some ingress filtering, it is possible to restrict the nodes which can actually spoof the source IP address to those that are close to the path between the real location of the IP address and the receiving node.


If a host wants to prevent packet injection attacks today (such as spoofed TCP RST packets), if it wants to prevent it from all nodes and not depend on ingress filtering, wouldn't it use IPsec?

   Erik