Re: Comments on multi6dt documents
On Wed, 10 Nov 2004, Erik Nordmark wrote:
> > Unless we can make some simplifying assumptions here it seems like bringing
> > up issues described in section 2.1.9 of
> > draft-savola-v6ops-security-overview-03.txt and prior to that in a
> > different draft -- i.e., the nodes must be able to interpret and process, or
> > skip over -- all the possible headers out there.
>
> Are you saying the middleboxes will inspect, not the IP+ICMP part, but the
> offending packet contained in the ICMP error?
>
> I don't think this is a problem.
>
> There might be concern about adding an extension header to get e.g.
> IP+EXT+TCP and what that does to the packets in middleboxes, but the context
> of this piece of the discussion is the ICMP errors, right?
>
> If the middlebox lets through IP+EXT+TCP then presumably it will allow the
> error which is IP+ICMP+IP+EXT+TCP in the reverse direction.

Agreed. I wasn't sure of the context, just that IP+EXT+whatever might
not do it. Destination options however provide the facilities today
for skipping over them without making assumptions; this might not in
practice be any better though.

> > Just demuxing the packet (and doing reverse mapping if needed) would be one
> > thing, but don't you also have to parse inside the packet and translate
> > that back as well? Then the implementation should have to know which
> > protocols to parse and how, i.e., where the "juicy bits" to look are.
>
> Yes, the implementation needs to be able to pass the indication that an ICMP
> error was received to the correct ULP "connection", which involves finding
> the ULIDs that were used before the shim did its work on the xmit side.
> The details of this depend on how the internal interfaces in the
> implementation for delivering notifications about ICMP errors to the ULPs
> work; does it deliver the actual ICMP packets or something more abstract,
>
> So it involves writing code in an implementation and should be noted in the
> draft. Is it hard? No.

So, the demux code needs to deal with ICMPv6 address translation.
What about other protocols? Do we want to care for the others which
might be doing similar things, or do we just say 'just do the referral
thing'?

The fact this is an ALG in a sense should possibly be stated, with the
caveat that we're assuming that there aren't other equally
"fundamental" protocols where you shouldn't be required to deal with the
full referral process.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
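The demux step the thread is talking about, as an added Python illustration that is not part of this message or of any shim6 implementation: the ICMPv6 error quotes the offending IP+EXT+TCP packet addressed with locators, the extension-header chain is skipped the way Destination Options allow, and the locators are mapped back to the ULIDs the ULP knows before the notification is handed up. The addresses, the locator/ULID map, the sample error and the assumption that the Shim6 payload extension header (IANA protocol 140) uses the common (next header, length) layout are all constructed here.

```python
import ipaddress
import struct

# Extension headers sharing the (next_hdr, hdr_ext_len) layout; 140 is the IANA
# protocol number for Shim6, assumed here to use the same layout.
CHAINED_EXT = {0, 43, 60, 140}
FRAGMENT_HDR = 44
ICMPV6_ERRORS = {1, 2, 3, 4}  # Dest Unreach, Packet Too Big, Time Exceeded, Param Problem

# Constructed locator -> ULID reverse map for one shim context (hypothetical addresses).
LOC_A, LOC_B = (ipaddress.IPv6Address(a).packed for a in ("2001:db8:1::a", "2001:db8:2::b"))
ULID_MAP = {LOC_A: ipaddress.IPv6Address("2001:db8:100::1").packed,
            LOC_B: ipaddress.IPv6Address("2001:db8:200::1").packed}


def skip_ext_headers(pkt, next_hdr, offset):
    """Walk the inner header chain; return (upper-layer protocol, its offset)."""
    while next_hdr in CHAINED_EXT or next_hdr == FRAGMENT_HDR:
        if offset + 2 > len(pkt):
            raise ValueError("extension header truncated in ICMP error")
        nh, ext_len = pkt[offset], pkt[offset + 1]
        offset += 8 if next_hdr == FRAGMENT_HDR else (ext_len + 1) * 8
        next_hdr = nh
    return next_hdr, offset


def demux_icmpv6_error(icmp, loc_to_ulid=ULID_MAP):
    """ULP notification with locators mapped back to ULIDs; None if not shim traffic."""
    if icmp[0] not in ICMPV6_ERRORS:
        return None  # informational message, nothing to demux
    inner = icmp[8:]
    src, dst = inner[8:24], inner[24:40]
    if src not in loc_to_ulid or dst not in loc_to_ulid:
        return None  # no shim context: caller delivers the error untranslated
    ulp, off = skip_ext_headers(inner, inner[6], 40)
    note = {"type": icmp[0], "code": icmp[1], "proto": ulp,
            "src": str(ipaddress.IPv6Address(loc_to_ulid[src])),
            "dst": str(ipaddress.IPv6Address(loc_to_ulid[dst]))}
    if ulp == 6 and off + 4 <= len(inner):  # TCP ports, when the error quotes them
        note["sport"], note["dport"] = struct.unpack("!HH", inner[off:off + 4])
    return note


def sample_error():
    """Constructed Destination Unreachable quoting IP+DstOpts+Shim6+TCP on locators."""
    dst_opts = bytes([140, 0, 1, 4, 0, 0, 0, 0])  # next=Shim6, len 0, PadN option
    shim6 = bytes([6, 0]) + b"\x00" * 6  # next=TCP, payload extension header
    tcp = struct.pack("!HH", 443, 51000) + b"\x00" * 16
    body = dst_opts + shim6 + tcp
    ip6 = struct.pack("!IHBB", 0x60000000, len(body), 60, 64) + LOC_A + LOC_B
    return bytes([1, 3, 0, 0, 0, 0, 0, 0]) + ip6 + body
```

An error whose quoted packet is cut short inside the header chain raises rather than guessing the transport, which is the truncation case a middlebox-mangled or minimally quoting sender produces.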