
Re: Comments on multi6dt documents



Following up on an old message, sorry...

On Thu, 11 Nov 2004, Erik Nordmark wrote:
> > Agreed. I wasn't sure of the context, just that IP+EXT+whatever might not do it. Destination options however provide the facilities today for skipping over them without making assumptions; this might not in practice be any better though.

> If a firewall is built on the philosophy to be conservative it will not let anything new through, whether it is a new payload type, a new option, or whatever.

True .. but firewalls of today don't even have a _chance_ of skipping over the extension header, even if they, or their administrators, would want that (well, if the extension header is in TLV format, maybe then, because some firewalls assume the next ext headers are in TLV). Destination options at least allow that possibility.


> > So, the demux code needs to deal with ICMPv6 address translation. What about other protocols? Do we want to care for the others which might be doing similar things, or do we just say 'just do the referral thing'?

> What other protocols do you have in mind?
[...]

Right out, I can't think of anything else than ICMP and multicast (which you already mentioned), but that doesn't of course mean those kinds of protocols might not exist. Therefore I think it would make sense to put this sufficiently clearly in the document that people need to keep in mind that there may be some protocols which might call for special handling.

> > The fact this is an ALG in a sense should possibly be stated, with the caveat that we're assuming that there aren't other equally "fundamental" protocols where you shouldn't be required to deal with the full referral process.

> Why do you wish to confuse things by calling it an ALG? It is a local matter for the implementation how it demuxes ICMP errors. ALGs and NATs make people think of middleboxes which perform transformations which cannot be reversed.

Sorry, I was just trying to figure out a term which says, "requires the host's shim layer and possibly some weirder middleboxes (like stateful firewalls, when they want to figure out whether to pass this error in or not) to have knowledge of applications' semantics [and if there are new such applications, requiring that this application knowledge be updated], to be able to mangle the addresses inside the payload correctly."


--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
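As an added illustration of the point above about a filter skipping extension headers (example code written for this archive page, not from the thread or from any shim6 implementation), the walker below follows an IPv6 extension-header chain the way a conservative firewall could: headers whose layout it knows, and the TLV options inside Destination Options, are skipped by their length fields, while an unknown Next Header value ends the walk because the header's length cannot be determined. The sample chains, option type 0x3e and Next Header value 253 are constructed for the example.

```python
# Extension headers a conservative filter knows how to measure (RFC 2460):
# Hop-by-Hop (0), Routing (43) and Destination Options (60) carry a length
# field in 8-octet units (not counting the first 8); Fragment (44) is 8 octets.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
LENGTH_FIELD_HEADERS = {HOP_BY_HOP, ROUTING, DEST_OPTS}
UPPER_LAYER = {6, 17, 58}          # TCP, UDP, ICMPv6: end of the chain
PAD1, PADN = 0, 1                  # option types every implementation knows


def skip_options(opts):
    """Walk the TLV option area of a Hop-by-Hop / Destination Options header.
    Unknown option types are skipped by their own length byte, so the walk
    never has to understand them. Returns the unknown option types seen."""
    unknown, i = [], 0
    while i < len(opts):
        otype = opts[i]
        if otype == PAD1:              # Pad1 has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):         # truncated option: stop cleanly
            break
        if otype != PADN:
            unknown.append(otype)
        i += 2 + opts[i + 1]
    return unknown


def walk_chain(next_hdr, data):
    """Follow the header chain starting with Next Header value next_hdr.
    Returns (upper-layer protocol, headers traversed, unknown option types);
    the protocol is None when the chain could not be followed, i.e. when an
    extension header of unknown layout (no known length field) was hit."""
    seen, unknown, off = [], [], 0
    while next_hdr not in UPPER_LAYER:
        if next_hdr in LENGTH_FIELD_HEADERS:
            if off + 2 > len(data):
                return None, seen, unknown
            total = (data[off + 1] + 1) * 8
            if next_hdr != ROUTING:
                unknown += skip_options(data[off + 2:off + total])
        elif next_hdr == FRAGMENT:
            total = 8
        else:
            return None, seen, unknown  # new header type: cannot be skipped
        if off + total > len(data):
            return None, seen, unknown  # truncated packet
        seen.append(next_hdr)
        next_hdr, off = data[off], off + total
    return next_hdr, seen, unknown


# Constructed chains (header bytes only). First: Destination Options carrying
# an unknown option 0x3e (2 data bytes) plus PadN, then ICMPv6 (one byte).
DEST_OPTS_THEN_ICMP = bytes([58, 0, 0x3e, 2, 0xAA, 0xBB, 1, 0]) + b"\x80"
# Second: a made-up new extension header (Next Header 253), then ICMPv6.
NEW_EXT_THEN_ICMP = bytes([58, 0, 0, 0, 0, 0, 0, 0]) + b"\x80"
```

walk_chain(DEST_OPTS, DEST_OPTS_THEN_ICMP) reaches ICMPv6 and reports the unknown option; walk_chain(253, NEW_EXT_THEN_ICMP) returns None because a filter has no way to know how long the new header is.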