Re: Comments on multi6dt documents
Pekka Savola wrote:
> True .. but firewalls of today don't even have a _chance_ of skipping
> over the extension header, even if they, or their administrators would
> want that (well, if the extension header is in TLV format, maybe then,
> because some firewalls assume the next ext headers are in TLV).
> Destination options at least allow that possibility.
If any future extension headers follow the canonical format:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len | ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
then one can build firewalls that are liberal in what they accept.
But I still think this is moot because firewalls by nature will be
conservative in what they accept.
> Right out, I can't think of anything else than ICMP and multicast (which
> you already mentioned), but that doesn't of course mean those kinds of
> protocols might not exist. Therefore I think it would make sense to put
> this sufficiently clearly in the document that people need to keep in
> mind that there may be some protocols which might call for special
> handling.
ok, I'll add some words.
>> Why do you wish to confuse things by calling it an ALG? It is a local
>> matter for the implementation how it demuxes ICMP errors. ALGs and
>> NATs make people think of middleboxes which perform transformations
>> which cannot be reversed.
> Sorry, I was just trying to figure out a term which says, "requires the
> host's shim layer and possibly some weirder middleboxes (like stateful
> firewalls, when they want to figure whether to pass this error in or
> not) have knowledge of applications' semantics [and if there are new
> such applications, requiring this application knowledge to be
> updated], to be able to mangle the addresses inside the payload correctly."
It isn't "applications" - it is what I'd call "IP signaling protocols"
or something like it; protocols which are not end-to-end but involve the
routers along the path. ICMP errors from the routers, or RSVP signaling
is what we currently have as examples. NSIS falls here as well.
Erik
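The exchange above turns on whether a firewall can compute the length of an extension header it does not know. As an added illustration (not code from this thread or from either author) the following Python walker implements both policies Erik describes: a conservative mode that rejects any Next Header value it cannot classify, and a liberal mode that assumes an unknown value carries the canonical Next Header / Hdr Ext Len layout and skips it. The fixed-length Fragment header and the AH header (whose length is in 4-octet units) are handled as the special cases they are, and ESP stops the walk because nothing behind it is readable. The packet builder, the `liberal` flag and the function names are my own; the sample packets are constructed inline, and 253 is the IANA experimental Next Header value from RFC 4727.

```python
"""Walk an IPv6 extension-header chain the way a firewall would.

Added example, not part of the multi6 thread. It shows why a firewall can
only skip a header whose length it can derive from the Next Header /
Hdr Ext Len layout, and what "conservative" versus "liberal" means here.
"""
import struct

# Headers whose length is (Hdr Ext Len + 1) * 8 octets (RFC 2460 layout).
CANONICAL_EXT = {0: "Hop-by-Hop", 43: "Routing", 60: "Destination Options"}
FRAGMENT = 44          # fixed 8 octets; the length field is reserved
AH = 51                # (Payload Len + 2) * 4 octets (RFC 4302)
ESP = 50               # encrypted from here on; the chain cannot be walked
NO_NEXT_HEADER = 59
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 132: "SCTP"}


class ChainError(ValueError):
    """Raised when the header chain cannot be walked safely."""


def walk_chain(packet, liberal=False, max_headers=8):
    """Return (upper_proto, upper_offset, [(ext_type, offset), ...]).

    liberal=False: an unrecognised Next Header value is a hard error, the
    choice a conservative firewall makes.
    liberal=True: an unrecognised value is assumed to use the canonical
    layout and is skipped, so new extension headers pass through.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ChainError("not an IPv6 packet")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    end = min(len(packet), 40 + payload_len)
    nh, off, seen = packet[6], 40, []
    while True:
        if nh in UPPER_LAYER or nh == NO_NEXT_HEADER:
            return nh, off, seen
        if nh == ESP:
            raise ChainError("ESP at offset %d: chain not walkable" % off)
        if off + 2 > end:
            raise ChainError("truncated at offset %d" % off)
        if nh in CANONICAL_EXT:
            hdr_len = (packet[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            hdr_len = 8
        elif nh == AH:
            hdr_len = (packet[off + 1] + 2) * 4
        elif liberal:
            hdr_len = (packet[off + 1] + 1) * 8   # assume canonical layout
        else:
            raise ChainError("unknown Next Header %d at offset %d" % (nh, off))
        if off + hdr_len > end:
            raise ChainError("header at offset %d runs past packet end" % off)
        seen.append((nh, off))
        if len(seen) > max_headers:
            raise ChainError("too many extension headers")
        nh, off = packet[off], off + hdr_len


def verdict(packet, liberal=False):
    """Firewall-style summary: the upper-layer protocol name, or 'drop'."""
    try:
        nh, _, _ = walk_chain(packet, liberal)
    except ChainError:
        return "drop"
    return UPPER_LAYER.get(nh, "none")


# --- constructed sample packets (hypothetical traffic, built inline) -------

def _encode_ext(ext_type, next_type, total_len):
    """Encode one extension header of total_len octets, zero-filled body."""
    if ext_type == FRAGMENT:
        len_field = 0
    elif ext_type == AH:
        len_field = total_len // 4 - 2
    else:
        len_field = total_len // 8 - 1
    return bytes([next_type, len_field]) + bytes(total_len - 2)


def build_packet(ext_chain, upper_proto, payload=b""):
    """ext_chain is a list of (ext_type, total_len); addresses are ::1."""
    types = [t for t, _ in ext_chain] + [upper_proto]
    body = b"".join(_encode_ext(t, types[i + 1], n)
                    for i, (t, n) in enumerate(ext_chain)) + payload
    loopback = bytes(15) + b"\x01"
    fixed = struct.pack("!IHBB", 0x60000000, len(body), types[0], 64)
    return fixed + loopback + loopback + body


if __name__ == "__main__":
    known = build_packet([(0, 8), (60, 16)], 6, bytes(20))
    novel = build_packet([(253, 8)], 17)          # experimental header type
    print(verdict(known), verdict(novel), verdict(novel, liberal=True))
```

The `novel` packet is the case the thread is about: with `liberal=False` it is dropped purely because 253 is unknown, while `liberal=True` reads the second octet as Hdr Ext Len and finds UDP behind it. The truncation check matters in both modes, since a liberal walker that trusts a length field it cannot bound is worse than a conservative one.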