Re: flow label demultiplexing



On Mon, 18 Apr 2005, marcelo bagnulo braun wrote:
First, one specific comment:

   An added limitation imposed by this approach is that all the
   potential source and destination locators have to be known beforehand
   by the receiver in order to be recognized.

==> I don't understand why this is a limitation in practice (though it may be an architectural limitation). Isn't the assumption that all the potential locators must be exchanged somehow before the network connectivity failure, otherwise the shim6 solution might not be able to switch to working locators? Otherwise the rehoming could not be secured...


Well, if you are using CGA security, you could use the new locator (as source address) without prior information to the peer. This could be useful in *some* scenarios (let's not mention the word for now :-)
CGA based security does not need prior exchange of locators, right?

Sorry, I don't quite follow. Based on my reading of the HBA spec (I was more confused when I read the new version, because I had thought it worked differently)...


It is true that you can use CGA or HBA addresses for connection survivability only after you have used the shim6 protocol to pass the Parameter Data Structure, right? Otherwise I'm not sure how the host could verify the HBA address (i.e., how is step 1 of Section 5 accomplished otherwise?).

Note that HBA+CGA in one doesn't help (AFAICS) because otherwise you'd be trusting anyone you have a public key with to not hijack any of your sessions?

Or were you talking about the case where the host obtained a new source locator and wants to start using it immediately, and send the first packet using shim6 protocol (also using the new locator as source), i.e., "piggybacking"? That would likely need more than just a flow label in any case, so I don't see how that would apply.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings