[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: shim proxy (was Re: failure detection)

To: marcelo bagnulo braun <marcelo@it.uc3m.es>
Subject: Re: shim proxy (was Re: failure detection)
From: Paul Jakma <paul@clubi.ie>
Date: Mon, 22 Aug 2005 15:40:36 +0100 (IST)
Cc: shim6 <shim6@psg.com>
In-reply-to: <3e9a98372ae5d4693d0373cd313a08f3@it.uc3m.es>
Mail-copies-to: paul@hibernia.jakma.org
References: <8622E6A4-B0D7-4C9B-B184-8EB2A7C2738E@muada.com> <Pine.LNX.4.63.0508141523170.7023@sheen.jakma.org> <efebcb5728efd81901d5357b3993b6db@it.uc3m.es> <Pine.LNX.4.63.0508171556080.5353@sheen.jakma.org> <efa6464a563345cc24542d6ab48f3538@it.uc3m.es> <Pine.LNX.4.63.0508171932550.5353@sheen.jakma.org> <0f13bcc353755a4b9b965267a6a7ffb1@it.uc3m.es> <Pine.LNX.4.63.0508181034240.5291@sheen.jakma.org> <d1bbabb2d2a04821223d24f940796d23@it.uc3m.es> <Pine.LNX.4.63.0508181513480.5291@sheen.jakma.org> <4eb5dc3a95d2217a22ab1d81e23fd10d@it.uc3m.es> <Pine.LNX.4.63.0508191456120.5291@sheen.jakma.org> <d703945a4effcb3170c31b7eafa77ac6@it.uc3m.es> <Pine.LNX.4.63.0508201752390.5291@sheen.jakma.org> <3e9a98372ae5d4693d0373cd313a08f3@it.uc3m.es>

On Mon, 22 Aug 2005, marcelo bagnulo braun wrote:

the problem is that the is no way to prove the binding between the identifier and their locator sets... i.e. any prefix could be used with any identifier and it would be ok, so any rewriting would be ok, hence the potential attacks...

If, as a subset of all ULIDs, we allow a set of ULIDs to be composed of a network identifier (ie the first 64 bits) and a host identifier (last / least significant 64 bits), ie that the ULID essentially be a valid IPv6 address (which the shim6 drafts anticipate being possible), then the 'proxy' can have a static mapping which need only map the /network/ portion of the ULID to the network portion of a locator. Ie leaving the host portion unchanged.

The security implications are no different from normal static forwarding, as far as I can tell.

Perhaps you could try to evaluate how would such solution cope with the threats described in the threat analysis...


I don't see the threat.

as i said, i consider this proxy capability to be really interesting, but i am afraid you are underestimating the security issues here.


Possible :).

regards, marcelo


regards,
--
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
Don't put off for tomorrow what you can do today because if you enjoy it today,
you can do it again tomorrow.

Follow-Ups:
- Re: shim proxy (was Re: failure detection)
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

References:
- failure detection
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: failure detection
  - From: Paul Jakma <paul@clubi.ie>
- Re: failure detection
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: failure detection
  - From: Paul Jakma <paul@clubi.ie>
- Re: failure detection
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: failure detection
  - From: Paul Jakma <paul@clubi.ie>
- Re: failure detection
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: failure detection
  - From: Paul Jakma <paul@clubi.ie>
- Re: failure detection
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: failure detection
  - From: Paul Jakma <paul@clubi.ie>
- Re: failure detection
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: failure detection
  - From: Paul Jakma <paul@clubi.ie>
- Re: failure detection
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: failure detection
  - From: Paul Jakma <paul@clubi.ie>
- shim proxy (was Re: failure detection)
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>

Prev by Date: shim proxy (was Re: failure detection)
Next by Date: RE: shim-aware transports
Previous by thread: shim proxy (was Re: failure detection)
Next by thread: Re: shim proxy (was Re: failure detection)
Index(es):
- Date
- Thread