Re: shim proxy (was Re: failure detection)

[marcelo bagnulo braun <marcelo@it.uc3m.es>]

El 22/08/2005, a las 16:40, Paul Jakma escribió:

> On Mon, 22 Aug 2005, marcelo bagnulo braun wrote:
>
> > the problem is that the is no way to prove the binding between the 
> > identifier and their locator sets... i.e. any prefix could be used 
> > with any identifier and it would be ok, so any rewriting would be ok, 
> > hence the potential attacks...
>
> If, as a subset of all ULIDs, we allow a set of ULIDs to be composed 
> of a network identifier (ie the first 64 bits) and a host identifier 
> (last / least significant 64 bits), ie that the ULID essentially be a 
> valid IPv6 address (which the shim6 drafts anticipate being possible), 
> then the 'proxy' can have a static mapping which need only map the 
> /network/ portion of the ULID to the network portion of a locator. Ie 
> leaving the host portion unchanged.
>
> The security implications are no different from normal static 
> forwarding, as far as I can tell.


Not sure...

Some questions about the scheme that you are considering:
- What upper layer identifiers are used in the endpoints? in particular 
which prefixes do they contain? global unicast or a special purpose 
prefix (as in GSE)?
- Are the endpoints of the communication aware of the prefix sets 
(their own and the peer)? or just the proxy is aware of them?
- How do they (endpoint and/or proxy) learn the prefix set of the peer? 
how are they secured?
- How does the security mechanism for securing the prefix set and the 
identifier interact with the proxy and endpoint?

> > Perhaps you could try to evaluate how would such solution cope with 
> > the threats described in the threat analysis...
>
> I don't see the threat.

i was referring to the threats described in 
draft-ietf-multi6-multihoming-threats-03.txt which need to be dealt 
with

regards, marcelo


> > as i said, i consider this proxy capability to be really interesting, 
> > but i am afraid you are underestimating the security issues here.
>
> Possible :).
>
> > regards, marcelo
>
> regards,
> --
> Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
> Fortune:
> Don't put off for tomorrow what you can do today because if you enjoy 
> it today,
> you can do it again tomorrow.