Re: Rewriting and proxies

[Iljitsch van Beijnum <iljitsch@muada.com>]

On 23-aug-2005, at 18:17, marcelo bagnulo braun wrote:

> > One way around this would be for the shim proxy to intercept  
> > packets from the hosts that don't implement the shim, and  
> > immediately try to set up a shim-enabled session using an HBA/CGA  
> > compatible address. So host A sends out a packet to host B with  
> > address A1(eui64), and the proxy immediately rewrites this into A1 
> > (hba). If the shim negotiation then completes, the proxy can  
> > inform the other side that the ULID is actually A1(eui64) and  
> > everything works completely transparently. If the shim  
> > negotiations fail, the proxy can either continue the session and  
> > keep rewriting, which is faster but not very clean,

> But in this case, the ULID used by the proxied host and the ULID  
> perceived the peer would be different wouldn't they?

Right. However, using the term "ULID" makes it seem like this still  
uses shim6, but it doesn't: this is the fallback mode to backward  
compatible non-shim communication.

> If so, this would imply that the rewriting is no longer transparent  
> to the upper layers, which i think we agreed that was not such a  
> good idea (all the nat implications an so on)

Right, that's why I also included:

> > or send the original A1(eui64) packet.

> An alternative that we discussed a while ago was to let the proxy  
> assign the HBA/CGA addresses to the proxied host (through dhcp for  
> instance) so that the proxied host has the correct addresses  
> configured, and the proxy can use the security features of such  
> addresses to secure the shim protocol locator exchange even if the  
> proxied host ois not aware of it.

That's also possible, but it wouldn't be without deployment issues.

Iljitsch