
Re: shim proxy (was Re: failure detection)




On 23/08/2005, at 17:55, Paul Jakma wrote:

On Tue, 23 Aug 2005, marcelo bagnulo braun wrote:

Some questions about the scheme that you are considering:

- What upper layer identifiers are used in the endpoints? in particular which prefixes do they contain? global unicast or a special purpose prefix (as in GSE)?


To Be Assigned, I guess. I don't know.


i guess that my point is that when you start to actually define how these things are done, issues start to pop up, in particular, issues with the security mechanisms (basically because when you want to provide proxied security, the trust model becomes more complex)


- Are the endpoints of the communication aware of the prefix sets (their own and the peer)? or just the proxy is aware of them?

The proxied hosts, no. They'd happily think they're using normal IPv6. Just the proxies which intermediate their access to the rest of the world would recognise their IPv6 network prefix and host identifier as being a shim6 ULID.


- How do they (endpoint and/or proxy) learn the prefix set of the peer? how are they secured?

The remote shim6 peer? Via the TBD shim6 protocol.

- How does the security mechanism for securing the prefix set and the identifier interact with the proxy and endpoint?

I'm not sure I understand, could you elaborate?



see the thread that Iljitsch started for additional insights into the complexity of not having the endpoints aware of the locator set and the ways to secure this

regards, marcelo

i was referring to the threats described in draft-ietf-multi6-multihoming-threats-03.txt which need to be dealt with

Thanks, I'll have a look.

regards,
--
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
Practice is the best of all instructors.
		-- Publilius