Re: shim proxy (was Re: failure detection)

[marcelo bagnulo braun <marcelo@it.uc3m.es>]

El 23/08/2005, a las 17:55, Paul Jakma escribió:

> On Tue, 23 Aug 2005, marcelo bagnulo braun wrote:
>
> > Some questions about the scheme that you are considering:
>
> > - What upper layer identifiers are used in the endpoints? in 
> > particular which prefixes do they contain? global unicast or a 
> > special purpose prefix (as in GSE)?

> To Be Assigned, I guess. I don't know.

i guess that my point is that when you start to actually define how 
this things are done, isseus start to pop up, in particular, issues 
with the security mechanisms (basically because when you want to 
provide proxied security, the trust model becomes more complex)

> > - Are the endpoints of the communication aware of the prefix sets 
> > (their own and the peer)? or just the proxy is aware of them?
>
> The proxied hosts, no. They'd happily think they're using normal IPv6. 
> Just the proxies with intermediate their access to rest of world would 
> recognise their IPv6 network prefix and host identifier as being a 
> shim6 ULID.
>
> > - How do they (endpoint and/or proxy) learn the prefix set of the 
> > peer? how are they secured?
>
> The remote shim6 peer? Via the TBD shim6 protocol.
>
> > - How does the security mechanism for securing the prefix set and the 
> > identifier interact with the proxy and endpoint?
>
> I'm not sure I understand, could you elaborate?


see the threat that Iljitsch started for additional insights of the 
complexity of not having the endpoints aware of the locator set and the 
ways to secure this

regards, marcelo

> > i was referring to the threats described in 
> > draft-ietf-multi6-multihoming-threats-03.txt which need to be dealt 
> > with
>
> Thanks, I'll have a look.
>
> regards,
> --
> Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
> Fortune:
> Practice is the best of all instructors.
> 		-- Publilius