[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: addition of TLV to locator ID or locator ID set

To: Paul Jakma <paul@clubi.ie>
Subject: Re: addition of TLV to locator ID or locator ID set
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
Date: Sun, 2 Oct 2005 10:46:40 +0200
Cc: Erik Nordmark <erik.nordmark@sun.com>, Brian E Carpenter <brc@zurich.ibm.com>, Spencer Dawkins <spencer@mcsr-labs.org>, shim6-wg <shim6@psg.com>
In-reply-to: <Pine.LNX.4.63.0509302106470.11479@sheen.jakma.org>
References: <Pine.GSO.4.20.0509221614300.28499-100000@meno.corp.us.uu.net> <Pine.LNX.4.63.0509230228280.3483@sheen.jakma.org> <433986D8.1080603@zurich.ibm.com> <Pine.LNX.4.63.0509281225470.3722@sheen.jakma.org> <599A3AB3-F21C-4E51-B705-101AC56DA569@tony.li> <EBB90B1D-5643-4CB7-BA1F-3701ADABC011@muada.com> <35E4CEA9-5D03-4F52-8394-E8E74B08F670@tony.li> <01a901c5c479$40af14b0$8b010a0a@china.huawei.com> <433BCDCD.2020401@zurich.ibm.com> <Pine.LNX.4.63.0509291332290.3722@sheen.jakma.org> <433C2B37.106@sun.com> <Pine.LNX.4.63.0509302106470.11479@sheen.jakma.org>


El 30/09/2005, a las 22:16, Paul Jakma escribió:

On Thu, 29 Sep 2005, Erik Nordmark wrote:
How does the host get an IPv6 address assigned that has the rightlow-order bits so that the HBA stuff on the remote shim/proxy canprove (using HBA) to the peer that it owns the IPv6 address hence isallowed to redirect it?
I don't know. I'm not terribly familiar with HBA. Marcelo seems tothink it's possible.

IMHO, what would be not so hard to support would be that source addressprefixes get rewritten by the exit routers as long as the the securitystuff remains end to end i.e. the hosts are the ones that define theHBA/CGA sets and perform the security validation.That is basically offloading the source address selection to therouter, but the remining parts of the shim are still in the hosts.

doing proxy shim for legacy hosts is much more complex, i.e. letting aproxy box to provide shim capabilities to a legacy host

BTW, one question, is HBA a requirement for shim6?

as is see it, HBA are not a requirement but so far they seem to providethe security protection requiredCGAs can also provide the security required, supporting additionalfeatures with a higher computation cost.As HBAs are defined as an extension to CGAs, then supporting both ofthem would not be complex

Other possibilities include simply securing the side-band shim6protocol (using, eg, anonymous IPSec) and disallowing anylocator<->ULID (do i have the jargon correct?) state changes to occurother than through the secured side-band.
Then you wouldn't need to try stuff security state into an address.

The problem here is how do you bind the key that is used in IPSec withthe identifier used.If you don't provide a security binding, then an atacker can provideits own key and bind it to the victim's identifier, so no good.

The options to provide a secure binding are:
- a third trusted party i.e. PKI

- create the identifer so that it intrinsically contains keyinformation i.e. CGA/HBA

because of the deployment issues, the second option seems moreattractive


regards, marcelo

destination locators to be changed). Thus if the shim proxy wants tohandle this, it needs to first do a 1:1 IPv6 NAT where the proxy hascreated the HBA/CGA addresses for the host.
It'd have to be a 1:1 NAT yes.
One could envision having DHCPv6 be shim aware so that when the hostsasks DHCP for an address, the DHCP server would interact with theshim proxy so that the addresses are from a HBA or CGA set. In thatcase one wouldn't need the 1:1 IPv6 NAT in the shim proxy.
Hmm, possible I guess.
  Erik
regards,
--
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
Liar, n.:
	A lawyer with a roving commission.
		-- Ambrose Bierce, "The Devil's Dictionary"

Follow-Ups:
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>

References:
- Re: addition of TLV to locator ID or locator ID set
  - From: "Jason Schiller (schiller@uu.net)" <jason.schiller@mci.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Tony Li <tony.li@tony.li>
- Re: addition of TLV to locator ID or locator ID set
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Tony Li <tony.li@tony.li>
- Re: addition of TLV to locator ID or locator ID set
  - From: "Spencer Dawkins" <spencer@mcsr-labs.org>
- Re: addition of TLV to locator ID or locator ID set
  - From: Brian E Carpenter <brc@zurich.ibm.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>
- Re: addition of TLV to locator ID or locator ID set
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: addition of TLV to locator ID or locator ID set
  - From: Paul Jakma <paul@clubi.ie>

Prev by Date: Re: source address rewriting and shim6 proxies
Next by Date: Re: addition of TLV to locator ID or locator ID set
Previous by thread: Re: addition of TLV to locator ID or locator ID set
Next by thread: Re: addition of TLV to locator ID or locator ID set
Index(es):
- Date
- Thread