On 3-okt-2005, at 14:10, Paul Jakma wrote:
> end-host shim6 -> uses an HBA for ULID.
> site shim6 -> hosts are assigned ULIDs from a stable, invariant address range. Hosts just use regular IPv6 stacks and regular ways to assign themselves IPv6 addresses; an intermediary does shim6 with a 1:1 mapping.
> Both cases would use the shim6 mechanisms. The latter case would need further thought regarding the ulid:locator(s) binding (providing proof of its validity), which HBA would have provided (as per end-host). (One possibility would be that such a globally-assigned but non-globally-routable prefix would also have a key set registered at the point of assignment; it gets tricky, but the mechanism could allow for such. Probably difficult to solve without significant operational considerations. :( )
Well, one way to do something HBA-like for the second case would be to insert the hash in bits 8 - 47 rather than 64 - 127. That way, unique site locals can easily be reused here. Of course 40 bits isn't all that strong, but it's probably good enough to thwart casual attacks.
Another approach is to put the keys in the DNS.

But in any event, using unreachable ULIDs has two important repercussions:

- the communication is no longer backward compatible
- shim state must be created before the communication can start

However, I think we need to solve this because our solution would be incomplete if we can't recover from the ULP choosing a ULID that happens to be unreachable.
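The 40-bit variant sketched above (hash in bits 8-47 instead of 64-127), worked through as an added example. This is constructed code written for this page, not code from the thread, the shim6 drafts or the HBA specification: the site's ULID /48 is derived by hashing its routable /48 locator prefixes into the Global ID field of a ULA prefix, a peer verifies the binding by recomputing the hash, and the site shim maps ULID to locator by swapping the /48. SHA-256, the 4-byte modifier, the input encoding and the 2001:db8 sample prefixes are all assumptions of the example.

```python
import hashlib
import ipaddress

# Constructed example of an HBA-like binding for site-level ULIDs, putting the
# hash in bits 8-47 (the 40-bit Global ID of a ULA prefix) rather than in the
# 64-bit interface identifier. SHA-256, the 4-byte modifier and the input
# encoding are assumptions made for this example, not taken from the shim6
# drafts or from the HBA specification.

ULA_LOCAL_FIRST_BYTE = 0xFD  # fc00::/7 with the L bit set (locally assigned)


def _locator_set_hash(locator_prefixes, modifier):
    """Hash the site's routable /48 locator prefixes in canonical (sorted) order."""
    nets = sorted(ipaddress.IPv6Network(p) for p in locator_prefixes)
    h = hashlib.sha256()
    h.update(modifier.to_bytes(4, "big"))  # lets a site choose among candidates
    for n in nets:
        if n.prefixlen != 48:
            raise ValueError("locator prefixes must be /48: %s" % n)
        h.update(n.network_address.packed[:6])  # the 48 prefix bits only
    return h.digest()


def ula_prefix_from_locators(locator_prefixes, modifier=0):
    """Derive the site's ULID /48: fd, then 40 hash bits, then zeroed subnet/IID."""
    global_id = _locator_set_hash(locator_prefixes, modifier)[:5]  # 40 bits
    packed = bytes([ULA_LOCAL_FIRST_BYTE]) + global_id + bytes(10)
    return str(ipaddress.IPv6Network((packed, 48)))


def make_ulid(ulid_prefix, subnet_id, interface_id):
    """Compose a host ULID from the derived /48, a 16-bit subnet id and a 64-bit IID."""
    base = int(ipaddress.IPv6Network(ulid_prefix).network_address)
    return str(ipaddress.IPv6Address(base | (subnet_id << 64) | interface_id))


def verify_ulid_binding(ulid, claimed_locator_prefixes, modifier=0):
    """Peer-side check: do bits 8-47 of the ULID equal the hash of the locator
    set the site claims? Finding a different set that matches costs about
    2^40 hash trials, which is the 'not all that strong' caveat in the post."""
    packed = ipaddress.IPv6Address(ulid).packed
    if packed[0] != ULA_LOCAL_FIRST_BYTE:
        return False
    expected = _locator_set_hash(claimed_locator_prefixes, modifier)[:5]
    return packed[1:6] == expected


def ulid_to_locator(ulid, locator_prefix):
    """The 1:1 rewrite a site shim would do: swap the /48, keep the low 80 bits."""
    net = ipaddress.IPv6Network(locator_prefix)
    if net.prefixlen != 48:
        raise ValueError("locator prefix must be /48")
    low80 = ipaddress.IPv6Address(ulid).packed[6:]
    return str(ipaddress.IPv6Address(net.network_address.packed[:6] + low80))


if __name__ == "__main__":
    locators = ["2001:db8:1::/48", "2001:db8:2::/48"]  # constructed sample site
    prefix = ula_prefix_from_locators(locators)
    ulid = make_ulid(prefix, 1, 1)
    print("ULID prefix:", prefix)
    print("host ULID:  ", ulid)
    print("bound to claimed set:", verify_ulid_binding(ulid, locators))
    print("bound to padded set: ",
          verify_ulid_binding(ulid, locators + ["2001:db8:bad::/48"]))
    print("rewritten locator:   ", ulid_to_locator(ulid, locators[1]))
```

Two properties of this layout are worth noting. Because the hash covers only the site's locator prefixes, every host in the site shares one binding, and the subnet id and IID are free for ordinary address assignment, which is what lets plain IPv6 stacks be used behind the intermediary. The verification is order-independent (the prefixes are sorted before hashing) but rejects any set that adds or removes a locator, and its strength is exactly the 40 bits of the Global ID field.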