Hi Tony, On 17/02/2006, at 0:23, Tony Li wrote:
Let me try to correct your impression. Some of us are very much aware of the issues involved and are very interested in supporting more functionality at the enterprise boundary. However, over the years, it has been made very clear that performing that type of locator selection or route selection at the enterprise border is also seen very much as a form of NAT. While I happen to disagree with that particular assessment, the simple fact of the matter is that the political situation within the IETF at present makes any non-host-based solution intractable. This is _precisely_ what drove us towards the shim6 solution. It is not an optimal answer, by any means, IMHO. It is only the best solution that we have been able to reach consensus on.
Personally, I agree with Erik that the current solution is not very far from supporting prefix rewriting by site exit routers. We have talked about this point several times on this list, and I can see three possible approaches (not all of them being so easy to obtain using the shim):

1) The current scheme, where the host performs all the functions of the shim.

2) A full proxy approach, where a middle box performs all the shim6 stuff on behalf of a set of hosts that don't know anything about the shim and are not even aware of the multiple addresses. This is the approach most similar to the original GSE. This approach seems to have quite a lot of complexity, mainly because the proxy needs to store all the shim state related to each ongoing communication.

3) It would also be possible to have a hybrid approach, where the host is shim enabled and the routers are allowed to rewrite the source address prefixes. In this approach, the security negotiation would be end to end, but the exit path selection would be performed by the routers. So, the shim context is established end to end between the shim capable hosts. In this context the hosts securely negotiate the full set of prefixes available for each end. Once the shim context is set up by the peers, the routers can rewrite the prefix of the source address. This approach would allow the intra-site routing system to actually determine the exit path and would somehow restore the TE capabilities of the routers. Moreover, fault tolerance can be performed using BGP rather than using the failure detection mechanism of the shim (probably there will be some failure modes that won't be detected through this means). The resulting approach would restore part of the BGP-based fault tolerance and TE capabilities lost in the current shim6 approach.
Of course, there are a few things that need to be changed for this to work, like no privacy support, all the routers need to know all the prefixes, all the shim6 sessions must have all the prefixes available, and so on, but perhaps it may be interesting to explore it a bit more.
Regards, marcelo
Regards, Tony
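The hybrid approach sketched in marcelo's message above (an end-to-end shim context carrying each side's full locator set, with site exit routers rewriting the source prefix) as an added toy model in Python. This is not code from the shim6 work or from either poster: the classes, the constructed two-provider topology, the assumption that every data packet carries the shim context tag, and the prefix rewrite rule are illustrative simplifications, not the shim6 wire format, and the HBA/CGA proof that binds a locator set to its ULID in real shim6 is left out.

```python
"""Toy model of the hybrid shim6 idea: hosts negotiate locator sets end to
end, site exit routers pick the exit and rewrite the source prefix.

Added illustration only; nothing here is shim6 protocol code. The context
tag on every packet and the /48 rewrite rule are modelling assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv6 = ipaddress.IPv6Address
Net6 = ipaddress.IPv6Network


@dataclass(frozen=True)
class Packet:
    src: IPv6
    dst: IPv6
    ctx_tag: int      # assumption: data packets always carry the shim context tag
    payload: bytes


@dataclass(frozen=True)
class ShimContext:
    """Per-peer state at each host: ULID pair plus the complete locator set
    each side agreed on when the context was established."""
    ctx_tag: int
    local_ulid: IPv6
    peer_ulid: IPv6
    local_locators: frozenset
    peer_locators: frozenset


class ShimHost:
    def __init__(self, ulid: str, locators: list) -> None:
        self.ulid = IPv6(ulid)
        self.locators = frozenset(IPv6(loc) for loc in locators)
        if self.ulid not in self.locators:
            raise ValueError("ULID must be one of the host's locators")
        self.contexts: dict = {}

    def establish(self, peer: "ShimHost", ctx_tag: int) -> None:
        """Stand-in for shim6 context establishment: both ends learn the
        other's *full* locator set up front (so routers need add nothing later)."""
        self.contexts[ctx_tag] = ShimContext(ctx_tag, self.ulid, peer.ulid,
                                             self.locators, peer.locators)
        peer.contexts[ctx_tag] = ShimContext(ctx_tag, peer.ulid, self.ulid,
                                             peer.locators, self.locators)

    def send(self, ctx_tag: int, payload: bytes) -> Packet:
        ctx = self.contexts[ctx_tag]
        # The host always emits its ULID; exit-path selection is left to the routers.
        return Packet(ctx.local_ulid, ctx.peer_ulid, ctx_tag, payload)

    def receive(self, pkt: Packet) -> Optional[tuple]:
        """Map a (possibly rewritten) source back to the peer ULID, accepting
        only locators that were negotiated end to end; anything else is dropped."""
        ctx = self.contexts.get(pkt.ctx_tag)
        if ctx is None:
            return None
        if pkt.src not in ctx.peer_locators or pkt.dst not in ctx.local_locators:
            return None
        return (ctx.peer_ulid, ctx.local_ulid, pkt.payload)


class SiteExitRouter:
    """Site exit router that rewrites the source prefix to the one its upstream
    expects; which exit a packet reaches is decided by intra-site routing."""
    def __init__(self, site_prefixes: list, upstream_prefix: str) -> None:
        self.site_prefixes = [Net6(p) for p in site_prefixes]
        self.upstream = Net6(upstream_prefix)

    def forward(self, pkt: Packet) -> Packet:
        match = next((p for p in self.site_prefixes if pkt.src in p), None)
        if match is None:
            return pkt  # not a site address: nothing to rewrite
        host_bits = int(pkt.src) & ((1 << (128 - match.prefixlen)) - 1)
        new_src = IPv6(int(self.upstream.network_address) | host_bits)
        return Packet(new_src, pkt.dst, pkt.ctx_tag, pkt.payload)


def run_demo() -> dict:
    """Constructed topology (not from the thread): multihomed site with two
    provider prefixes talking to a single-homed peer."""
    a = ShimHost("2001:db8:1::10", ["2001:db8:1::10", "2001:db8:2::10"])
    b = ShimHost("2001:db8:3::20", ["2001:db8:3::20"])
    a.establish(b, ctx_tag=0x2A)

    site = ["2001:db8:1::/48", "2001:db8:2::/48"]
    routers = {
        "isp1": SiteExitRouter(site, "2001:db8:1::/48"),
        "isp2": SiteExitRouter(site, "2001:db8:2::/48"),
        # Misconfigured exit rewriting to a prefix the shim context never negotiated.
        "bad": SiteExitRouter(site, "2001:db8:9::/48"),
    }
    pkt = a.send(0x2A, b"hello")
    results = {}
    for name, router in routers.items():
        out = router.forward(pkt)
        results[name] = (str(out.src), b.receive(out))
    return results


if __name__ == "__main__":
    for exit_name, (src, verdict) in run_demo().items():
        print(exit_name, src, "accepted as" if verdict else "dropped", verdict and str(verdict[0]))
```

The check in `receive` is the whole point: because the peer locator set was fixed end to end when the context was set up, a router choosing among the negotiated prefixes is transparent to the receiving shim, while a rewrite to any prefix outside that set is dropped rather than mapped to the ULID. That is the operational consequence of the requirement in the message that all the shim6 sessions carry all the site's prefixes and all the routers know them.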