
Re: Shim6 proxies



Scott Leibrand wrote:

If you're going to do a full proxy, you have to go all the way IMO.  That
means that for whatever locators the end hosts use, whether they have
multiple locators or not, have to be assumed to be fixed for the session,
just like ULIDs.  The shim6 proxy would then intercept all shim6 control
traffic to that IP, and perform the shim functions on behalf of the host.
It would have a bunch of its own locators, which would make up the locator
set.  It could also include the ULID as one of those locators, and
intercept traffic to that IP with shim6 headers, or I suppose it could
treat the host's IP as a non-routable identifier for shim6 purposes and
just use its own locators in the locator set.  Either way, the proxy would
process all shim6-tagged traffic for the host, de-shim it as normal, and
then pass the traffic along to the host's IP instead of passing it up to
the ULP.

I think such a proxy could be built, but instead of relying on some complex DHCPv6 coordination of the address assigned to a host, it is much, much easier to build and deploy it as an IPv6 NAT + shim6 proxy.

Thus the host picks a single IPv6 address just like today (using stateless address autoconfig or DHCPv6) and the NAT maintains a 1-1 mapping between those local addresses and a ULID (and HBA/CGA parameter set); thus the NAT doesn't need to mess with the port numbers.

The proxy then does all of shim6 on behalf of the host.

One disadvantage with this approach is that the proxy becomes a single point of failure for a TCP connection. But since the 1-1 mapping can be fixed, it can be more easily shared across a pair of such NATting proxies than today's IPv4 NATs that rewrite port numbers. Another disadvantage is that you probably need a two-faced DNS (different answers for internal queries than external ones) so that site-internal traffic can use whatever local IPv6 addresses (ULAs?) are assigned to the hosts. A third disadvantage is that things which don't work through NAT might not work through such a proxy.


So I don't think such a proxy is desirable long-term, even though it can be valuable as part of a transition to shim6.


And as I said, the alternative that Marcelo has been talking about where the DHCPv6 address assignment to the host is coordinated with the shim6 proxy is a lot more complex.

Thus asking what traffic engineering influence can be accomplished with a locator rewrite by the routers is still a very important question in my mind when it comes to the longer-term direction.

   Erik
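The following is an added illustration, not code from the thread or from any shim6 implementation, of the two points made above: a 1-1 address NAT in front of a shim6 proxy never has to rewrite ports, and because its state is one entry per host rather than one per flow, the whole table can be copied to a standby proxy that then handles return traffic for connections it has never seen. All class names, addresses (a ULA prefix inside, a documentation prefix for the ULID side) and the opaque HBA/CGA parameter bytes are constructed for the example; a classic port-rewriting NAT is modelled alongside it only to show the difference in state.

```python
# Constructed model of the "IPv6 NAT + shim6 proxy" front end discussed above.
# Written for this page; class, field and address values are invented.
from dataclasses import dataclass, replace
import ipaddress
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IPv6 transport header: addresses and ports only."""
    src: str
    dst: str
    sport: int
    dport: int


class OneToOneProxyNat:
    """NAT mapping each internal address to exactly one external ULID.

    The mapping is per host, not per flow, so ports are never touched and
    the full state can be exported to a second proxy ahead of time.
    """

    def __init__(self) -> None:
        self.inside_to_ulid: Dict[str, str] = {}
        self.ulid_to_inside: Dict[str, str] = {}
        # Opaque HBA/CGA parameter set per ULID (placeholder bytes here).
        self.params: Dict[str, bytes] = {}

    def bind(self, inside: str, ulid: str, params: bytes) -> None:
        """Fix the 1-1 mapping for one host; addresses are normalised first."""
        inside = str(ipaddress.IPv6Address(inside))
        ulid = str(ipaddress.IPv6Address(ulid))
        if inside in self.inside_to_ulid or ulid in self.ulid_to_inside:
            raise ValueError("mapping must stay one-to-one")
        self.inside_to_ulid[inside] = ulid
        self.ulid_to_inside[ulid] = inside
        self.params[ulid] = params

    def outbound(self, pkt: Packet) -> Packet:
        """Site -> Internet: rewrite only the source address."""
        return replace(pkt, src=self.inside_to_ulid[str(ipaddress.IPv6Address(pkt.src))])

    def inbound(self, pkt: Packet) -> Packet:
        """Internet -> site: rewrite only the destination address."""
        return replace(pkt, dst=self.ulid_to_inside[str(ipaddress.IPv6Address(pkt.dst))])

    def export_state(self) -> Dict[str, Tuple[str, bytes]]:
        """Complete state: one entry per host, independent of live flows."""
        return {i: (u, self.params[u]) for i, u in self.inside_to_ulid.items()}

    @classmethod
    def from_state(cls, state: Dict[str, Tuple[str, bytes]]) -> "OneToOneProxyNat":
        nat = cls()
        for inside, (ulid, params) in state.items():
            nat.bind(inside, ulid, params)
        return nat


class PortRewritingNat:
    """Contrast: NAPT sharing one external address and allocating a port per
    flow, so state grows with connections and exists only after the first
    packet of each flow has been seen."""

    def __init__(self, external: str, first_port: int = 40000) -> None:
        self.external = str(ipaddress.IPv6Address(external))
        self.next_port = first_port
        self.flows: Dict[Tuple[str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (str(ipaddress.IPv6Address(pkt.src)), pkt.sport)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.external, sport=self.flows[key])


def demo() -> Dict[str, object]:
    """Run both NATs over the same constructed traffic and compare their state."""
    primary = OneToOneProxyNat()
    primary.bind("fd00:1::10", "2001:db8:1::10", b"hba-params-placeholder-A")
    primary.bind("fd00:1::11", "2001:db8:1::11", b"hba-params-placeholder-B")

    pkts = [Packet("fd00:1::10", "2001:db8:ffff::1", 50000 + i, 443) for i in range(3)]
    pkts.append(Packet("fd00:1::11", "2001:db8:ffff::1", 60000, 80))
    out = [primary.outbound(p) for p in pkts]

    # A standby built from the exported table handles the replies to flows it
    # never saw, because nothing flow-specific is stored.
    standby = OneToOneProxyNat.from_state(primary.export_state())
    back = [standby.inbound(Packet(o.dst, o.src, o.dport, o.sport)) for o in out]

    napt = PortRewritingNat("2001:db8:1::1")
    for p in pkts:
        napt.outbound(p)

    return {
        "one_to_one_entries": len(primary.export_state()),   # 2 hosts
        "napt_flow_entries": len(napt.flows),                # 4 flows
        "ports_preserved": all(o.sport == p.sport for o, p in zip(out, pkts)),
        "round_trip_ok": all(b.dst == p.src and b.dport == p.sport for b, p in zip(back, pkts)),
    }


if __name__ == "__main__":
    print(demo())
```

The state counts are the point: the 1-1 table has two entries however many connections the hosts open, while the port-rewriting NAT accumulates one entry per flow, which is what makes the former trivial to share between a pair of proxies and the latter hard.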