[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Shim6 proxies

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: Shim6 proxies
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
Date: Tue, 13 Jun 2006 10:22:49 +0300
Cc: shim6@psg.com, Scott Leibrand <sleibrand@internap.com>, Erik Nordmark <erik.nordmark@sun.com>
In-reply-to: <BC7898C5-DAE1-47B0-B125-C811E8F39F23@muada.com>
References: <Pine.LNX.4.58.0603271434050.29315@sleibrand-ibm.acs.internap.com> <be3431f1f15b52f98dc22e4edeba3aa2@it.uc3m.es> <Pine.LNX.4.58.0603301131490.15884@sleibrand-ibm.acs.internap.com> <4444313C.7010204@sun.com> <BC7898C5-DAE1-47B0-B125-C811E8F39F23@muada.com>


El 12/06/2006, a las 17:12, Iljitsch van Beijnum escribió:

On 18-apr-2006, at 2:22, Erik Nordmark wrote:
Either way, the proxy would
process all shim6-tagged traffic for the host, de-shim it as normal,andthen pass the traffic along to the host's IP instead of passing itup to
the ULP.
I think such a proxy could be built, but instead of relying on somecomplex DHCPv6 coordination of the address assigned to a host, it ismuch much easier to build and deploy and as IPv6 NAT + shim6 proxy.
I also see problems with getting shim-unaware hosts to receive HBA- orCGA-compatible addresses, but I don't think NAT is the solution. Itjust breaks too much stuff, and so far, we've managed to keep NAT outof IPv6. Also, what's the advantage of IPv6+NAT over IPv4+NAT?
I think a better way to handle this would be to introduce analternative security mechanism, such as in the form of regular X.509certificates that are already widely used for SSL today. (The factthat this allows people to get around HBA patent claims is a nicebonus.)
Although it sucks to add additional stuff to shim6, especiallyadditional stuff of this complexity, I think it's probably worth it asthis would allow fully functional proxies without strange tricks. Theproxy would have a certificate that covers the DNS names used by theclients, which is a fairly straightforward thing to get off the groundoperationally. Hosts would simply use existing address configurationtechniques (note that most/all DHCPv6 servers/clients don't supportaddress assignment today) and the proxy would just monitor regularcommunication without modifying anything, so backward compatibilitywould be good. Only when there seems to be a failure the proxy does ashim negotiation and starts remapping the actual address used by theclient to a locator held by the proxy.


I am not sure i understand this...

how would the trust chain between the ULID and the locators would work?through the FQDN?how do we bind the fqdn to the identifier? is this in the certificate?do we need a global PKI?


regards, marcelo

Being able to move multihoming processing to the edge of the networkwould make shim6 much more viable in enterprise networks. It may alsobe useful on content networks.
Iljitsch

Follow-Ups:
- Re: Shim6 proxies
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

References:
- Shim6 proxies
  - From: Scott Leibrand <sleibrand@internap.com>
- Re: Shim6 proxies
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: Shim6 proxies
  - From: Scott Leibrand <sleibrand@internap.com>
- Re: Shim6 proxies
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: Shim6 proxies
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: I-D ACTION:draft-ietf-shim6-applicability-01.txt
Next by Date: Re: Shim6 proxies
Previous by thread: Re: Shim6 proxies
Next by thread: Re: Shim6 proxies
Index(es):
- Date
- Thread