Re: I-D ACTION:draft-ietf-shim6-applicability-01.txt
Iljitsch van Beijnum wrote:
> Hm, maybe it makes sense to build in address rewriting by routers (or
> middleboxes) after all?
> That way, the hosts handle the security, but routers can easily
> overwrite source addresses and middleboxes that carry more state could
> even overwrite destination addresses, as soon as the shim negotiations
> have completed.
Agreed.
Actually, the rewriting can happen during the shim context
establishment as well.
> Can we do better with respect to traffic engineering without throwing
> out security? draft-nordmark-shim6-esd outlines ways in which we can
> get the same feedback loop from routers as in GSE.
> This depends largely on whether we accept the proposed requirement that
> hosts are unable to make any decisions of their own. Do we?
For the initial contact with some degree of id/locator separation we
don't have much choice but to *allow* hosts to make a choice.
The destination identifier will need to map to multiple locators, and
somebody needs to choose. One could externalize that choice from the
host (e.g., in some yet-to-be invented scalable policy lookup system)
but from a deployment perspective it seems we can get more mileage out of
the hosts picking an initial destination locator and then get feedback
from the routers (e.g., using locator rewriting by the routers).
Erik