
Re: The Inside-Out ISATAP Model



On Sun, 10 Nov 2002, Fred Templin wrote:
[...]
> In the traditional model, ISATAP operates "intra-site" as its name
> implies. Nodes within an ISATAP site connect across the global Internet
> to other sites via 6to4, native IPv6 routing, etc. But, when globally
> unique IPv4 addresses are used, the model can be turned "inside-out".
> 
> In the inside-out model, ISATAP treats the global Internet as a
> monolithic site with IPv6 clouds hanging off the edges. As in the
> traditional model, ISATAP treats the IPv4 Internet as a link layer
> for IPv6, thus the interface identifier is the natural place to
> embed the link layer address. Moreover, this model allows all 64
> bits of the routing prefix to be used for other purposes, e.g.
> v6 routing.

Wasn't this model already exhausted with "automatic tunneling using 
compatible addresses"?  The topology is flat, you can't connect even 
routers using this mechanism.

I fail to see what new advantages ISATAP would bring here.  Instead, the 
trust model is completely different, and certain assumptions no longer 
hold.

btw. reference to section 4.7 in isatap Security Considerations should be 
4.5, I believe.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
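
The address formats this thread compares, as an added example that is not part of the original messages or of any ISATAP implementation: it extracts the IPv4 address embedded in ISATAP, 6to4 and IPv4-compatible IPv6 addresses, then applies a simplified form of the ISATAP decapsulation source check. The function names, the trusted-router list and the sample addresses (documentation ranges) are assumptions made for the illustration.

```python
import ipaddress

# Upper 32 bits of an ISATAP interface identifier: 00-00-5E-FE, or
# 02-00-5E-FE when the "u" bit marks the IPv4 address as globally unique.
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)


def embedded_ipv4(addr):
    """Return (mechanism, IPv4Address) if addr embeds an IPv4 address, else None."""
    n = int(ipaddress.IPv6Address(addr))
    low32 = ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if (n >> 32) & 0xFFFFFFFF in ISATAP_IID_PREFIXES:
        # ISATAP: IPv4 address in the low 32 bits of the interface identifier,
        # leaving all 64 prefix bits free for routing.
        return ("isatap", low32)
    if n >> 112 == 0x2002:
        # 6to4: IPv4 address in bits 16..47 of the routing prefix.
        return ("6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if n >> 32 == 0 and n > 1:
        # IPv4-compatible (::a.b.c.d): no prefix at all, hence the flat topology.
        return ("ipv4-compatible", low32)
    return None


def accept_decap(outer_src_v4, inner_src_v6, trusted_routers=()):
    """Simplified ISATAP ingress check for a decapsulated protocol-41 packet.

    Accept when the outer IPv4 source equals the address embedded in the
    inner ISATAP source, or when the outer source is a configured router.
    This only ties the two source fields together; it does not authenticate
    the outer IPv4 source, which intra-site use leaves to site-border filtering.
    """
    outer = ipaddress.IPv4Address(outer_src_v4)
    hit = embedded_ipv4(inner_src_v6)
    if hit is not None and hit[0] == "isatap" and hit[1] == outer:
        return True
    return outer in {ipaddress.IPv4Address(r) for r in trusted_routers}


if __name__ == "__main__":
    # Constructed sample addresses.
    for a in ("2001:db8::5efe:192.0.2.1", "2002:c000:201::1", "::192.0.2.1"):
        print(a, "->", embedded_ipv4(a))
    print(accept_decap("203.0.113.9", "2001:db8::5efe:192.0.2.1"))
```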