
Re: The Inside-Out ISATAP Model



Pekka,

--- Pekka Savola <pekkas@netcore.fi> wrote:
> On Sun, 10 Nov 2002, Fred Templin wrote:
> [...]
> > In the traditional model, ISATAP operates "intra-site" as its name
> > implies. Nodes within an ISATAP site connect across the global Internet
> > to other sites via 6to4, native IPv6 routing, etc. But, when globally
> > unique IPv4 addresses are used, the model can be turned "inside-out".
> > 
> > In the inside-out model, ISATAP treats the global Internet as a
> > monolithic site with IPv6 clouds hanging off the edges. As in the
> > traditional model, ISATAP treats the IPv4 Internet as a link layer
> > for IPv6, thus the interface identifier is the natural place to
> > embed the link layer address. Moreover, this model allows all 64
> > bits of the routing prefix to be used for other purposes, e.g.
> > v6 routing.
> 
> Wasn't this model already exhausted with "automatic tunneling using 
> compatible addresses"?  The topology is flat, you can't connect even 
> routers using this mechanism.

It may well have been. If it was, I either missed the discussion or
it went over my head. It seems to me that microcosms of the model
I'm describing here have been debated over the past several months
in the newsgroups, but the model itself was not mentioned from a
high-level perspective. My purpose in bringing it up now is to
inform any others like myself who had never previously considered
turning the ISATAP model inside-out, and to initiate discussion in
the design teams.   

> I fail to see what new advantages ISATAP would bring here.  Instead, the 
> trust model is completely different, and certain assumptions no longer 
> hold.

Whether/not there are advantages, and whether/not the trust model
issues can be worked is something that needs to be discussed in
the design teams, given sufficient interest. I don't have good
answers to these questions myself, and am not entirely certain
what other questions may remain. 
 
> btw. reference to section 4.7 in isatap Security Considerations should be 
> 4.5, I believe.

Arg! You mentioned that before, and I had every intention of fixing
it. Thanks for pointing it out - again!

Fred Templin
osprey67@yahoo.com
 
> -- 
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                   not those you stumble over and fall"
> Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

