
RE: 3gpp-analysis document and automatic tunneling



On Wed, 21 May 2003, Hesham Soliman wrote:
>  > Yes.  And it adds complexity which is unnecessary, and has
>  > some other 
>  > problems as well (e.g. automated, open-to-the-world 
>  > tunneling is always 
>  > dangerous).  
> 
> => The words between brackets above are not relevant
> to this tunnelling mechanism; they are more relevant
> to a 6to4 relay model, which is not what is being 
> discussed. Routing protocols can be secured. 

It's not as bad as 6to4, but any mechanism implementing any kind of
automatic tunneling requires very careful review.  The spec is very weak
on security considerations.  For example, there is no description of how the
route advertisements in practice build and tear down the tunnel.

My fear is that implementations doing this would implement something
similar to "automatic tunneling interface with compatible addresses", 
which is inherently insecure.

There must be prior authentication before a tunneled packet is accepted.  
But being a routing protocol, this might be doable (automatic configured 
tunneling vs. automatic tunneling).

>   Also, did you know that BGP tunneling has IPR claims?
> 
> => No.

Now you do.  I have been quite critical of the technique in the past, 
and this does nothing to change it, quite the contrary.

>  > But some ISPs are so fond of overlay network model they may
>  > want to build
>  > such networks anyway.  AFAICS, this is nothing specific to 3GPP.  
>  > Therefore, an extensive analysis of this case -- whether it's really
>  > needed, how to address it, etc. -- belongs to the ISP documents, not
>  > 3GPP.
> 
> => I agree that it's not specific to 3GPP, it is relevant
> to any operator deploying an IP network so perhaps 
> a general discussion on whether this is needed is better 
> than associating it with any draft. 

Well, there has been general discussion of NAT-PT (or translation) too --
but that's something that's applicable in all scenarios.  This is really
only an option in the ISP networks, so I think examining it in the ISP
context only, in those documents, seems the most useful approach.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
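The distinction drawn in the message between "automatic tunneling with compatible addresses" and configured tunneling with prior authentication, as an added illustration that is not part of the original mail: a decapsulator in the first model accepts protocol-41 traffic from any IPv4 host whose inner source merely echoes the outer source, while the configured model only accepts packets from endpoints established beforehand. The packets and the peer table are constructed here; the peer set stands in for whatever out-of-band mechanism (e.g. a secured routing-protocol session) establishes the tunnel.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation (RFC 2893)

def build_pkt(src4, dst4, src6, dst6):
    """Construct a minimal IPv6-in-IPv4 packet (constructed test input):
    20-byte IPv4 header carrying a 40-byte IPv6 header with no payload."""
    ipv6 = (struct.pack("!IHBB", 0x60000000, 0, 59, 64)  # ver 6, len 0, no next hdr
            + ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64,
                       IPPROTO_IPV6, 0, ipaddress.IPv4Address(src4).packed,
                       ipaddress.IPv4Address(dst4).packed)
    return ipv4 + ipv6

def parse_outer(pkt):
    """Return (outer IPv4 source, protocol number, encapsulated payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    return ipaddress.IPv4Address(pkt[12:16]), pkt[9], pkt[ihl:]

def accept_automatic(pkt):
    """Automatic tunneling with IPv4-compatible addresses: any IPv4 host may
    inject protocol-41 traffic; the only 'check' is that the inner IPv6 source
    ::a.b.c.d echoes the outer IPv4 source, which the sender controls.
    This is the open-to-the-world model the mail warns against."""
    src4, proto, payload = parse_outer(pkt)
    if proto != IPPROTO_IPV6 or len(payload) < 40:
        return False
    inner_src = ipaddress.IPv6Address(payload[8:24])
    return inner_src == ipaddress.IPv6Address(int(src4))  # ::a.b.c.d form

def accept_configured(pkt, peers):
    """Configured tunneling: decapsulate only if the outer IPv4 source is a
    tunnel endpoint established beforehand (authenticated out of band, e.g.
    by the routing-protocol session). Everything else is dropped."""
    src4, proto, payload = parse_outer(pkt)
    return proto == IPPROTO_IPV6 and len(payload) >= 40 and src4 in peers

# Constructed scenario using documentation prefixes, not real hosts.
PEERS = {ipaddress.IPv4Address("192.0.2.1")}  # hypothetical pre-established peer
LEGIT = build_pkt("192.0.2.1", "192.0.2.2", "2001:db8::1", "2001:db8::2")
ROGUE = build_pkt("203.0.113.9", "192.0.2.2", "::203.0.113.9", "2001:db8::2")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("rogue", ROGUE)):
        print(name, "automatic:", accept_automatic(pkt),
              "configured:", accept_configured(pkt, PEERS))
```

The rogue packet, sent by an unknown host that simply mirrors its own address into the inner header, is decapsulated by the automatic model and dropped by the configured one.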