
Re: ISATAP and admin/IP domains [RE: 3gpp-analysis: Recommendatio n on tunneling in the UE]

On Tue, 18 Nov 2003, JORDI PALET MARTINEZ wrote:
> I'm not sure if I got what you mean ... but if you mean that
> ISATAP should be used only in enterprise scenarios, I think that is
> wrong.

Pretty close.

Remember, our goal is not just to deploy IPv6 as fast as possible,
it's also to do it securely, with operationally sound principles, etc.

You may be assuming that if we have a generic tool which works (to some
definition of "works"), that's good -- nobody cares about the security
considerations anyway as long as the transition is easy... :-)

I'm not saying that we might not want to consider something like
ISATAP in some scenarios; it's just that when doing so, we have to be
careful to consider the features it provides (whether
useful/desirable), the security assumptions it has, etc. etc. -- quite
a number of non-trivial issues!

The direction we'd develop e.g. ISATAP would probably depend a LOT
on which scenarios we want to make it applicable in, which is why we
need to figure out the scenarios first before going down the path of
specifying mechanisms.

> In general, my opinion is that if we can find the best set of
> transition tools, that can be deployed everywhere in the network, to
> be able to sort out automatically several possible transition
> scenarios/situations, then we have the best chance to help in the
> transition. And that means to me that if a transition tool, in your
> example ISATAP, can be used in more scenarios than the original
> scope, then that is very good.

A mechanism being usable in more than one scenario would be nice, of
course.

But such a mechanism must also be suited for those scenarios, e.g.
considering its design assumptions, security properties, operational
considerations etc.

I'm not sure if other than the most basic transition mechanisms such
as dual-stack and configured tunneling pass this test.

For example, I would not recommend 6to4 to be used by enterprises,
ISPs (except for relays) or 3GPP networks, for a number of reasons,
mainly based on its unreliability, and such networks requiring better
control of the mechanisms ("configured tunnel") than 6to4 can provide.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings