
Re: ISATAP and admin/IP domains [RE: 3gpp-analysis: Recommendation on tunneling in the UE]



I see your point.

Of course, when I say "works", I mean with the required security considerations.

I know for sure that, whether we like it or not, the transition mechanisms will be used in the "wrong" scenarios, the same as NAT-PT is sometimes used for what it was not designed for, and we have very little chance to change it. So maybe the goal is to make several mechanisms work together in a single "tool box".

Regards,
Jordi

----- Original Message ----- 
From: "Pekka Savola" <pekkas@netcore.fi>
To: "JORDI PALET MARTINEZ" <jordi.palet@consulintel.es>
Cc: <v6ops@ops.ietf.org>
Sent: Tuesday, November 18, 2003 7:19 PM
Subject: Re: ISATAP and admin/IP domains [RE: 3gpp-analysis: Recommendation on tunneling in the UE]


> On Tue, 18 Nov 2003, JORDI PALET MARTINEZ wrote:
> > I'm not sure if I got what you mean ... but if you mean that
> > ISATAP should be used only in enterprise scenarios, I think that is
> > wrong.
> 
> Pretty close.
> 
> Remember, our goal is not just to deploy IPv6 as fast as possible,
> it's also to do it securely, with operationally sound principles, etc.
> 
> You may be assuming that if we have generic tool which works (to some
> definition of "works"), that's good -- nobody cares about the security
> considerations anyway as long as the transition is easy... :-)
> 
> I'm not saying that we might not want to consider something like
> ISATAP in some scenarios; it's just that when doing so, we have to be
> careful to consider the features it provides (whether
> useful/desirable), the security assumptions it has, etc. etc. -- quite
> a number of non-trivial issues!
> 
>  The direction we'd develop e.g.  ISATAP would probably depend a LOT
> on which scenarios we want to make it applicable in, which is why we
> need to figure out the scenarios first before going down the path of 
> specifying mechanisms.
> 
> > In general, my opinion is that if we can find the best set of
> > transition tools, that can be deployed everywhere in the network, to
> > be able to sort out automatically several possible transition
> > scenarios/situations, then we have the best chance to help in the
> > transition. And that means to me that if a transition tool, in your
> > example ISATAP, can be used in more scenarios than the original
> > scope, then that is very good.
> 
> A mechanism being usable in more than one scenario would be nice, of
> course.
> 
> But such a mechanism must also be suited for those scenarios, e.g. 
> considering its design assumptions, security properties, operational 
> considerations etc.
> 
> I'm not sure if other than the most basic transition mechanisms such 
> as dual-stack and configured tunneling pass this test.
> 
> For example, I would not recommend 6to4 to be used by enterprises,
> ISPs (except for relays) or 3GPP networks. For a number of reasons,
> mainly based on its unreliability, and such networks requiring better
> control of the mechanisms ("configured tunnel") than 6to4 can provide.
> 
> -- 
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>
