
FYI Isatap implementations info



Hi Fred,

In relation to the process of updating the Isatap draft
to comply with existing implementations (provided
that's still the idea (?)), you may find the following
information useful.

We have made, and are continuing to use,
implementations of Isatap on host as well as on router stacks.
The implementations have been deployed in various
scenarios, though primarily using GPRS and UMTS
IPv4-only access networks.

The implementations are used in configurations which
are largely in compliance with (e.g.) draft-v12, with
the following deviations and/or clarifications:

General:
If not otherwise specified, [mechv02] requirements 
wrt ND, ICMP etc. over tunnels are fulfilled.

No multicast emulation.
DAD not performed on Isatap interfaces.
Link-layer Address Options not set, and always
ignored in ND messages received on Isatap interfaces.

MTU scheme based on configurable static MTU.

Host implementation particularities:

Direct tunneling to/from on-link addresses is allowed
(on-link equal to prefixes received in RAs).
The following security checks are applied
on incoming packets:

Either the v6 src must be on-link and match the v4 src,
or the v4 src is from a router in the PRL.
In addition, RAs are always checked to ensure that the
v6 src matches the v4 src and that the v4 src is in the PRL.

Router Implementation particularities:

Only Router-to-host communication is supported, that is,
the PRL is not maintained on Router interfaces.
The following security checks are applied
on incoming packets:

The inner IPv6 source address has a prefix configured (i.e. advertised)
on the ISATAP interface and an ISATAP-format interface identifier that 
embeds the IPv4 source address of the outer header.

v6inv4 configured tunnels anchored on an IPv4
address also used by the Isatap interface
will have precedence over the Isatap interface, i.e.,
incoming packets will be processed by the configured tunnel interface 
implementation and not the Isatap interface implementation.
(Further, Isatap interfaces take precedence over 6to4 interfaces.)

For scalability reasons, NUD is not performed on Isatap router interfaces.
Further, on these interfaces address resolution
is based on static address computation only.

Security threat model:

The above security checks have been modeled
according to environments where the site perimeter
is guarded and where either:
* intra-site IPv4 address spoofing isn't possible (e.g. 3G telecom)
* intra-site nodes are trustworthy 

BR, Karen

-----------------------------------------------------------
Karen Egede Nielsen, System Manager, Ericsson Telebit A/S
Phone:  + 45 89385100, Fax:  + 45 89385101
Phone Direct: + 45 89385313, Mobile:+ 45 25134336
karen.e.nielsen@ericsson.com
-----------------------------------------------------------
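The ingress checks described in the mail above (host side: on-link v6 src whose IID embeds the v4 src, or v4 src in the PRL, with RAs requiring both; router side: configured prefix plus ISATAP IID embedding the outer IPv4 source), written out as an added example that is not part of the original mail or of the Ericsson implementation. "Match the v4 src" is assumed here to mean "the ISATAP interface identifier embeds the outer IPv4 source address"; the PRL, prefixes and addresses are constructed sample values.

```python
import ipaddress

# ISATAP interface identifier (RFC 5214): the upper 32 bits of the IID are
# 0000:5EFE (or 0200:5EFE with the u/g bit set), the lower 32 bits the IPv4
# address of the ISATAP node.
ISATAP_IID_HIGH = (0x00005EFE, 0x02005EFE)

def isatap_embedded_ipv4(v6_addr):
    """Return the IPv4 address embedded in an ISATAP-format IID, or None."""
    iid = int(ipaddress.IPv6Address(v6_addr)) & ((1 << 64) - 1)
    if (iid >> 32) not in ISATAP_IID_HIGH:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)

def _in_prefixes(v6_addr, prefixes):
    src = ipaddress.IPv6Address(v6_addr)
    return any(src in ipaddress.IPv6Network(p) for p in prefixes)

def router_accepts(outer_v4_src, inner_v6_src, advertised_prefixes):
    """Router-side check from the mail: inner v6 src lies in a prefix configured
    on the ISATAP interface and its IID embeds the outer IPv4 source."""
    embedded = isatap_embedded_ipv4(inner_v6_src)
    if embedded != ipaddress.IPv4Address(outer_v4_src):
        return False
    return _in_prefixes(inner_v6_src, advertised_prefixes)

def host_accepts(outer_v4_src, inner_v6_src, onlink_prefixes, prl, is_ra=False):
    """Host-side check from the mail. Data packets: either the v6 src is on-link
    (a prefix received in an RA) and its IID embeds the v4 src, or the v4 src is
    a PRL router. RAs: the IID must embed the v4 src AND the v4 src must be in
    the PRL. 'Match' is assumed to mean 'IID embeds the outer IPv4 source'."""
    v4 = ipaddress.IPv4Address(outer_v4_src)
    iid_matches = isatap_embedded_ipv4(inner_v6_src) == v4
    in_prl = v4 in {ipaddress.IPv4Address(r) for r in prl}
    if is_ra:
        return iid_matches and in_prl
    return (iid_matches and _in_prefixes(inner_v6_src, onlink_prefixes)) or in_prl

if __name__ == "__main__":
    # Constructed sample values: one PRL router, one advertised /64.
    prl, prefixes = ["10.0.0.1"], ["2001:db8:1::/64"]
    # Legitimate on-link peer: IID 5efe:a01:203 embeds 10.1.2.3.
    print(host_accepts("10.1.2.3", "2001:db8:1::5efe:a01:203", prefixes, prl))
    # Outer IPv4 source does not match the embedded address: dropped.
    print(router_accepts("10.9.9.9", "2001:db8:1::5efe:a01:203", prefixes))
```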