
ISATAP links connect *router* interfaces (was: RE: I-D ACTION:draft-ietf-v6ops-addcon-03.txt)



Hi Jim,

Thanks for your comments, and just one thing to follow
up on for now under a new subject heading: 
 
> Anytime a node tunnels packets to support a virtualized state such as
> ISATAP does to support neighbor discovery has notes that should be
> stated.  That is what I mean by health warnings.  For example nodes
> should not be using this mechanism to subvert the addressing policy and
> use of IPv6 communications without being authorized, etc.

I think there has been for a long time a fundamental
misunderstanding of the ISATAP domain of applicability.
In particular, the ISATAP virtual link connects *router*
interfaces; not host interfaces. As such, packets are not
delivered to/from host interfaces attached to the ISATAP
virtual link; they are forwarded *through* router
interfaces attached to the link.

Therefore, IPv6 packets sent by hosts only traverse
the ISATAP virtual link by being forwarded via a router.
And, since encryption/authentication is required for the
IPv6 packets that are forwarded by a router across the
ISATAP virtual link, there is nothing that could happen on
the ISATAP virtual link itself that would compromise IPv6
security.

Fred
fred.l.templin@boeing.com