[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ISATAP links connect router interfaces

To: "Templin, Fred L" <Fred.L.Templin@boeing.com>
Subject: Re: ISATAP links connect *router* interfaces
From: Brian E Carpenter <brc@zurich.ibm.com>
Date: Tue, 10 Apr 2007 10:28:08 +0200
Cc: "Bound, Jim" <Jim.Bound@hp.com>, v6ops@ops.ietf.org
In-reply-to: <39C363776A4E8C4A94691D2BD9D1C9A1029ED6B1@XCH-NW-7V2.nw.nos.boeing.com>
Organization: IBM
References: <816DD9299957E547B5D758D7F977D6DC01B2D6EA@tayexc14.americas.cpqcorp.net> <2C9EA52903BE104EB172E2DB1FD48D9D0248D095@xmb-ams-331.emea.cisco.com> <816DD9299957E547B5D758D7F977D6DC01B2DA1B@tayexc14.americas.cpqcorp.net> <39C363776A4E8C4A94691D2BD9D1C9A101774890@XCH-NW-7V2.nw.nos.boeing.com> <816DD9299957E547B5D758D7F977D6DC01B6192A@tayexc14.americas.cpqcorp.net> <39C363776A4E8C4A94691D2BD9D1C9A1029ED6B1@XCH-NW-7V2.nw.nos.boeing.com>
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

Fred,

On 2007-04-09 18:36, Templin, Fred L wrote:

Hi Jim,

Thanks for your comments, and just one thing to follow

up on for now under a new subject heading:

Anytime a node tunnels packets to support a virtualized state such as
ISATAP does to support neighbor discovery has notes that should be
stated.  That is what I mean by health warnings.  For example nodes

should not be using this mechanism to subvert the addressingpolicy and

use of IPv6 communications without be authorized, etc.


I think there has been for a long time a fundamental
misunderstanding of the ISATAP domain of applicability.
In particular, the ISATAP virtual link connects *router*
interfaces; not host interfaces. As such, packets are not
delivered to/from host interfaces attached to the ISATAP
virtual link; they are forwarded *through* router
interfaces attached to the link.


But have all implementations done that? 6to4 was specifically
designed for router-only implementation; the first
widely shipped implementation was for host-based 6to4,
which has well-known issues.

    Brian


Therefore, IPv6 packets sent by hosts only traverse
the ISATAP virtual link by being forwarded via a router.
And, since encryption/authentication is required for the
IPv6 packets that are forwarded by a router across the
ISATAP virual link, there is nothing that could happen on
the ISATAP virtual link itself that would compromise IPv6
security.

Fred
fred.l.templin@boeing.com

Follow-Ups:
- RE: ISATAP links connect *router* interfaces
  - From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
- Re: ISATAP links connect *router* interfaces
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>

References:
- RE: I-D ACTION:draft-ietf-v6ops-addcon-03.txt
  - From: "Bound, Jim" <Jim.Bound@hp.com>
- RE: I-D ACTION:draft-ietf-v6ops-addcon-03.txt
  - From: "Gunter Van de Velde \(gvandeve\)" <gvandeve@cisco.com>
- RE: I-D ACTION:draft-ietf-v6ops-addcon-03.txt
  - From: "Bound, Jim" <Jim.Bound@hp.com>
- RE: I-D ACTION:draft-ietf-v6ops-addcon-03.txt
  - From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
- RE: I-D ACTION:draft-ietf-v6ops-addcon-03.txt
  - From: "Bound, Jim" <Jim.Bound@hp.com>
- ISATAP links connect *router* interfaces (was: RE: I-D ACTION:draft-ietf-v6ops-addcon-03.txt)
  - From: "Templin, Fred L" <Fred.L.Templin@boeing.com>

Prev by Date: IPv6-PMP?
Next by Date: Re: ISATAP links connect *router* interfaces
Previous by thread: ISATAP links connect *router* interfaces (was: RE: I-D ACTION:draft-ietf-v6ops-addcon-03.txt)
Next by thread: Re: ISATAP links connect *router* interfaces
Index(es):
- Date
- Thread

Re: ISATAP links connect *router* interfaces

Re: ISATAP links connect router interfaces