
Re: ISATAP links connect *router* interfaces



Fred,

On 2007-04-09 18:36, Templin, Fred L wrote:
Hi Jim,

Thanks for your comments, and just one thing to follow
up on for now under a new subject heading:
Anytime a node tunnels packets to support a virtualized state, as
ISATAP does to support neighbor discovery, there are notes that should be
stated.  That is what I mean by health warnings.  For example, nodes
should not be using this mechanism to subvert the addressing policy and
use of IPv6 communications without being authorized, etc.

I think there has been for a long time a fundamental
misunderstanding of the ISATAP domain of applicability.
In particular, the ISATAP virtual link connects *router*
interfaces; not host interfaces. As such, packets are not
delivered to/from host interfaces attached to the ISATAP
virtual link; they are forwarded *through* router
interfaces attached to the link.

But have all implementations done that? 6to4 was specifically
designed for router-only implementation; the first
widely shipped implementation was for host-based 6to4,
which has well-known issues.

    Brian


Therefore, IPv6 packets sent by hosts only traverse
the ISATAP virtual link by being forwarded via a router.
And, since encryption/authentication is required for the
IPv6 packets that are forwarded by a router across the
ISATAP virtual link, there is nothing that could happen on
the ISATAP virtual link itself that would compromise IPv6
security.

Fred
fred.l.templin@boeing.com
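The exchange above turns on who is actually attached to the ISATAP virtual
link and what a node should accept off it. The following is an added example
(not code from this thread, nor from any ISATAP implementation) showing the
two pieces of ISATAP that the argument rests on: how the interface identifier
embeds the IPv4 address (0000:5EFE:w.x.y.z, with the 0x0200 "u" bit set when
the IPv4 address is globally unique, per RFC 4214 and its successor RFC 5214),
and the decapsulation-time source check that ISATAP nodes are required to
perform so that the encapsulating IPv4 source is correct for the encapsulated
IPv6 source. The matching rule below (a link-local source must be ISATAP
formatted and its embedded IPv4 address must equal the outer IPv4 source;
other sources are accepted if they embed the outer IPv4 address or arrive from
a router on the node's Potential Router List) is this example's simplified
version of that check, and the sample packets and PRL are constructed here,
not taken from the thread.

```python
import ipaddress
from typing import Iterable, Optional

# Fixed 16-bit tag that marks an ISATAP interface identifier (IID).
ISATAP_TAG = 0x5EFE
# Set in the first 16 bits of the IID when the embedded IPv4 address is
# globally unique (the IEEE "u" bit).
U_BIT = 0x0200
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")
IID_MASK = (1 << 64) - 1


def isatap_iid(ipv4: str, globally_unique: bool = False) -> int:
    """Build the 64-bit ISATAP IID: [0000|0200]:5EFE:<IPv4 as 32 bits>."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    first16 = U_BIT if globally_unique else 0
    return (first16 << 48) | (ISATAP_TAG << 32) | v4


def isatap_address(prefix: str, ipv4: str, globally_unique: bool = False) -> str:
    """Combine a /64 prefix with the ISATAP IID for ipv4."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | isatap_iid(ipv4, globally_unique)))


def embedded_ipv4(addr: str) -> Optional[str]:
    """Return the IPv4 address embedded in an ISATAP IID, or None if the
    address is not ISATAP formatted (any bit other than U_BIT set in the
    first 16 bits, or the 5EFE tag missing)."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    first16 = iid >> 48
    if (first16 & ~U_BIT) != 0 or ((iid >> 32) & 0xFFFF) != ISATAP_TAG:
        return None
    return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))


def accept_decapsulated(outer_src_v4: str, inner_src_v6: str, prl: Iterable[str] = ()) -> bool:
    """Source check on a protocol-41 packet received on an ISATAP interface.

    Simplified rule (this example's own, see lead-in):
      * link-local inner source: must be ISATAP formatted and embed the outer
        IPv4 source, otherwise another IPv4 node could impersonate an ISATAP
        neighbour's link-local identity (e.g. for neighbour discovery);
      * any other inner source: accepted if it embeds the outer IPv4 source
        (an on-link ISATAP node) or if the outer source is a router on the
        Potential Router List (traffic forwarded through a router).
    """
    outer = ipaddress.IPv4Address(outer_src_v4)
    inner = ipaddress.IPv6Address(inner_src_v6)
    emb = embedded_ipv4(inner_src_v6)
    if inner in LINK_LOCAL:
        return emb is not None and ipaddress.IPv4Address(emb) == outer
    if emb is not None and ipaddress.IPv4Address(emb) == outer:
        return True
    return outer in {ipaddress.IPv4Address(p) for p in prl}


if __name__ == "__main__":
    # Constructed sample: one ISATAP router at 10.0.0.1 on the PRL, a host at
    # 10.1.2.3, and a third IPv4 node 10.9.9.9 trying to spoof the host.
    prl = ["10.0.0.1"]
    host_ll = isatap_address("fe80::/64", "10.1.2.3")
    print("host link-local:", host_ll)
    print("embedded IPv4  :", embedded_ipv4(host_ll))
    print("genuine host   :", accept_decapsulated("10.1.2.3", host_ll, prl))
    print("spoofed host   :", accept_decapsulated("10.9.9.9", host_ll, prl))
    print("via PRL router :", accept_decapsulated("10.0.0.1", "2001:db8:f00::1", prl))
    print("not via router :", accept_decapsulated("10.9.9.9", "2001:db8:f00::1", prl))
```

The point the check makes concrete is the one in the message above: a host's
packets either come from an ISATAP node whose link-local identity is bound to
its own IPv4 address, or they come through a router the node already trusts;
anything else arriving on the virtual link is dropped at decapsulation.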