[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [BEHAVE] Re: CPE equipments and stateful filters

To: IPv6 Operations <v6ops@ops.ietf.org>, Behave WG <behave@ietf.org>
Subject: Re: [BEHAVE] Re: CPE equipments and stateful filters
From: james woodyatt <jhw@apple.com>
Date: Mon, 30 Jul 2007 19:01:33 -0700
In-reply-to: <9CBFAEC6-9677-4862-BFBF-073B701B9B67@apple.com>
References: <050701c7d309$a84e2b10$c5f0200a@amer.cisco.com> <9CBFAEC6-9677-4862-BFBF-073B701B9B67@apple.com>

On Jul 30, 2007, at 17:56, james woodyatt wrote:

On Jul 30, 2007, at 17:28, Dan Wing wrote:
<http://tools.ietf.org/html/draft-tschofenig-mip6-ice> describeshow ICE might be useful for Mobile IPv6.
I'm reading this draft now.

If I understand how this might work, it would involve encapsulatingIPsec ESP and IKE in UDP, to transit firewalls between MN's and theirHA's, using conventional UDP state tracking.

We don't currently have any protocol whereby IKE decides to switchover to UDP encapsulation, except in the NAT-traversal case, do we?With IPv6, we still think we have no NAT, so tests for reflexiveaddresses to match IKE initiations will always succeed.

What triggers the switch to UDP encapsulation? The mobility layertrying to do STUN connectivity tests on the ESP protocol? Blech, butI guess it works most of the time. If it fails mysteriously, justtry again-- that seems to be a common failure recovery method inhuman-centered systems. I can't say I approve of it. For one thing,I really don't like the idea of extending my implementations of IPsecand IKE to do STUN over protocol=50 and port=udp/500.

RFC 4487 describes additional issues, e.g. CN's reaching MN's thatroam behind networks with firewalls. <http://tools.ietf.org/html/draft-bajko-mip6-rrtfw> proposes a way to work around the RRT issue,which looks on its face to be an ugly but workable hack. It remindsme that <draft-ietf-v6ops-cpe-simple-security> needs to be veryexplicit about how to handle the mobility extension header.

Finally, <http://tools.ietf.org/html/draft-tschofenig-mip6-ice> seemsnot to care at all about the problem of home agents behindfirewalls. RFC 4487 raises that issue, but I'm not seeing how M-ICEis supposed to address it. Did I miss something?

My head hurts trying to sort out all the questions I have about waysthese approaches potentially might fail during incrementaldeployment. On the other hand, all this stuff seems a lot simpler--though still pretty soul-killingly fragile-- with ALD in the mix. Istill think we'd be better off without any SPF middleboxes. (Oh, bythe way, I remember now why I'm not optimistic about firewallshelping keep denial-of-service traffic off first mile links. That'sa topic for another message, though.)



--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

References:
- RE: [BEHAVE] Re: CPE equipments and stateful filters
  - From: "Dan Wing" <dwing@cisco.com>
- Re: [BEHAVE] Re: CPE equipments and stateful filters
  - From: james woodyatt <jhw@apple.com>

Prev by Date: Re: [BEHAVE] Re: CPE equipments and stateful filters
Next by Date: Re: [BEHAVE] Re: CPE equipments and stateful filters
Previous by thread: Re: [BEHAVE] Re: CPE equipments and stateful filters
Next by thread: Re: [BEHAVE] Re: CPE equipments and stateful filters
Index(es):
- Date
- Thread