Re: Merge NAT-PT approaches?



On 21 dec 2007, at 4:47, Brian E Carpenter wrote:

I'm sympathetic to the idea. Bringing in the shim action
only when it's actually needed sounds good in principle.
The devil is in the details, of course, but we can
investigate that off-list if people would like us
to follow this up.

One thing before we jump into specifics:

I don't think reusing parts from shim6 makes a lot of sense for authentication. There are already several datagram-based authentication mechanisms, and they can get quite complex. If a host needs to authenticate towards a NAT-PT translator, it would be much simpler to set up a TLS-protected TCP session and then do simple user/password authentication. Then, the translator can trust all packets coming from the source address in question, or it can provide the host with a session key that can then be used in further shim signaling.