Re: [shim6] about draft-ietf-v6ops-cpe-simple-security-07
- To: Iljitsch van Beijnum <iljitsch@muada.com>
- Subject: Re: [shim6] about draft-ietf-v6ops-cpe-simple-security-07
- From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Date: Wed, 29 Jul 2009 11:00:43 +1200
- Cc: IPv6 Operations <v6ops@ops.ietf.org>
- In-reply-to: <495C8CA9-5146-48E8-A3FE-3063D6A9ED2F@muada.com>
- Organization: University of Auckland
- References: <495C8CA9-5146-48E8-A3FE-3063D6A9ED2F@muada.com>
- User-agent: Thunderbird 2.0.0.6 (Windows/20070728)
On 2009-07-29 02:01, Iljitsch van Beijnum wrote:
> [to v6ops and shim6, prune as necessary]
Pruned to v6ops
...
> 3.2.4. 6to4 Tunnels
>
> Typical dual-stack IPv4/IPv6 residential gateways use private IPv4
> address ranges and network address/port translation on a single IPv4
> address assigned by the service provider. The use of private
> addresses prevents interior hosts from using 6to4 [RFC3068] tunnels.
>
> Usually the private addresses are on the inside and a public on the
> outside (which will presumably start to change as IPv4 depletes but will
> never completely go away) so 6to4 can work just fine in those cases.
Well, the text is unclear. If the hosts behind the CPE try to use
6to4 [RFC3056] tunnels (with or without the anycast extension [RFC3068]),
they will fail if the LAN is using RFC1918 and NAT. But if the CPE
itself acts as a 6to4 gateway as defined and intended in [RFC3056],
the hosts will see *native* IPv6 and everything will work fine.
Except for one case:
The use of private addresses by an ISP "outside" the CPE
would make it impossible for the CPE to operate
as a 6to4 [RFC3056] gateway.
IMHO every IPv6 CPE SHOULD contain a 6to4 gateway, but that belongs
in another draft.
Brian
>
> The use of Level 3 Multihoming Shim
> Protocol for IPv6 (SHIM6) [I-D.ietf-shim6-proto] as a site multi-
> homing solution is not generally compatible with IPv6 simple
> security.
>
> (Now RFC 5533.) Why? Assuming that there are two CPEs with each an ISP
> link and advertising separate address ranges, then if the host sends
> normal packets over CPE A and then when the ISP connected to CPE A
> fails, the host can send protocol 140 signaling and encapsulated data
> packets to CPE B. This should work. An optimization would be to allow
> incoming protocol 140 whenever there is communication between an
> internal and external host already, whatever the type. (Without that,
> the shim6 signaling fails when the first host initiates it and only
> succeeds if the second host initiates it soon enough after.)
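The three outcomes Brian's reply distinguishes (host-side 6to4 behind RFC 1918 NAT fails; CPE as RFC 3056 gateway gives hosts native IPv6; a private address on the CPE's WAN side rules the gateway out) can be checked mechanically from the addresses involved. The following is an added example, not code from the thread or from the draft; it also treats the RFC 6598 shared address space (100.64.0.0/10), which postdates this message, as a second form of "private addresses outside the CPE". Function names and sample addresses are constructed here.

```python
# Added example: 6to4 (RFC 3056) prefix derivation and the gateway-placement
# outcomes discussed in the reply above. Not part of the original thread.
import ipaddress

# IPv4 ranges that cannot be embedded in a 2002::/16 prefix because they are
# not globally routable. RFC 1918 is the case the thread discusses; the
# 100.64.0.0/10 shared space (RFC 6598) is added as the later form of
# "private addresses on the outside of the CPE".
_UNUSABLE_FOR_6TO4 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def six_to_four_prefix(ipv4: str):
    """Return the 2002:WWXX:YYZZ::/48 site prefix for a public IPv4 address
    (RFC 3056 section 2), or None if the address cannot anchor 6to4."""
    addr = ipaddress.IPv4Address(ipv4)
    if any(addr in net for net in _UNUSABLE_FOR_6TO4):
        return None
    # 2002::/16 in the top 16 bits, then the 32-bit IPv4 address -> /48
    prefix_int = (0x2002 << 112) | (int(addr) << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def ipv6_outcome(lan_ipv4: str, wan_ipv4: str, cpe_is_6to4_gateway: bool) -> str:
    """Summarise what an interior host gets, following the cases in the reply:
    lan_ipv4 is the host's own address, wan_ipv4 the CPE's ISP-facing address."""
    if cpe_is_6to4_gateway:
        wan_prefix = six_to_four_prefix(wan_ipv4)
        if wan_prefix is None:
            return "no 6to4: WAN address is not public, CPE cannot be a 6to4 gateway"
        # Hosts see ordinary router advertisements for the CPE's /48: native IPv6.
        return f"native IPv6 from CPE, site prefix {wan_prefix}"
    lan_prefix = six_to_four_prefix(lan_ipv4)
    if lan_prefix is None:
        return "no 6to4: host has a private address behind NAT, host-side tunnel fails"
    return f"host-side 6to4 tunnel, site prefix {lan_prefix}"


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges and RFC 1918 space).
    print(ipv6_outcome("192.168.1.10", "203.0.113.7", cpe_is_6to4_gateway=False))
    print(ipv6_outcome("192.168.1.10", "203.0.113.7", cpe_is_6to4_gateway=True))
    print(ipv6_outcome("192.168.1.10", "10.9.8.7", cpe_is_6to4_gateway=True))
```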