[ppml] [narten at us.ibm.com: PI addressing in IPv6 advances in ARIN]

David Conrad drc at virtualized.org
Mon Apr 17 22:15:02 EDT 2006


Geoff,

On Apr 17, 2006, at 6:22 PM, Geoff Huston wrote:
> And probably the highest potential risk, unfortunately.

You have higher faith in end system IP stack implementers than I  
apparently... :-)

> From the packet's perspective what's the difference between the  
> helpful header rewriting that my middlebox performs and the evil  
> rewriting that your middlebox performs?

Perhaps I misunderstand.  From the packet's perspective, what's the  
difference between the actual destination router and an in-transit  
router The Enemy has inserted into the routing stream?

If you're relying on IP addresses (v4 or v6) for security, you're  
doomed anyway.  If you really want end-to-end security, you need to  
secure the actual end points of the communication.  That's why God  
(or Satan, the jury is still out) created IPSEC.

> i.e. how can you tell the boundary of a site?

Network topologic-wise, where does my (as an end site) responsibility  
for packet routing end and my ISP's (or ISPs') responsibility begin?

> How can you create a decent security association between the  
> endpoints and the middlebox?

Again, perhaps I misunderstand.  People seem able to create decent  
security associations today with VPNs and other tunneling  
mechanisms.  There are a bunch of ways to do it, some scale better  
than others (I personally like storing the end point identifier/ 
routing locator mappings in the DNS and using DNSSEC to ensure their
integrity, but I have some biases in this space).

If I understand shim6 correctly (doubtful, but lack of understanding  
rarely stops me from commenting... :-)) the middleboxen (since there  
are two) approach is the same as the shim6 approach except where the  
translation between end point identifier and routing locator occurs.   
In shim6, it occurs in the IP stack of the end host.  In the  
middleboxen approach, it occurs at the transition point between end  
site and transit network.

From my perspective, both approaches are kludges created to try to
fix the fact that IPv6 repeated IPv4's mistake wrt end point  
identifier/routing locator separation.  I just think a solution that  
doesn't require replacing every existing end system IPv6 stack is  
more likely to get traction than one that does.  Note also that
middleboxen and shim6 are not mutually exclusive: I see shim6 as a  
host solution whereas middleboxen is a site solution.  Oh yeah, and I  
suspect a middleboxen approach could be helpful in transition from v4  
to v6...

> Every approach in this space leads one into having to make some  
> very hard decisions!

I haven't seen a hard decision yet (not saying they don't exist, just  
that I haven't seen them).  Perhaps you could explain in private (as  
this isn't really ppml related).

Rgds,
-drc
