[ppml] [narten at us.ibm.com: PI addressing in IPv6 advances in ARIN]
David Conrad
drc at virtualized.org
Mon Apr 17 22:15:02 EDT 2006
Geoff,

On Apr 17, 2006, at 6:22 PM, Geoff Huston wrote:

> And probably the highest potential risk, unfortunately.

You have higher faith in end system IP stack implementers than I
apparently... :-)

> From the packet's perspective what's the difference between the
> helpful header rewriting that my middlebox performs and the evil
> rewriting that your middlebox performs?

Perhaps I misunderstand. From the packet's perspective, what's the
difference between the actual destination router and an in-transit
router The Enemy has inserted into the routing stream?

If you're relying on IP addresses (v4 or v6) for security, you're
doomed anyway. If you really want end-to-end security, you need to
secure the actual end points of the communication. That's why God
(or Satan, the jury is still out) created IPSEC.

> i.e. how can you tell the boundary of a site?

Network topologic-wise, where does my (as an end site) responsibility
for packet routing end and my ISP's (or ISPs') responsibility begin?

> How can you create a decent security association between the
> endpoints and the middlebox?

Again, perhaps I misunderstand. People seem able to create decent
security associations today with VPNs and other tunneling
mechanisms. There are a bunch of ways to do it, some scale better
than others (I personally like storing the end point identifier/
routing locator mappings in the DNS and using DNSSEC to ensure their
integrity, but I have some biases in this space).

If I understand shim6 correctly (doubtful, but lack of understanding
rarely stops me from commenting... :-)) the middleboxen (since there
are two) approach is the same as the shim6 approach except where the
translation between end point identifier and routing locator occurs.
In shim6, it occurs in the IP stack of the end host. In the
middleboxen approach, it occurs at the transition point between end
site and transit network.

From my perspective, both approaches are kludges created to try to
fix the fact that IPv6 repeated IPv4's mistake wrt end point
identifier/routing locator separation. I just think a solution that
doesn't require replacing every existing end system IPv6 stack is
more likely to get traction than one that does. Note also that
middleboxen and shim6 are not mutually exclusive: I see shim6 as a
host solution whereas middleboxen is a site solution. Oh yeah, and I
suspect a middleboxen approach could be helpful in transition from v4
to v6...

> Every approach in this space leads one into having to make some
> very hard decisions!

I haven't seen a hard decision yet (not saying they don't exist, just
that I haven't seen them). Perhaps you could explain in private (as
this isn't really ppml related).

Rgds,
-drc