IETF Logo Mail Archive

Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]

james woodyatt <jhw@apple.com> Fri, 27 April 2007 00:17 UTC

Return-path: <ipv6-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HhE9v-0007ok-1q; Thu, 26 Apr 2007 20:17:59 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HhE9t-0007oZ-D3 for ipv6@ietf.org; Thu, 26 Apr 2007 20:17:57 -0400
Received: from mail-out3.apple.com ([17.254.13.22]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HhE9s-0008RO-13 for ipv6@ietf.org; Thu, 26 Apr 2007 20:17:57 -0400
Received: from relay6.apple.com (a17-128-113-36.apple.com [17.128.113.36]) by mail-out3.apple.com (8.13.8/8.13.8) with ESMTP id l3R0Ht9A000640 for <ipv6@ietf.org>; Thu, 26 Apr 2007 17:17:55 -0700 (PDT)
Received: from relay6.apple.com (unknown [127.0.0.1]) by relay6.apple.com (Symantec Mail Security) with ESMTP id 4E8CB10081 for <ipv6@ietf.org>; Thu, 26 Apr 2007 17:17:55 -0700 (PDT)
X-AuditID: 11807124-a24a0bb000000872-22-46314133530b
Received: from [17.206.50.218] (il0602f-dhcp218.apple.com [17.206.50.218]) by relay6.apple.com (Apple SCV relay) with ESMTP id 4083810044 for <ipv6@ietf.org>; Thu, 26 Apr 2007 17:17:55 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v752.3)
In-Reply-To: <017601c78856$6d2b7cc0$47827640$@net>
References: <462D4706.4000504@spaghetti.zurich.ibm.com> <462E7AB4.3050807@piuha.net> <m2mz0xp6je.wl%gnn@neville-neil.com> <20070425093402.A30586@mignon.ki.iif.hu> <20070425141336.E95D522875@thrintun.hactrn.net> <462F7005.50700@sri.com> <CE11116E-DF68-481D-AB30-E592C339CEFB@nokia.com> <46307C0E.9060809@zurich.ibm.com> <017601c78856$6d2b7cc0$47827640$@net>
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <5690ABCA-8385-4C5F-941E-1012D1CA35B7@apple.com>
Content-Transfer-Encoding: 7bit
From: james woodyatt <jhw@apple.com>
Date: Thu, 26 Apr 2007 17:17:54 -0700
To: IETF IPv6 Mailing List <ipv6@ietf.org>
X-Mailer: Apple Mail (2.752.3)
X-Brightmail-Tracker: AAAAAA==
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9ed51c9d1356100bce94f1ae4ec616a9
Subject: Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Errors-To: ipv6-bounces@ietf.org

On Apr 26, 2007, at 15:58, Tony Hain wrote:
>
> As I said on V6ops, before you kill this off too quickly, James  
> Woodyatt's proxy redirection is a perfect example of a valid use  
> for Type 0 Routing Headers. He wants the firewall to redirect  
> traffic through a designated point (what this header was designed  
> to do), and the only hammer at his immediate disposal was IPv6/IPv6  
> nat. What I don't know is if the firewall can insert one that did  
> not exist, because the source wouldn't know about his 'transparent'  
> proxy.

I should make clear that I'm not persuaded that use of the routing  
extension header gives me a way to do what I've been talking about in  
both V6OPS and BEHAVE.  Moreover, I *really* don't think RH type code  
**ZERO** is a better hammer than simple IPv6 NAT.  (Oh boy... I've  
just whacked another beehive, haven't I?)

For my immediate purposes, where I only need to redirect inside the  
routing node between the packet filter and the node's own stack, I  
can probably define my own internal routing extension header type  
code.  In fact, since the packets aren't going anywhere on the wire,  
I could just dispense with the extension header altogether and just  
overwrite the destination address in the IPv6 header while inserting  
an appropriate state record into the packet filter for the proxy to  
find.  This will be functionally equivalent to using IPv6 NAT, and  
I'll be doing this in the code that implements the IPv4 NAT and SPI  
filter, but if it makes everyone feel more warm and fuzzy that no  
actual NAT is going on, I'll use another word for it.  I wouldn't  
want anybody to lose more sleep.

Where the situation gets a lot more interesting is when the  
transparent application proxy is not resident on the same node as the  
filter where the diversion happens.  That's where the routing  
extension header could be necessary.  In that case, I still don't  
think type code *ZERO* is the wrong choice, because something must  
*remove* the extension header on the return path for the proxy to  
remain transparent.


--
j h woodyatt <jhw@apple.com>



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email