Re: [nbs] NBS and TCP connection identification

Christian Vogt <> Mon, 27 September 2010 22:19 UTC

From: Christian Vogt <>
To: Erik Nordmark <>
Date: Mon, 27 Sep 2010 18:17:55 -0400
Cc: Name-Based Sockets List <>

Javier Ubillos wrote:

>> How do you secure the movement in that case?
>> Suppose the client has IP address, thus the server would 
>> see the client as having name
>> Then the client switches to being on IP address How can you 
>> know that it is indeed the same client so that it is secure for the 
>> server to start sending the packets to
>> You can't rely on DNS validation (unless you assume that the client can 
>> update the DNS records for, which is very 
>> unlikely.)
>> Thus how do you secure this?
> Movement is, in the name-based sockets + shim6, handled by shim6.
> The shim6 handshake is performed out-of-band. Before that is done, no
> mobility/multi-homing is available. Shim6 deals with validation. We do
> add locators to be tested found in DNS, but AFAIKT shim6 deals with this
> nicely, and yes, we cannot trust DNS to that extent.

Let me add that the selection of Shim6 for mobility management was an implementation decision, not a conceptual decision: we had an existing Shim6 implementation and people familiar with this implementation, so it seemed natural to build upon it. Conceptually, one could devise name-based sockets to work without Shim6.

Specifically, we are re-using Shim6's mechanisms for movement detection and address updating.  We do not re-use Shim6's mechanisms for binding IP addresses together, since with name-based sockets, IP addresses are bound to DNS names rather than to each other.

- Christian
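The exchange above turns on one point: after a client changes IP address, the server must have some way other than DNS to confirm that the new address belongs to the same client before it redirects traffic there. The following simulation is an added example, not code from this thread, from the name-based sockets implementation, or from Shim6; it models the "validation" the reply attributes to Shim6 as two simplified steps that are my assumption, not Shim6's actual wire protocol: a locator update authenticated with a secret established during the out-of-band handshake, followed by a reachability probe that must be answered from the new address. Host name and addresses are constructed documentation values.

```python
import hashlib
import hmac
import os

# Constructed illustration of locator-change validation. The HMAC-tagged
# update and the nonce probe are a simplified model, not Shim6's real format.


def update_tag(secret: bytes, context_id: bytes, new_locator: str, nonce: bytes) -> bytes:
    """MAC over the fields of a locator update, keyed with the per-context secret."""
    msg = context_id + b"|" + new_locator.encode() + b"|" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.contexts = {}   # client name -> {"secret", "id", "locator"}
        self.pending = {}    # client name -> (candidate locator, probe nonce)

    def handshake(self, name: str, locator: str, secret: bytes) -> bytes:
        """Out-of-band context setup; the client is identified by name, not by
        reverse DNS of its address. Stands in for the Shim6 handshake."""
        context_id = os.urandom(8)
        self.contexts[name] = {"secret": secret, "id": context_id, "locator": locator}
        return context_id

    def on_locator_update(self, name, new_locator, nonce, tag):
        """Step 1: accept the update only if it is tagged with the context secret.
        Returns a probe nonce to be sent to new_locator, or None if rejected."""
        ctx = self.contexts.get(name)
        if ctx is None:
            return None
        expected = update_tag(ctx["secret"], ctx["id"], new_locator, nonce)
        if not hmac.compare_digest(expected, tag):
            return None  # forged update: no state change, nothing sent
        probe = os.urandom(16)
        self.pending[name] = (new_locator, probe)
        return probe

    def on_probe_reply(self, name, from_locator, echoed) -> bool:
        """Step 2: switch only when the probe is echoed from the claimed locator."""
        pend = self.pending.pop(name, None)
        if pend is None:
            return False
        candidate, probe = pend
        if from_locator != candidate or not hmac.compare_digest(echoed, probe):
            return False
        self.contexts[name]["locator"] = candidate
        return True

    def locator_of(self, name) -> str:
        return self.contexts[name]["locator"]


class Client:
    def __init__(self, name, locator, secret):
        self.name, self.locator, self.secret = name, locator, secret
        self.context_id = None

    def attach(self, server):
        self.context_id = server.handshake(self.name, self.locator, self.secret)

    def move(self, new_locator):
        """Change address and produce an authenticated locator update."""
        self.locator = new_locator
        nonce = os.urandom(16)
        tag = update_tag(self.secret, self.context_id, new_locator, nonce)
        return new_locator, nonce, tag


def run_scenario():
    server = Server()
    client = Client("host.example.test", "192.0.2.10", os.urandom(32))  # constructed
    client.attach(server)

    # A: legitimate move; the probe reaches the new address and is echoed from it.
    loc, nonce, tag = client.move("198.51.100.7")
    probe = server.on_locator_update(client.name, loc, nonce, tag)
    legit_ok = probe is not None and server.on_probe_reply(client.name, client.locator, probe)

    # B: update tagged with the wrong secret fails step 1; no probe is even sent.
    bogus = update_tag(os.urandom(32), client.context_id, "203.0.113.9", nonce)
    forged_rejected = server.on_locator_update(client.name, "203.0.113.9", nonce, bogus) is None

    # C: correctly tagged update, but the probe reply comes from the old address,
    # so the new locator is never confirmed reachable and the server keeps the old one.
    loc2, nonce2, tag2 = client.move("203.0.113.20")
    probe2 = server.on_locator_update(client.name, loc2, nonce2, tag2)
    wrong_source_rejected = probe2 is not None and not server.on_probe_reply(
        client.name, "192.0.2.10", probe2)

    return {"legit": legit_ok, "forged": forged_rejected,
            "wrong_source": wrong_source_rejected,
            "locator": server.locator_of(client.name)}
```

The two checks answer the question in the quoted text separately: the tag proves the update comes from the party that completed the handshake, and the probe proves the claimed address actually receives traffic for that party, so neither a forged update nor an off-path claim of an address moves the server's traffic.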