Re: [nbs] I-D Action:draft-xu-name-shim6-00.txt

Brian E Carpenter <> Sun, 17 October 2010 04:04 UTC

From: Brian E Carpenter <>
Organization: University of Auckland
Date: Sun, 17 Oct 2010 17:06:05 +1300
To: shim6-wg <>

> Abstract
>    This document describes and defines shim6 as a mobility solution for
>    name-based sockets.  

My most general comment is that I think the draft should explain both
how NBS works in the original shim6 scenario (multihoming without
mobility) and then how it also works in the mobile case. I think
it's a very neat trick if it really does extend shim6 to support
mobility, but let's not forget the basics.

> 3.1.  Introduction
>    The traditional Shim6 defined in RFC5533 [RFC5533] does not aim to
>    solve mobility problem, so changes need to be made to the existing
>    Shim6 protocol.  One of the reasons for not supporting mobility is
>    that Shim6 uses a specific IP address as the identifier of the upper
>    layer protocol.  To avoid confusion, communication must be stopped when
>    this IP address becomes unavailable.  

Small but important change: unavailable ==> invalid. You say this correctly
later. "Unavailable" is confusing, since it might be understood to mean
"unreachable"; actually it's quite normal that the ULID goes unreachable.

> 4.1.1.  Brief overview of changes
>    Name Based Sockets suggest using the name of a host as the
>    identifier.  This solves the above problems, as a name is valid for
>    as long as a host wishes it to be. 

I don't think that's accurate. I think it would be accurate to
say "a name is valid for as long as it exists in the DNS."
If a name vanishes completely from the DNS, it seems that it is
just as invalid as an expired IP address; it is simply a much
rarer event.

On a related point, I think that you need a discussion somewhere
of the latency for DNS updates to propagate, and how that affects
the speed of recovery of a mobile connection. This point might
make or break this whole solution. If the time to get an updated
DNS RR is greater than the TCP session timeout, there's a problem.

> 5.  Security Considerations

The security of shim6 depends on using HBA/CGA addresses (including
the initial ULID). How do we get equivalent security here?
Is secure dynamic DNS update plus DNSSEC sufficient?

   Brian Carpenter
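Added example, not code from the draft or from the message above: the Security Considerations question asks how a name-based design could match the protection shim6 gets from HBA/CGA addresses. The pure-Python sketch below of CGA (RFC 3972) generation and verification with Sec=0 makes concrete what that protection is: the interface identifier is a hash over the owner's public key, so a peer that receives a new locator can check that the claimant holds the key the address was derived from, and nobody else can produce a valid proof for that address. The "public keys" are constructed placeholder byte strings rather than DER-encoded keys, the prefix is the 2001:db8::/64 documentation prefix, and the fixed modifier in `demo()` is chosen only to keep the output deterministic.

```python
"""Added example, not code from the draft or from this mailing-list post.

Shim6 (RFC 5533) ties the ULID and the locator set to HBA/CGA addresses so that a
peer can prove it owns an address before the other side will switch to it.  This
sketch of CGA (RFC 3972) generation and verification with Sec=0 shows what that
proof looks like.  The 'public keys' are constructed placeholder byte strings,
not real DER-encoded keys; the subnet prefix is the documentation prefix.
"""
import hashlib
import ipaddress
import os
from typing import Optional


def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    # RFC 3972 s.4: Hash1 = leftmost 64 bits of SHA-1(modifier | prefix | cc | pubkey)
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # Hash2 = leftmost 112 bits of SHA-1(modifier | nine zero octets | pubkey)
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(h2: bytes, sec: int) -> bool:
    # The leftmost 16*Sec bits of Hash2 must be zero (trivially true for Sec=0).
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def _interface_id(h1: bytes, sec: int) -> bytes:
    # Bits 0-2 carry Sec, bits 6-7 (the u/g bits) are cleared, the rest is Hash1.
    first = (sec << 5) | (h1[0] & 0x1C)
    return bytes([first]) + h1[1:]


def generate_cga(prefix: ipaddress.IPv6Network, pubkey: bytes, sec: int = 0,
                 collision_count: int = 0, modifier: Optional[bytes] = None):
    """Return (address, cga_parameters) for the given /64 prefix and public key."""
    assert prefix.prefixlen == 64 and 0 <= collision_count <= 2
    modifier = modifier if modifier is not None else os.urandom(16)
    # Sec > 0 means searching for a modifier that gives Hash2 enough leading zero bits.
    while not _hash2_ok(_hash2(modifier, pubkey), sec):
        modifier = os.urandom(16)
    prefix_bytes = prefix.network_address.packed[:8]
    iid = _interface_id(_hash1(modifier, prefix_bytes, collision_count, pubkey), sec)
    params = {"modifier": modifier, "prefix": prefix_bytes,
              "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix_bytes + iid), params


def verify_cga(address: ipaddress.IPv6Address, params: dict) -> bool:
    """RFC 3972 s.5: recompute Hash1/Hash2 from the parameters and compare with the address."""
    packed = address.packed
    if params["collision_count"] not in (0, 1, 2) or params["prefix"] != packed[:8]:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5
    expected = _interface_id(
        _hash1(params["modifier"], params["prefix"], params["collision_count"], params["pubkey"]), sec)
    if expected != iid:
        return False
    return _hash2_ok(_hash2(params["modifier"], params["pubkey"]), sec)


# Constructed sample inputs: documentation prefix and placeholder "keys".
DOC_PREFIX = ipaddress.IPv6Network("2001:db8::/64")
OWNER_KEY = b"constructed-owner-public-key-bytes"
ATTACKER_KEY = b"constructed-attacker-public-key-bytes"


def demo() -> dict:
    """The owner's parameters verify; an attacker substituting its own key, or
    presenting the parameters under another prefix, does not."""
    address, params = generate_cga(DOC_PREFIX, OWNER_KEY, modifier=bytes(range(16)))
    forged_key = dict(params, pubkey=ATTACKER_KEY)
    other_prefix = dict(params, prefix=ipaddress.IPv6Network("2001:db8:1::/64")
                        .network_address.packed[:8])
    return {
        "address": str(address),
        "owner_ok": verify_cga(address, params),
        "attacker_key_ok": verify_cga(address, forged_key),
        "wrong_prefix_ok": verify_cga(address, other_prefix),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The property a name-based scheme has to reproduce is the last two lines of `demo()`: binding the identifier to the owner's key so that a locator update from anyone else is rejected. With a DNS name as identifier the binding would have to come from the DNS side instead (signed dynamic updates plus DNSSEC-validated answers), which is exactly the question raised in the message above.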