Re: [OFF-PATH-BOF] How does an endpoint discover a local policy by DHCP?

Saikat Guha <saikat@cs.cornell.edu> Tue, 19 September 2006 06:08 UTC

Subject: Re: [OFF-PATH-BOF] How does an endpoint discover a local policy by DHCP?
From: Saikat Guha <saikat@cs.cornell.edu>
To: Scott W Brim <swb@employees.org>
In-Reply-To: <450E90C7.5030701@employees.org>
References: <E6F7A586E0A3F94D921755964F6BE0063FDDBD@EXCHANGE2.cs.cornell.edu> <450E90C7.5030701@employees.org>
Organization: Cornell University
Date: Tue, 19 Sep 2006 02:08:48 -0400
Message-Id: <1158646129.2966.32.camel@localhost.localdomain>
Cc: off-path-bof@ietf.org

On Mon, 2006-09-18 at 08:27 -0400, Scott W Brim wrote:
> On 09/18/2006 07:18 AM, Paul Francis allegedly wrote:
> > I don't think any of us envisioned that an endpoint would learn policy via
> > DHCP.
> 
> Rather, a policy server?

If the question is how someone learns which policy server to use ...

Signaling packets go 1) up, 2) across, and 3) down; and the next-hop
policy server on each segment is determined differently.

1) UP: Drilling out towards the Internet through multiple layers of
firewalls ... a packet (any packet) is sent outwards; a firewall/M-Box
intercepts it and responds with an ICMP-like error message that informs
the source what policy server to contact for auth.

2) ACROSS: The packet goes from the internet-facing firewall of the
source's stack of firewalls to the internet-facing firewall of the
recipient. The signaling server for the recipient's domain is resolved
over DNS through SRV-type records.

3) DOWN: Drilling down to the destination through multiple firewalls.
When the destination registers its presence, it creates a chain of
registrations to the internet-facing signaling proxy for its domain
(chain discovered through the drill-out in #1 above). The signaling
packets bound for the destination follow the reverse route of the
registration chain.

-- 
Saikat
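A small model of the three-segment discovery described in the message above, added here as an example; it is not code from the original post or from any off-path BOF implementation. The domains, firewall names, policy-server hostnames and the SRV mapping are all constructed, and the consistency check between the SRV target and the destination's registration chain is an assumption about how a sane deployment would look.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Firewall:
    name: str
    policy_server: str  # the auth/policy server this M-Box names in its ICMP-like reply


# Constructed topology: each domain is a stack of firewalls, innermost first;
# the last entry is the internet-facing one.
TOPOLOGY = {
    "alice.example": [Firewall("fw-floor", "policy-floor.alice.example"),
                      Firewall("fw-edge", "policy-edge.alice.example")],
    "bob.example":   [Firewall("fw-dept", "policy-dept.bob.example"),
                      Firewall("fw-border", "policy-border.bob.example")],
}

# Constructed stand-in for DNS SRV data: recipient domain -> internet-facing signaling server.
SRV = {"bob.example": "policy-border.bob.example"}


def drill_out(domain):
    """Step 1 (UP): a probe is intercepted by each firewall on its way out, and each
    answers with the policy server to contact. Returns the chain, innermost first."""
    return [fw.policy_server for fw in TOPOLOGY[domain]]


def resolve_across(domain):
    """Step 2 (ACROSS): SRV-style lookup of the recipient domain's signaling server."""
    try:
        return SRV[domain]
    except KeyError:
        raise LookupError(f"no signaling SRV record for {domain}") from None


def register(domain):
    """Destination side of step 3: registering presence records the same chain the
    destination discovered by drilling out, ending at its internet-facing proxy."""
    return drill_out(domain)


def signaling_path(src, dst):
    """Next-hop list a signaling packet traverses from src to dst: up the source's
    chain, across to the SRV target, then down the destination's chain in reverse."""
    up = drill_out(src)
    across = resolve_across(dst)
    down = list(reversed(register(dst)))
    # The ACROSS hop must be the destination's internet-facing proxy, i.e. the head of
    # the reversed registration chain; anything else means SRV and registration disagree.
    if down[0] != across:
        raise ValueError(f"SRV target {across} is not {dst}'s internet-facing proxy {down[0]}")
    return up + down
```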
_______________________________________________
OFF-PATH-BOF mailing list
OFF-PATH-BOF@ietf.org
https://www1.ietf.org/mailman/listinfo/off-path-bof