Re: shim proxy (was Re: failure detection)
marcelo bagnulo braun <marcelo@it.uc3m.es> Tue, 23 August 2005 14:06 UTC
Envelope-to: shim6-data@psg.com
Delivery-date: Tue, 23 Aug 2005 14:05:52 +0000
Mime-Version: 1.0 (Apple Message framework v622)
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Message-Id: <6ab582b42bd0b68f9634a3572d827e26@it.uc3m.es>
Content-Transfer-Encoding: quoted-printable
Cc: shim6 <shim6@psg.com>
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
Subject: Re: shim proxy (was Re: failure detection)
Date: Tue, 23 Aug 2005 16:06:39 +0200
To: Paul Jakma <paul@clubi.ie>
On 22/08/2005, at 16:40, Paul Jakma wrote:

> On Mon, 22 Aug 2005, marcelo bagnulo braun wrote:
>
>> the problem is that there is no way to prove the binding between the
>> identifier and their locator sets... i.e. any prefix could be used
>> with any identifier and it would be ok, so any rewriting would be ok,
>> hence the potential attacks...
>
> If, as a subset of all ULIDs, we allow a set of ULIDs to be composed
> of a network identifier (ie the first 64 bits) and a host identifier
> (last / least significant 64 bits), ie that the ULID essentially be a
> valid IPv6 address (which the shim6 drafts anticipate being possible),
> then the 'proxy' can have a static mapping which need only map the
> /network/ portion of the ULID to the network portion of a locator. Ie
> leaving the host portion unchanged.
>
> The security implications are no different from normal static
> forwarding, as far as I can tell.
>

Not sure...

Some questions about the scheme that you are considering:

- What upper layer identifiers are used in the endpoints? In particular, which prefixes do they contain? Global unicast or a special-purpose prefix (as in GSE)?
- Are the endpoints of the communication aware of the prefix sets (their own and the peer's)? Or is just the proxy aware of them?
- How do they (endpoint and/or proxy) learn the prefix set of the peer? How are they secured?
- How does the security mechanism for securing the prefix set and the identifier interact with the proxy and endpoint?

>> Perhaps you could try to evaluate how such a solution would cope with
>> the threats described in the threat analysis...
>
> I don't see the threat.

I was referring to the threats described in draft-ietf-multi6-multihoming-threats-03.txt, which need to be dealt with.

regards, marcelo

>
>> as I said, I consider this proxy capability to be really interesting,
>> but I am afraid you are underestimating the security issues here.
>
> Possible :).
>
>> regards, marcelo
>
> regards,
> --
> Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
> Fortune:
> Don't put off for tomorrow what you can do today because if you enjoy
> it today,
> you can do it again tomorrow.
>
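The /64 prefix-rewriting proxy that the quoted exchange describes, as an added example in Python. It is not code from this thread, from the shim6 drafts or from any shim6 implementation; the mapping table, the prefixes (taken from the 2001:db8::/32 documentation range) and the names PrefixProxy, to_locator, to_ulid and mark_failed are assumptions made for illustration. It rewrites only the top 64 bits and leaves the host portion untouched, rotates to another locator prefix when a failure is reported, and shows the gap the reply raises: the inbound mapping trusts the static table, so any host under a mapped locator prefix is accepted as a host under the ULID prefix, with nothing in the packet proving the binding.

```python
import ipaddress
from typing import Dict, List

# Assumed split: top 64 bits = "network portion", low 64 bits = "host portion".
HOST_MASK = (1 << 64) - 1
IPv6Address = ipaddress.IPv6Address
IPv6Network = ipaddress.IPv6Network


def net64(addr: IPv6Address) -> IPv6Network:
    """Return the /64 network portion of an address."""
    return IPv6Network((int(addr) & ~HOST_MASK, 64))


def rewrite64(addr: IPv6Address, net: IPv6Network) -> IPv6Address:
    """Replace the network portion with net's; the host portion is left unchanged."""
    if net.prefixlen != 64:
        raise ValueError("mapping is defined on /64 network portions only")
    return IPv6Address(int(net.network_address) | (int(addr) & HOST_MASK))


class PrefixProxy:
    """Static-table proxy: ULID /64 -> list of locator /64s (hypothetical design)."""

    def __init__(self, table: Dict[IPv6Network, List[IPv6Network]]) -> None:
        self.table = table
        self.active = {ulid: 0 for ulid in table}  # index of the locator in use
        self.reverse = {loc: ulid for ulid, locs in table.items() for loc in locs}

    def to_locator(self, addr: IPv6Address) -> IPv6Address:
        """Outbound: ULID -> currently active locator; unmapped prefixes pass through."""
        ulid_net = net64(addr)
        locs = self.table.get(ulid_net)
        if locs is None:
            return addr
        return rewrite64(addr, locs[self.active[ulid_net]])

    def to_ulid(self, addr: IPv6Address) -> IPv6Address:
        """Inbound: locator -> ULID.

        Nothing in the packet proves that the locator prefix belongs to this
        ULID prefix; the static table is trusted as-is.  That is the binding
        problem the reply above points at.
        """
        ulid_net = self.reverse.get(net64(addr))
        if ulid_net is None:
            return addr
        return rewrite64(addr, ulid_net)

    def mark_failed(self, ulid_net: IPv6Network) -> IPv6Network:
        """Failure-detection hook: rotate to the next locator prefix for ulid_net."""
        locs = self.table[ulid_net]
        self.active[ulid_net] = (self.active[ulid_net] + 1) % len(locs)
        return locs[self.active[ulid_net]]


# Constructed table using documentation prefixes (2001:db8::/32); not real sites.
TABLE = {
    IPv6Network("2001:db8:1:1::/64"): [
        IPv6Network("2001:db8:aaaa:1::/64"),  # locator via provider A (hypothetical)
        IPv6Network("2001:db8:bbbb:1::/64"),  # locator via provider B (hypothetical)
    ],
}


def demo() -> dict:
    proxy = PrefixProxy(TABLE)
    ulid = IPv6Address("2001:db8:1:1::dead:beef")
    out1 = proxy.to_locator(ulid)           # rewritten to provider A's prefix
    back = proxy.to_ulid(out1)              # round-trips to the ULID
    proxy.mark_failed(net64(ulid))          # provider A path reported down
    out2 = proxy.to_locator(ulid)           # now rewritten to provider B's prefix
    # An unrelated host under a mapped locator prefix is mapped into the ULID
    # prefix just the same: the proxy cannot tell it from a legitimate peer.
    spoof = proxy.to_ulid(IPv6Address("2001:db8:bbbb:1::666"))
    return {"out1": str(out1), "back": str(back), "out2": str(out2), "spoof": str(spoof)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because the host portion is copied verbatim, a proxy like this needs no per-host state, which is what makes the static mapping attractive; the same property means the only thing authenticating a rewrite is whoever wrote the table.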
- Re: shim proxy (was Re: failure detection) marcelo bagnulo braun
- Re: shim proxy (was Re: failure detection) Paul Jakma
- Re: shim proxy (was Re: failure detection) marcelo bagnulo braun
- Re: shim proxy (was Re: failure detection) Paul Jakma
- shim proxy (was Re: failure detection) marcelo bagnulo braun