[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: threats ID
-----BEGIN PGP SIGNED MESSAGE-----
>>>> I believe NOID and certainly ODT allow layer 4 to work without
>>> You can believe so, just as you can believe NAT allow layer 4 to work
>>> without changes.
>> I think there is a notable difference. In my reading you are using
>> NAT very loose for all forms of address rewrite. NAT to me does
>> static rewrites, with no form of signaling.
> Wrong. Rewriting is not the essential problem.
> Right. The problem is lack of signaling OF *CONNECTIONS*.
> As you might know, there is no connections and signaling at
> the IP layer.
Right, but along the same lines of reasoning - NAT won't break
anything at the _IP_ layer. It might break things at the ULPs though.
> Thus, the only thing NAT and other layer 3 things can do is
> guessing the connection state by a lack of communication
> for certain period of time, though, sometimes, you can detect
> TCP SYN and FIN.
I would say that this is the difference between (most) of the proposals
in multi6 and NAT. The proposals have provided mechanisms to let ULPs
handle referrals, even when there is rewriting. Something that NAT does
> However, that you observe no traffic over a connection does
> not necessarily mean that the connection is broken.
True. Which is also the topic of a long thread here some time ago.
> There is no signaling unless layer 4 and above are involved,
> though guessing may work for TCP.
The mechanisms to allow address rewrite will have to
a) Leave to the ULPs to handle connection state and connection
verification. An aid in doing this might be to create a middle layer
(the 3.5) which functions as a recording mechanism on state.
b) Provide a means to the ULPs to handle referrals transparently.
Again, this can be done with a shim layer, or in other ways.
>> Especially breaking referrals by hiding the "true" address to the
>> outside world. Most (if not all) id/loc proposals here (claims) that
>> referrals do work. There is a hugh difference, referrals is a crucial
>> component of any multi6 solution. This was also pointed out in the
>> comments by Patrick.
> NAT rewriting is transparent to applicaitons, if the applications
> relies on TCP and DNS and DNS is modified to reflect the rewriting.
> So are other proposals, including mine, as is explained in
> my proposal.
To dive into semantics, part of the problem/difference between multi6
proposals and NAT is the fact that NAT _is_ transparent to the ULPs and
that no state is recorded at the end-nodes. And now we are close to
drifting into the point that Vijay raised on if this is good or not.
- - kurtis -
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
-----END PGP SIGNATURE-----