Re: shim proxy (was Re: failure detection)
On 22/08/2005, at 16:40, Paul Jakma wrote:
On Mon, 22 Aug 2005, marcelo bagnulo braun wrote:
the problem is that there is no way to prove the binding between the
identifier and their locator sets... i.e. any prefix could be used
with any identifier and it would be ok, so any rewriting would be ok,
hence the potential attacks...
If, as a subset of all ULIDs, we allow a set of ULIDs to be composed
of a network identifier (ie the first 64 bits) and a host identifier
(last / least significant 64 bits), ie that the ULID essentially be a
valid IPv6 address (which the shim6 drafts anticipate being possible),
then the 'proxy' can have a static mapping which need only map the
/network/ portion of the ULID to the network portion of a locator. Ie
leaving the host portion unchanged.
The security implications are no different from normal static
forwarding, as far as I can tell.
Some questions about the scheme that you are considering:
- What upper layer identifiers are used in the endpoints? in particular
which prefixes do they contain? global unicast or a special purpose
prefix (as in GSE)?
- Are the endpoints of the communication aware of the prefix sets
(their own and the peer's)? Or is only the proxy aware of them?
- How do they (endpoint and/or proxy) learn the prefix set of the peer?
How are they secured?
- How does the security mechanism for securing the prefix set and the
identifier interact with the proxy and endpoint?
Perhaps you could try to evaluate how such a solution would cope with
the threats described in the threat analysis...
I don't see the threat.
I was referring to the threats described in
draft-ietf-multi6-multihoming-threats-03.txt, which need to be dealt with.
As I said, I consider this proxy capability to be really interesting,
but I am afraid you are underestimating the security issues here.
Paul Jakma Key ID: 64A2FF6A
Don't put off for tomorrow what you can do today because if you enjoy
you can do it again tomorrow.