Re: Shim6 proxies
Scott Leibrand wrote:
> If you're going to do a full proxy, you have to go all the way IMO. That
> means that for whatever locators the end hosts use, whether they have
> multiple locators or not, have to be assumed to be fixed for the session,
> just like ULIDs. The shim6 proxy would then intercept all shim6 control
> traffic to that IP, and perform the shim functions on behalf of the host.
> It would have a bunch of its own locators, which would make up the locator
> set. It could also include the ULID as one of those locators, and
> intercept traffic to that IP with shim6 headers, or I suppose it could
> treat the host's IP as a non-routable identifier for shim6 purposes and
> just use its own locators in the locator set. Either way, the proxy would
> process all shim6-tagged traffic for the host, de-shim it as normal, and
> then pass the traffic along to the host's IP instead of passing it up to

I think such a proxy could be built, but instead of relying on some
complex DHCPv6 coordination of the address assigned to a host, it is
much, much easier to build and deploy as an IPv6 NAT + shim6 proxy.
Thus the host picks a single IPv6 address just like today (using
stateless address autoconfig or DHCPv6) and the NAT maintains a 1-1
mapping between those local addresses and a ULID (and HBA/CGA parameter
set); thus the NAT doesn't need to mess with the port numbers.
The proxy then does all of shim6 on behalf of the host.

One disadvantage with this approach is that the proxy becomes a single
point of failure for a TCP connection. But since the 1-1 mapping can be
fixed it can be more easily shared across a pair of such NATting proxies
than today's IPv4 NATs that rewrite port numbers.

Another disadvantage is that you probably need a two-faced DNS
(different answers for internal queries than external ones) so that
site-internal traffic can use whatever local IPv6 addresses (ULAs?) that
are assigned to the hosts.

A third disadvantage is that things which don't work through NAT might
not work through such a proxy.

So I don't think such a proxy is desirable long-term, even though it can
be valuable as part of a transition to shim6.

And as I said, the alternative that Marcelo has been talking about where
the DHCPv6 address assignment to the host is coordinated with the shim6
proxy is a lot more complex.

Thus asking what traffic engineering influence can be accomplished with
a locator rewrite by the routers is still a very important question in
my mind when it comes to the longer-term direction.
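To make the "IPv6 NAT + shim6 proxy" idea above concrete, here is an added toy model that is not code from the shim6 working group or from either message author. It assumes constructed addresses (a ULA-numbered host `fd00::10`, ULID `2001:db8:a::10`, proxy locators in `2001:db8:a::/48` and `2001:db8:b::/48`, a peer with two locators), follows the option in the quoted text of treating the host's ULID as a non-routable identifier with the proxy's own locators in the locator set, and models the shim6 headers only as a `(src_ulid, dst_ulid)` pair on a `Packet` object rather than the real wire format. It shows the fixed 1-1 address mapping with untouched ports, rerouting when a peer locator fails, and why a cold standby proxy that copied only the static mapping table can still deliver replies, whereas a standby of a port-rewriting NAT cannot.

```python
"""Toy model of a 1-1 IPv6 NAT that runs shim6 on behalf of the hosts behind it.
Added illustration; all addresses and the Packet shape are constructed for the
example, and the ULID/locator handling is a sketch of the shim6 idea, not its wire format.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                  # address on the wire: local address, ULID or locator
    dst: str
    src_port: int
    dst_port: int
    payload: str
    ulid_pair: Optional[tuple] = None   # (src_ulid, dst_ulid) when locators differ from ULIDs


class Shim6NatProxy:
    """1-1 address NAT plus shim6 endpoint; port numbers are never rewritten."""

    def __init__(self, own_locators):
        self.own_locators = list(own_locators)   # the proxy's locator set (constructed)
        self.local_to_ulid, self.ulid_to_local = {}, {}   # fixed 1-1 mapping
        self.peer_locators = {}                  # peer ULID -> its locator set
        self.failed = set()                      # locators currently unreachable

    def bind(self, local_addr, ulid):
        if local_addr in self.local_to_ulid or ulid in self.ulid_to_local:
            raise ValueError("mapping must stay 1-1")
        self.local_to_ulid[local_addr] = ulid
        self.ulid_to_local[ulid] = local_addr

    def learn_peer(self, peer_ulid, locators):
        self.peer_locators[peer_ulid] = list(locators)

    def mark_failed(self, locator):
        self.failed.add(locator)

    def _usable(self, candidates):
        live = [loc for loc in candidates if loc not in self.failed]
        if not live:
            raise RuntimeError("no reachable locator")
        return live[0]

    def outbound(self, pkt):
        """Host -> proxy -> Internet: swap local address for ULID, then choose locators."""
        src_ulid = self.local_to_ulid[pkt.src]           # unknown host -> KeyError
        dst_ulid = pkt.dst                                # hosts address peers by ULID
        src_loc = self._usable(self.own_locators)
        dst_loc = self._usable(self.peer_locators.get(dst_ulid, [dst_ulid]))
        shim = (src_ulid, dst_ulid) if (src_loc, dst_loc) != (src_ulid, dst_ulid) else None
        return Packet(src_loc, dst_loc, pkt.src_port, pkt.dst_port, pkt.payload, shim)

    def inbound(self, pkt):
        """Internet -> proxy -> host: de-shim to the ULID pair, map ULID to local address."""
        peer_ulid, my_ulid = pkt.ulid_pair if pkt.ulid_pair else (pkt.src, pkt.dst)
        local = self.ulid_to_local[my_ulid]               # not one of our ULIDs -> KeyError
        return Packet(peer_ulid, local, pkt.src_port, pkt.dst_port, pkt.payload)

    def export_state(self):
        """All a standby needs is the static mapping table; no per-flow state exists."""
        return dict(self.local_to_ulid)

    def import_state(self, mapping):
        for local_addr, ulid in mapping.items():
            self.bind(local_addr, ulid)


class PortRewritingNat:
    """Contrast case: an IPv4-style NAT whose translation state is created per flow."""

    def __init__(self, public_addr):
        self.public_addr, self.flows, self.next_port = public_addr, {}, 10000

    def outbound(self, pkt):
        port, self.next_port = self.next_port, self.next_port + 1
        self.flows[port] = (pkt.src, pkt.src_port)        # dynamic state a standby lacks
        return Packet(self.public_addr, pkt.dst, port, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        local_addr, local_port = self.flows[pkt.dst_port]   # unknown flow -> KeyError
        return Packet(pkt.src, local_addr, pkt.src_port, local_port, pkt.payload)


def standby_delivers(primary, standby, reply):
    """Does a standby holding only copied static config deliver the same as the primary?"""
    try:
        return standby.inbound(reply).dst == primary.inbound(reply).dst
    except KeyError:
        return False


def run_scenario():
    """Normal traffic, a peer locator failure, then failover to a standby proxy/NAT."""
    host, ulid, peer = "fd00::10", "2001:db8:a::10", "2001:db8:c::5"   # constructed
    locators = ["2001:db8:a::1", "2001:db8:b::1"]
    proxy = Shim6NatProxy(locators)
    proxy.bind(host, ulid)
    proxy.learn_peer(peer, [peer, "2001:db8:d::5"])
    req = Packet(host, peer, 40000, 80, "GET /")
    first = proxy.outbound(req)
    proxy.mark_failed(peer)                      # path to the peer's first locator dies
    rerouted = proxy.outbound(req)
    reply = Packet("2001:db8:d::5", "2001:db8:a::1", 80, 40000, "200 OK", (peer, ulid))
    standby = Shim6NatProxy(locators)
    standby.import_state(proxy.export_state())   # static table is the whole hand-over
    nat, nat_standby = PortRewritingNat("2001:db8:a::1"), PortRewritingNat("2001:db8:a::1")
    nat_reply = Packet(peer, "2001:db8:a::1", 80, nat.outbound(req).src_port, "200 OK")
    return {
        "first_dst": first.dst, "first_shim": first.ulid_pair,
        "rerouted_dst": rerouted.dst, "delivered_to": proxy.inbound(reply).dst,
        "standby_shim6_ok": standby_delivers(proxy, standby, reply),
        "standby_nat_ok": standby_delivers(nat, nat_standby, nat_reply),
    }
```

The scenario reproduces the two failure cases the message raises: losing one peer locator is handled by the proxy alone, and losing the proxy itself is survivable only because the thing a standby must replicate is a fixed address table rather than a live port-mapping table.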