[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: I-D ACTION:draft-nward-v6ops-teredo-server-selection-00.txt
On 4/07/2007, at 7:48 PM, Rémi Denis-Courmont wrote:
On Wed, 4 Jul 2007 10:16:40 +1200, Nathan Ward <email@example.com>
Morning (or whatever's appropriate),
This document is incomplete, and there are some notes at the end
about what needs doing/thinking about, based on some initial comments
from Christian Huitema and Jim Hoagland.
Comments welcome (and encouraged!).
If folks decide that one of these approaches (or some other approach
that we come up with) is good, I intend to clean up/re-arrange the
document to describe the solution, the alternatives, and why we
didn't choose them. Right now it's intended to generate discussion,
and describe some ideas.
Section 2.3 says:
In addition, if this malicious party is or otherwise has access
root certificate authority that is trusted by the client's
application, a transparent attack on SSL-secured applications -
as HTTPS secured banking applications - could easily be performed.
Now, if this is possible, it's something terribly wrong with the
not with Teredo. I think that paragraph goes out of scope.
Fair enough, it was intended as an example of how bad it could be.
I would personnaly support the anycast solution. I'll be more than
to update my zone A RRs points to an anycast address if it gets to
I know that Microsoft is using DNS-based round-robin to balance the
but I am not sure if this is really needed... Since Teredo servers are
fully stateless, there should be no problem doing round-robin or any
other kind of load-balancing at the IP routing level.
The real problem is, how would anycast interact with hole punching? It
*might* just work out of the box, but I am not 100% sure...
Anycast is good, but I think it's important that the clients are
default configured with a vendor agnostic DNS name that points to the
anycast address as well. That means that the control is entirely with
the SP, and there is no reliance on third party DNS names etc. Also,
if providers don't have the ability to anycast, or need the ability
to point clients at multiple servers and can't do it with IP-level
load balancing for some reason, they can.