Re: Tagging traffic (Was: CPE equipments and stateful filters)
On 23-jul-2007, at 15:00, Jeroen Massar wrote:
> I am actually starting to believe that we really need a secure
> à la uPnP for requesting 'privileges' for sending packets over a
> border, current NAT boxes/gateways.
> Let's say I am sitting behind my laptop, and I want to go to
> www.wikipedia.org (http over tcp, port 80) then my host should 'ask' a
> $device on the network if I am allowed to make a TCP connection to
> 80 of www.wikipedia.org. $device in the network then gives me a tag
> saying 'here you go' and distributes this tag also to the firewalls
> that are in the network to allow traffic tagged with this through.
Long, long ago in a galaxy far, far away we tried to come up with a
way to do scalable multihoming for IPv6. One of the approaches I came
up with (yes, I came up with several, as did a bunch of other people,
we had 30+ active drafts at one point) (although I think I never
wrote a draft for this one) was:
Make middleboxes part of the architecture. Those middleboxes would
then be able to do pretty much what shim6 does, and a lot of other
things. One of those things would be limiting access to the outside
world based on the application and application version. So if today
there's a new vulnerability in your favorite browser, tomorrow that
browser can't connect to the rest of the world but only to
favoritebrowserupdate.com. Another feature that you get for free is
translation between IPv4 and IPv6.
If you squint a bit you may notice that using a proxy pretty much
gives you this in a more ad-hoc way.
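The following is an added illustration of the two ideas in this exchange (the quoted "ask $device for a tag" scheme and the reply's "middlebox restricts a vulnerable application version to its update host" policy); it is not code from either poster. It assumes a shared HMAC key between the tag-issuing $device and the firewalls, a constructed policy table, and constructed application names, hostnames and timestamps; the real proposals name none of these.

```python
import hmac
import hashlib
import json
import time

# Constructed sample policy (an assumption for this example, not from the
# thread): application versions with a known vulnerability may only reach
# their own update host until they are updated.
VULNERABLE_VERSIONS = {("favoritebrowser", "12.0")}
UPDATE_HOST = "favoritebrowserupdate.com"


def _mac(key: bytes, claims: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the tag's claims."""
    msg = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TagAuthority:
    """The $device: decides whether a flow is allowed and issues a tag."""

    def __init__(self, key: bytes, ttl: int = 300):
        self.key = key
        self.ttl = ttl          # seconds a tag stays valid
        self.firewalls = []

    def register_firewall(self, fw: "Firewall") -> None:
        self.firewalls.append(fw)

    def request_tag(self, app, version, dst, port, proto, now=None):
        """Host asks for (app, version, dst, port, proto); returns a tag or None."""
        now = int(time.time()) if now is None else now
        if (app, version) in VULNERABLE_VERSIONS and dst != UPDATE_HOST:
            return None     # policy: this version may only talk to its updater
        claims = {"app": app, "version": version, "dst": dst,
                  "port": port, "proto": proto, "exp": now + self.ttl}
        tag = {"claims": claims, "mac": _mac(self.key, claims)}
        for fw in self.firewalls:        # "distributes this tag to the firewalls"
            fw.install_tag(tag)
        return tag


class Firewall:
    """A border filter that only passes flows carrying a tag it was given."""

    def __init__(self, key: bytes):
        self.key = key
        self.installed = {}     # mac -> claims

    def install_tag(self, tag) -> None:
        # Re-verify the MAC instead of trusting the distribution channel.
        if hmac.compare_digest(tag["mac"], _mac(self.key, tag["claims"])):
            self.installed[tag["mac"]] = tag["claims"]

    def allow(self, tag, dst, port, proto, now=None) -> bool:
        """Admit a packet only if its tag is installed, unexpired and matches."""
        now = int(time.time()) if now is None else now
        claims = self.installed.get(tag["mac"]) if tag else None
        if claims is None:
            return False        # untagged, forged, or never distributed here
        if claims["exp"] < now:
            del self.installed[tag["mac"]]
            return False        # stale tag: drop it and the flow
        return (claims["dst"], claims["port"], claims["proto"]) == (dst, port, proto)


def demo() -> dict:
    """Exercise the exchange with constructed inputs; returns outcome per case."""
    key = b"constructed-shared-key"
    auth = TagAuthority(key)
    fw = Firewall(key)
    auth.register_firewall(fw)
    t0 = 1_000_000      # constructed clock value
    tag = auth.request_tag("favoritebrowser", "13.0",
                           "www.wikipedia.org", 80, "tcp", now=t0)
    forged = {"claims": dict(tag["claims"]), "mac": "00" * 32}
    return {
        "good_version_wiki": fw.allow(tag, "www.wikipedia.org", 80, "tcp", now=t0),
        "tag_reused_for_other_port": fw.allow(tag, "www.wikipedia.org", 443, "tcp", now=t0),
        "forged_tag": fw.allow(forged, "www.wikipedia.org", 80, "tcp", now=t0),
        "vuln_version_wiki": auth.request_tag("favoritebrowser", "12.0",
                                              "www.wikipedia.org", 80, "tcp", now=t0) is not None,
        "vuln_version_updater": auth.request_tag("favoritebrowser", "12.0",
                                                 UPDATE_HOST, 443, "tcp", now=t0) is not None,
        "expired": fw.allow(tag, "www.wikipedia.org", 80, "tcp", now=t0 + 301),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'allow' if outcome else 'deny'}")
```

The firewall keys its decision on a tag it received from the authority and re-verified, so a host cannot mint its own tag, reuse one for a different destination or port, or keep using one past its expiry; the policy decision (including the "vulnerable version only reaches its updater" rule) lives in one place and the filters only enforce what was issued.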