Re: Merge NAT-PT approaches?
On 21 dec 2007, at 4:47, Brian E Carpenter wrote:
> I'm sympathetic to the idea. Bringing in the shim action
> only when it's actually needed sounds good in principle.
> The devil is in the details, of course, but we can
> investigate that off-list if people would like us
> to follow this up.

One thing before we jump into specifics:
I don't think reusing parts from shim6 makes a lot of sense for
authentication. There are already several datagram-based
authentication mechanisms, and they can get quite complex. If a host
needs to authenticate towards a NAT-PT translator, it would be much
simpler to set up a TLS-protected TCP session and then do simple
user/password authentication. Then, the translator can trust all packets
coming from the source address in question, or it can provide the host
with a session key that can then be used in further shim signaling.