nanog mailing list archives

Re: shim6 (was Re: IPv6 news)

From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Sat, 15 Oct 2005 15:58:56 +0000 (GMT)



On Fri, 14 Oct 2005, David Conrad wrote:

Christopher,


(chris is fine, silly corp email doesn't let us have sane addresses :( )

On Oct 14, 2005, at 9:32 PM, Christopher L. Morrow wrote:

You know, if you describe it that way too many times, people who are
only paying half-attention are going to say "IPv6 has something
almost
like NAT, only different".

you know... shim6 could make 'source address' pointless, you COULD
just do
NAT instead :) or do shim6 which looks like NAT ... if you don't
get the
host auth parts correct/done-well you might even be able to send
traffic
off to the 'wrong' place :) it'll be neat!


I believe relying on the address as any sort of authentication is a
mistake.  Given IPv6 was, at least in theory, supposed to require


in v4 it's not used that way, in v6 I'd hope the trend continues. If there
isn't some very good form of authentication built into the shim solution
it may be possible for an attacker in the packet path (or who can guess
well enough) to tell either endpoint that there was a path failure and
it's time to use a new ip address for the current conversation. anyway,
shim6 isn't hear yet, and I'm sure someone would have thought of this
problem before :)

IPSEC, I would have thought the use of the source address for
anything other than connection demultiplexing would have been a waste
of time.

Of course, that assumes that people actually implement "required"
parts of protocol specifications.  As has been seen countless times,
what happens in practice doesn't seem to conform to what is required
in theory.  Do all IPv6 stacks implement IPSEC?


Merike has some interesting information about this... from what I
understand not everyone implemented all the 'required' parts :( I wonder
how quickly SA's can be re-done for conversations in a shim world? will
they have to be or could the SA be tied to the ULID? Probably also
something fun for the shim folks to figure out. I'd hate to have to
re-negotiate ipsec associations everytime I thought there was a path
failure :(

Current thread:

Re: shim6 (was Re: IPv6 news), (continued)
- - - Re: shim6 (was Re: IPv6 news) william(at)elan.net (Oct 14)
    - Re: shim6 (was Re: IPv6 news) bmanning (Oct 14)
    - Re: shim6 (was Re: IPv6 news) John Payne (Oct 14)
    - Re: shim6 vs nanog bmanning (Oct 14)
    - Re: shim6 vs nanog John Payne (Oct 14)
    - Re: shim6 (was Re: IPv6 news) Pekka Savola (Oct 16)
    - Re: shim6 (was Re: IPv6 news) Daniel Roesen (Oct 14)
    - Re: shim6 (was Re: IPv6 news) Valdis . Kletnieks (Oct 14)
    - Re: shim6 (was Re: IPv6 news) Christopher L. Morrow (Oct 14)
    - Re: shim6 (was Re: IPv6 news) David Conrad (Oct 14)
    - Re: shim6 (was Re: IPv6 news) Christopher L. Morrow (Oct 15)
    - Re: shim6 (was Re: IPv6 news) Crist Clark (Oct 14)
    - Re: shim6 (was Re: IPv6 news) Daniel Roesen (Oct 14)
    - Re: shim6 (was Re: IPv6 news) David Meyer (Oct 14)
    - Re: shim6 (was Re: IPv6 news) Crist Clark (Oct 14)
    - Re: shim6 (was Re: IPv6 news) Paul Vixie (Oct 14)
    - Re: shim6 (was Re: IPv6 news) william(at)elan.net (Oct 14)
    - Re: shim6 (was Re: IPv6 news) David Conrad (Oct 14)
    - Re: shim6 (was Re: IPv6 news) Paul Vixie (Oct 15)
    - Re: shim6 (was Re: IPv6 news) Bill Woodcock (Oct 17)
    - Re: shim6 (was Re: IPv6 news) Tony Li (Oct 17)

(Thread continues...)