Hi BRSKI authors,

Is the following correct?

Topology (ASCII art):
                   ___________
                  | REGISTRAR |
                  |___________|
                        |Ar
                        | 
                   ...........
                  (    ACP    )
                 (   routing   )
                  (   cloud   )
                   ...........
                        |
                        |Ax
                   _____|_____
                  |   PROXY   |
                  |___________|
                   |Lx1      |Lx2 
                   |         |
                   |         |
  -------LAN1---------      -------LAN2----------
      |                                     |
      |Lp                                   |Lp
  ____|____                              ___|_____ 
 | PLEDGE1 |                            | PLEDGE2 |
 |_________|                            |_________| 

Assumptions:

Pledges have link-local address Lp. By chance, they are equal. (Nothing in
the standards prevents them from being equal. Even pseudo-random numbers can
be equal, so this case must work.)

Proxy has link-local addresses Lx1, Lx2 and ACP address Ax. We can require
that Lx1 != Lx2.

Registrar has ACP address Ar.

Packets for a UDP example:

(somewhat simplified IPv6 packets!)

Pledge sends to proxy [Lp, Lx1, 17, UDP-PAYLOAD1]

Proxy sends to Registrar [Ax, Ar, 41, [Lp, Lx1, 17, UDP-PAYLOAD1]]

Registrar replies to proxy [Ar, Ax, 41, [Lx1, Lp, 17, UDP-PAYLOAD2]]

Proxy replies to pledge [Lx1, Lp, 17, UDP-PAYLOAD2]

Note that the registrar echoes back the addresses Lp and Lx but they mean
nothing to it. The registrar simply borrows the proxy's LL address Lx
for the purpose of replying.

Note that even the 2-tuple {Ax, Lp} might not uniquely identify the pledge.
Since the proxy will have at least two interfaces, the address Lp might
exist on multiple LANs. However, the proxy will have different link-local
addresses on the two LANs, so the 3-tuples {Ax, Lp, Lx1} and {Ax, Lp, Lx2}
will be unique. Hence the registrar can distinguish the transactions.

So, what the registrar needs to tell the proxy is: I accept IP in IP on address Ar.
Nothing else - no port number, no link-local address.

What the proxy needs to tell the pledge is: I accept BRSKI/TCP
or BRSKI/UDP on address Lx. And if it chooses to use IPIP to contact
the registrar, it simply forwards the packets as-is in both directions,
encapsulating and decapsulating accordingly. The pledge knows nothing about
IPIP.

Regards
   Brian

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
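The packet flow and the 3-tuple argument above, modelled as an added example (not code from the message, from the BRSKI drafts, or from any ANIMA implementation). The addresses, the Packet class and the Proxy/Registrar classes are all constructed for illustration; the two pledges are deliberately given the same link-local address Lp, the proxy encapsulates with next header 41 exactly as in the message, and the registrar keys its sessions on {Ax, Lp, Lx} so that the two transactions stay distinct even though {Ax, Lp} collides.

```python
"""Model of the BRSKI IP-in-IP proxy flow described in the message.

Pledge <-> proxy runs over link-local addresses; proxy <-> registrar runs
over the ACP with IPv6-in-IPv6 (next header 41).  Everything here is a
simplified, constructed model: no real ACP, link-local or registrar code.
"""
from dataclasses import dataclass

IPPROTO_UDP = 17
IPPROTO_IPV6 = 41  # IPv6-in-IPv6 encapsulation, as in the message's packets


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    nh: int          # next header / protocol number
    payload: object  # bytes for UDP, an inner Packet when nh == 41


# Constructed addresses (placeholders, not real ACP or link-local values).
LP = "fe80::1"          # link-local address of BOTH pledges, by chance equal
LX1 = "fe80::a:1"       # proxy link-local address on LAN1
LX2 = "fe80::a:2"       # proxy link-local address on LAN2
AX = "fd00:acp::10"     # proxy ACP address
AR = "fd00:acp::1"      # registrar ACP address


class Proxy:
    """Forwards packets as-is, only adding or removing the outer header."""

    def __init__(self, acp_addr, registrar_addr, lan_addrs):
        self.acp_addr = acp_addr
        self.registrar_addr = registrar_addr
        self.lan_addrs = dict(lan_addrs)  # link-local address -> LAN name

    def to_registrar(self, pkt):
        """Pledge -> proxy -> registrar: wrap the link-local packet in IPIP."""
        if pkt.dst not in self.lan_addrs:
            raise ValueError("not addressed to one of the proxy's link-local addresses")
        return Packet(self.acp_addr, self.registrar_addr, IPPROTO_IPV6, pkt)

    def to_pledge(self, outer):
        """Registrar -> proxy -> pledge: strip the outer header, pick the LAN."""
        if outer.nh != IPPROTO_IPV6 or outer.dst != self.acp_addr:
            raise ValueError("not an IPIP packet for this proxy")
        inner = outer.payload
        if inner.src not in self.lan_addrs:
            raise ValueError("inner source is not a proxy link-local address")
        # The inner source (Lx1 or Lx2) tells the proxy which LAN to use.
        return self.lan_addrs[inner.src], inner


class Registrar:
    """Keys each transaction on the 3-tuple {Ax, Lp, Lx}, never on {Ax, Lp}."""

    def __init__(self, acp_addr):
        self.acp_addr = acp_addr
        self.sessions = {}  # 3-tuple -> list of received UDP payloads

    @staticmethod
    def key(outer):
        inner = outer.payload
        return (outer.src, inner.src, inner.dst)  # (Ax, Lp, Lx)

    def handle(self, outer, reply_payload):
        if outer.nh != IPPROTO_IPV6 or outer.dst != self.acp_addr:
            raise ValueError("not an IPIP packet for this registrar")
        inner = outer.payload
        self.sessions.setdefault(self.key(outer), []).append(inner.payload)
        # Echo the addresses back, borrowing the proxy's Lx as the source.
        inner_reply = Packet(inner.dst, inner.src, inner.nh, reply_payload)
        return Packet(self.acp_addr, outer.src, IPPROTO_IPV6, inner_reply)


def run_example():
    """Both pledges send the same-looking UDP packet; check the registrar
    still sees two sessions and each reply lands back on the right LAN."""
    proxy = Proxy(AX, AR, {LX1: "LAN1", LX2: "LAN2"})
    registrar = Registrar(AR)

    p1 = Packet(LP, LX1, IPPROTO_UDP, b"UDP-PAYLOAD1 from pledge1")
    p2 = Packet(LP, LX2, IPPROTO_UDP, b"UDP-PAYLOAD1 from pledge2")

    replies = {}
    for sent_on, pkt in (("LAN1", p1), ("LAN2", p2)):
        outer = proxy.to_registrar(pkt)
        back = registrar.handle(outer, b"UDP-PAYLOAD2")
        delivered_on, reply = proxy.to_pledge(back)
        replies[sent_on] = (delivered_on, reply)

    return {
        "three_tuples": sorted(registrar.sessions),
        "two_tuples": sorted({(k[0], k[1]) for k in registrar.sessions}),
        "replies": replies,
    }


if __name__ == "__main__":
    result = run_example()
    print("3-tuples seen by registrar:", result["three_tuples"])
    print("2-tuples seen by registrar:", result["two_tuples"])
    for lan, (delivered_on, reply) in result["replies"].items():
        print(f"sent on {lan}: reply delivered on {delivered_on} as "
              f"[{reply.src}, {reply.dst}, {reply.nh}, {reply.payload!r}]")
```

Running it shows one 2-tuple (Ax, Lp) but two distinct 3-tuples, and each reply carrying Lx1 or Lx2 as its inner source so the proxy can return it on the LAN the request came from. The registrar never interprets Lp or Lx beyond using them as a session key and echoing them back, which is the point the message makes.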
