Hi Joe,

> -----Original Message-----
> From: Joe Touch [mailto:[email protected]]
> Sent: Tuesday, December 06, 2016 11:11 AM
> To: Templin, Fred L <[email protected]>; Lucy yong <[email protected]>; Brian E Carpenter <[email protected]>; [email protected]
> Subject: Re: [Int-area] Some thoughts on draft-yong-intarea-inter-sites-over-tunnels
>
> Fred,
>
> First, we are violently agreeing that subnet redirect works only where
> source addresses cannot be spoofed. The problem is that this is not the
> typical case, so it's not a generic solution IMO.

The same can be said about ordinary host-based Redirect (it only works where the source address cannot be spoofed). The only difference is that the attack surface is larger for subnet redirection, which is why RFC 6706 does the due diligence of supporting data origin authentication. Again, this is to defeat "insider" attacks. In environments where insider attacks are not a matter of concern, there is not even a need for data origin authentication.

> On the general architecture point:
>
> On 12/6/2016 11:04 AM, Templin, Fred L wrote:
> > ...
> >> The X-Bone works too, and didn't need any of that specialized code
> >> above.
> > Has X-Bone carried forward into modern implementations?
> Its model for IPsec transport + IPIP tunnels is used in commercial routers.

ISATAP is in commercial routers and widely deployed host implementations too. Go to any Windows host, open a command window and type "ipconfig" and you will see an ISATAP interface. (The code is also in Linux.)

> It doesn't require new code anywhere, though - it has been compatible
> with OS-X, FreeBSD, and Linux for nearly 20 years.
>
> And its model is the basis of the tunnel draft.
>
> We can continue to do things the hard way, needing new code and
> mechanism, or the easy way that does not. I prefer the easy way.

AERO uses the NBMA tunnel virtual link model, meaning that IPv6 ND works the same as for an NBMA physical link. The model supports traffic engineering, multi-homing, route optimization, fault tolerance, mobility management and security. Do you have a solution for these that does not require new code?

Thanks - Fred
[email protected]

> Joe

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
