On 02-Mar-19 14:46, Tom Herbert wrote:
> Hi Brian,
> 
> One comment...
> 
> From the draft:
> 
> "5.   Firewall and Service Tickets (FAST).  Such tickets would
> accompany a packet to claim the right to traverse a network or request
> a specific network service [I-D.herbert-fast].  They would only be
> valid within a particular domain."
> 
> While it's true that Firewall and Service Tickets (in HBH
> extension headers) are only valid in a particular domain, that really
> means that they are only interpretable in the origin domain that
> created the ticket. It's essential in the design that FAST tickets can
> be exposed outside of their origin domain (e.g. used over the
> Internet) and reflected back into the origin domain by peer hosts.
> FAST tickets contain their own security (they are encrypted and signed
> by agent in the origin network) so there should never be any reason
> for a firewall to arbitrarily filter or limit packets with FAST
> tickets attached. This technique could probably be applied to some of
> the other use cases mentioned.

Yes, that's an interesting model: effectively a domain split into various
parts without needing a traditional VPN.

Of course, there remains the bogeyman of making the Internet transparent
to some new unknown option or extension header. I'm pessimistic about that.
So far we have had poor success.

    Brian

> 
> Thanks,
> Tom
> 
> On Fri, Mar 1, 2019 at 5:08 PM Brian E Carpenter
> <[email protected]> wrote:
>>
>> A few small updates and fixes to references. Please comment;
>> the authors are wondering about next steps for this draft.
>>
>>     Brian + Bing
>>
>> -------- Forwarded Message --------
>> Subject: I-D Action: draft-carpenter-limited-domains-06.txt
>> Date: Fri, 01 Mar 2019 17:04:37 -0800
>> From: [email protected]
>> Reply-To: [email protected]
>> To: [email protected]
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts 
>> directories.
>>
>>
>>         Title           : Limited Domains and Internet Protocols
>>         Authors         : Brian Carpenter
>>                           Bing Liu
>>         Filename        : draft-carpenter-limited-domains-06.txt
>>         Pages           : 24
>>         Date            : 2019-03-01
>>
>> Abstract:
>>    There is a noticeable trend towards network requirements, behaviours
>>    and semantics that are specific to a limited region of the Internet
>>    and a particular set of requirements.  Policies, default parameters,
>>    the options supported, the style of network management and security
>>    requirements may vary.  This document reviews examples of such
>>    limited domains, also known as controlled environments, and emerging
>>    solutions, and develops a related taxonomy.  It then briefly
>>    discusses the standardization of protocols for limited domains.
>>    Finally, it shows the needs for a precise definition of limited
>>    domain membership and for mechanisms to allow nodes to join a domain
>>    securely and to find other members, including boundary nodes.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-carpenter-limited-domains/
>>
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-carpenter-limited-domains-06
>> https://datatracker.ietf.org/doc/html/draft-carpenter-limited-domains-06
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-carpenter-limited-domains-06
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> I-D-Announce mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/i-d-announce
>> Internet-Draft directories: http://www.ietf.org/shadow.html
>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>
>> _______________________________________________
>> Int-area mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/int-area
> 

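The property Tom describes above (a ticket that is encrypted and signed by an agent in the origin domain, can travel across the Internet, and is only interpretable when a peer reflects it back into the origin domain) can be illustrated with a small authenticated-encryption model. The following is an added example written for this thread; it is not code from the limited-domains draft or from [I-D.herbert-fast], and the wire layout, the use of AES-GCM with the domain name as associated data, the expiry field and every name in it (`Agent`, `Issue`, `Verify`) are assumptions made here for illustration. It shows what the boundary check of the origin domain looks like: a genuine ticket is accepted, while a modified ticket, a ticket from a domain with a different key, an expired ticket or a truncated one is rejected, and nothing outside the domain can read the service name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"time"
)

// Ticket wire format (constructed for this example, not the draft's):
//   nonce (12 bytes) || AES-GCM ciphertext || 16-byte tag
// plaintext = expiry as unix seconds (8 bytes, big-endian) || service name
// The domain name is GCM associated data, so a ticket only opens when the
// verifier expects the same domain and holds the same key.
const nonceLen = 12

var (
	ErrMalformed = errors.New("fast: ticket too short")
	ErrForged    = errors.New("fast: authentication failed (foreign, forged or modified ticket)")
	ErrExpired   = errors.New("fast: ticket expired")
)

// Agent is the origin-domain ticket authority (hypothetical name). Only it,
// and boundary nodes it shares the key with, can issue or interpret tickets.
type Agent struct {
	domain string
	aead   cipher.AEAD
}

// NewAgent builds an agent for `domain`; key must be 16, 24 or 32 bytes.
func NewAgent(domain string, key []byte) (*Agent, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Agent{domain: domain, aead: aead}, nil
}

// Issue creates a ticket granting `service` until now+ttl. The result is
// opaque to every node outside the origin domain.
func (a *Agent) Issue(service string, ttl time.Duration, now time.Time) ([]byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	plain := make([]byte, 8+len(service))
	binary.BigEndian.PutUint64(plain, uint64(now.Add(ttl).Unix()))
	copy(plain[8:], service)
	// Seal appends ciphertext||tag after the nonce, giving nonce||ct||tag.
	return a.aead.Seal(nonce, nonce, plain, []byte(a.domain)), nil
}

// Verify is the check run at the domain boundary when a peer host reflects
// a ticket back in. It returns the service the ticket grants, or an error
// that says why the packet should not receive the claimed treatment.
func (a *Agent) Verify(ticket []byte, now time.Time) (string, error) {
	if len(ticket) < nonceLen+a.aead.Overhead()+8 {
		return "", ErrMalformed
	}
	nonce, sealed := ticket[:nonceLen], ticket[nonceLen:]
	plain, err := a.aead.Open(nil, nonce, sealed, []byte(a.domain))
	if err != nil {
		return "", ErrForged // wrong key, wrong domain, or bits changed in transit
	}
	expiry := time.Unix(int64(binary.BigEndian.Uint64(plain[:8])), 0)
	if !now.Before(expiry) {
		return "", ErrExpired
	}
	return string(plain[8:]), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key
	origin, _ := NewAgent("origin.example", key)
	now := time.Now()
	ticket, _ := origin.Issue("low-latency", time.Hour, now)
	fmt.Printf("ticket is %d opaque bytes\n", len(ticket))
	svc, err := origin.Verify(ticket, now)
	fmt.Println("origin boundary:", svc, err)
	other, _ := NewAgent("other.example", []byte("fedcba9876543210fedcba9876543210"))
	_, err = other.Verify(ticket, now)
	fmt.Println("foreign domain:", err)
}
```

The point for a transit firewall is that `Verify` is only meaningful with the origin domain's key: a middlebox elsewhere sees random-looking bytes it can neither read nor usefully alter, so the sensible policy outside the domain is to pass the option through, while all enforcement happens at the origin boundary.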