> From: Robert Elz [mailto:[EMAIL PROTECTED]]
> From: "Christian Huitema" <[EMAIL PROTECTED]>
>
> | I think we must meet the following requirements:
>
> If all that is to be done, then it would probably be easier to
> just use TCP. That doesn't, of itself, satisfy all the requirements,
> but it makes it a lot easier to handle them (eg: it pretty much handles
> the two way data problem, and it allows some kind of authentication that
> doesn't have to be repeated for every packet).

In fact, if you really want to maximize the chances of going through
"hostile territory", you probably want to use IPv6 > HTTP > TLS > TCP.
And yes, I do mean "https"; using a different port would allow the
network police to see you and catch you. This would get you through
firewalls as well as NAT. OTOH, shipping this kind of solution will also
get you "interesting" comments from network managers. Also, you may have
a small problem with the packets' latencies.
Seriously, I believe that most of the requirements can be met pretty
easily. You need to design a protocol that starts with a formal
handshake, probably similar in nature to the PPP control protocol:
provide credentials in a format that is compatible with a Radius
back-end. You want the handshake to be at least a three-way handshake,
so as to ensure that the connection actually works. You may want to
negotiate something like ESP or TLS. As Franci points out, once the
connection is set and the identities have been validated, then we
probably are home free -- use autoconfig if needed, use NUD, etc.
-- Christian Huitema
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------