>>>>> "Yoav" == Yoav Nir <[email protected]> writes:
>> You didn't take my comments too far; I think you realized that I was in
>> fact saying two things:
>>
>> 1) when traffic is redirected, MUST it be redirected directly to the
>> real endpoint? (There might be issues of in-band double NAT that
>> 2) when traffic is redirected, MAY it be redirected more than once?
Yoav> Aren't these really the same question?
case 1: Q1: yes, Q2: yes.
Must redirect to the final end point, but it is okay for redirection
to occur multiple times. This implies that when A is redirected
to H2, no SA is created with H2, but rather there is an
immediate redirection to H3, and again to B.
case 2: Q1: yes, Q2: no.
Must redirect to the final end point, but redirection not permitted.
H1 must get the address of B via "magic" and tell A about it.
case 3: Q1: no, Q2: yes.
Final end point not required, multiple redirection.
H1 can redirect to H2. A sends traffic to H2.
H2 can decide to send a new redirect to H3 based upon seeing
what traffic is arriving.
(Note that B might get redirected by H2 for traffic for A to H2,
and now we have A<-->H2<-->B, and now H2 actually knows about
both A and B, and can either easily link them directly, or realize
that neither is directly reachable, and since H2 has plentiful
bandwidth, it doesn't care...)
case 4: Q1: no, Q2: no.
H1 should either redirect to B directly, or can redirect to
H3, but H1 has to know whether or not B is directly reachable.
At the same time, H3 might be redirecting B to H1 if A is not
reachable, and we might have asymmetric routing.
This might screw the SPD on A and B if your SPD is strict 4301.
Yoav> IOW it should be a requirement that H1 (in the diagram of your
Yoav> previous mail) be able to send more information about the
Yoav> topology behind H2 than just "B is behind H2", such as "D and
Yoav> H3 are also behind H2". But A should be required to not expect
Yoav> it.
Yoav> So H1 MUST be able to tell A that B is behind H2. It MAY be
Yoav> able to tell A that D is also behind H2, or that B is actually
Yoav> behind H3, or the actual address of B.
So, you just created a requirement for H1<->H2 communication :-)
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
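The four cases above differ in two knobs: whether a redirect must name the real endpoint (Q1, which decides with whom A ends up with an SA) and whether A may be redirected more than once (Q2). The following is an added example, not code from this thread, the IETF IPsec working group or any IKE implementation: a small Python model that follows a redirect chain under a chosen (Q1, Q2) policy, reports which peers A would set up an SA with, and refuses a second redirect when only one is permitted or a chain that loops back on itself. The gateway names (H1, H2, H3, B), the topology table and the hop bound are assumptions made up for illustration.

```python
"""Toy model of the redirect cases argued in the thread above.

Added example: not code from the thread or any IKE implementation.
Gateway names, the topology tables and the hop bound are assumptions.
"""
from dataclasses import dataclass


class RedirectError(Exception):
    """A redirect chain violated the policy being modelled."""


@dataclass
class RedirectModel:
    # gateway -> gateway it redirects the initiator to; None means terminal.
    topology: dict
    # Q1: must a redirect name the real endpoint (so no SA with intermediates)?
    final_required: bool
    # Q2: may the initiator be redirected more than once?
    multiple_allowed: bool
    # Assumed safety bound so a misconfigured or hostile chain cannot run forever.
    max_hops: int = 8

    def resolve(self, start: str) -> tuple:
        """Follow redirects from `start` and return (final_endpoint, path).

        Raises RedirectError on a second redirect when only one is permitted,
        on a loop (a gateway seen twice), or when max_hops is exceeded.
        """
        path = [start]
        seen = {start}
        hop = start
        while self.topology.get(hop) is not None:
            nxt = self.topology[hop]
            if len(path) >= 2 and not self.multiple_allowed:
                raise RedirectError(
                    f"{hop} redirected again to {nxt}; only one redirect is permitted")
            if nxt in seen:
                raise RedirectError(f"redirect loop: {' -> '.join(path + [nxt])}")
            if len(path) > self.max_hops:
                raise RedirectError(f"more than {self.max_hops} redirects")
            path.append(nxt)
            seen.add(nxt)
            hop = nxt
        return hop, path

    def sa_peers(self, path: list) -> list:
        """Peers the initiator would set up an SA with along `path`.

        Cases 1 and 2 (final_required): only the final endpoint.
        Cases 3 and 4: every hop the initiator was sent to, since it sends
        traffic there before any further redirect arrives.
        """
        targets = path[1:] or [path[0]]  # no redirect at all: SA with the first gateway
        return targets[-1:] if self.final_required else targets


def outcome(model: RedirectModel, start: str) -> str:
    """Convenience wrapper that turns resolve() into a single string."""
    try:
        _final, path = model.resolve(start)
        return "ok:" + " -> ".join(path)
    except RedirectError as err:
        return "error:" + str(err)


if __name__ == "__main__":
    # Constructed topology: H1 -> H2 -> H3 -> B, with B terminal.
    chain = {"H1": "H2", "H2": "H3", "H3": "B", "B": None}
    for q1, q2 in ((True, True), (True, False), (False, True), (False, False)):
        model = RedirectModel(chain, final_required=q1, multiple_allowed=q2)
        print(f"Q1={q1} Q2={q2}: {outcome(model, 'H1')}")
    # Constructed hostile/misconfigured topology that loops.
    loop = RedirectModel({"H1": "H2", "H2": "H1"}, final_required=False, multiple_allowed=True)
    print("loop:", outcome(loop, "H1"))
```

Running it shows case 1 reaching B with an SA only to B, case 3 reaching B with SAs to H2, H3 and B along the way, case 2 and case 4 stopping at H2's second redirect, and the looping topology being rejected rather than followed forever; that last check is the one a real implementation wants regardless of which case the working group picks.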
