On Fri, Jul 22, 2011 at 12:04 PM, Dino Farinacci <[email protected]> wrote:
>> So we are thinking of putting some data-plane authentication in which we
>> can talk about later. This is work in progress and nothing has been
>> published yet.
>
> How might this work without the ETR being required to do look-ups in order to perform the authentication check?

> This is where you need a firewall (at the access SP) to do mapping database
> lookups to verify the (source-EID, source-RLOC) binding.
>

I'm not clear on what you are suggesting. Certainly it will not be the case that "native Internet" service providers will gain the ability to peek into LISP inner-headers and do any kind of check.

> Also, we do have data-plane gleaning in an ETR specified in the spec. So
> the packet could be accepted in an ETR, source-EID and RLOC gleaned, and
> when the SYN-ACK is returned, the map-cache can be verified. That way, you
> put the mapping database lookup in the place where it is already being done
> for other reasons.
>

You are describing a case where the ETR is also the ITR?

--
Jeff S Wheeler <[email protected]>
Sr Network Operator / Innovative Network Concepts
_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
