William Herrin <[email protected]> said:
On 2009-01-05 02:54, MARCELO BAGNULO BRAUN wrote:
3 - Problems with maintaining ACLs in other networks for hosts
using SHIM6.
I don't understand this one
Marcelo,
Shim6 has several weaknesses that can be revealed by comparing it to
the Strategy B criteria. This particular weakness is the lack of an
accompanying dynamic source routing protocol.
Unless the IGP in a Strategy B system moves packets first to a valid
exit for the source address and only then to the optimal exit for the
destination address, you end up with a nasty spoofing problem where
routers require extensive manual configuration to tell the difference
between a spoofed source address and a valid multiprefix source
address.
but this is not specific to shim6, but it is a general problem of
configuring multiple PA blocks from multiple ISPs that are performing
ingress filtering.
I mean, if you don't have shim6 and you configure multiple PA prefixes,
you end up in the same problem.
We have tried to address this problem in the shim6 wg, but the guidance
was that this was a general problem that was to be addressed in general
for IPv6, which hasn't been addressed yet.
Also, note that Proxy Shim6 does not suffer from this problem, since
the proxy rewrites the source address and can make it compliant with
the filters.
Regards, marcelo
Regards,
Bill Herrin
--
William D. Herrin ................ [email protected] [email protected]
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
--
----
MARCELO BAGNULO BRAUN
WebCartero
Universidad Carlos III de Madrid
_______________________________________________
rrg mailing list
[email protected]
https://www.irtf.org/mailman/listinfo/rrg
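
The interaction discussed in this message, between multiple PA prefixes and per-ISP ingress filtering, as an added example that is not part of the original thread. The prefixes, ISP names and routing table are constructed (documentation address space), and the function names are hypothetical.

```python
import ipaddress

# Constructed topology: each ISP delegates one PA prefix and ingress-filters on it.
ISP_PA = {
    "ISP-A": ipaddress.ip_network("2001:db8:a::/48"),
    "ISP-B": ipaddress.ip_network("2001:db8:b::/48"),
}
# Destination-only best exit, as a plain IGP would compute it (constructed).
BEST_EXIT = [
    (ipaddress.ip_network("2001:db8:ffff::/48"), "ISP-B"),
    (ipaddress.ip_network("::/0"), "ISP-A"),
]

def dest_exit(dst):
    """Longest-prefix match on the destination address only."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, isp) for net, isp in BEST_EXIT if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def source_exit(src):
    """Exit whose delegated PA prefix covers the source, or None."""
    src = ipaddress.ip_address(src)
    return next((isp for isp, pa in ISP_PA.items() if src in pa), None)

def ingress_accepts(isp, src):
    """ISP ingress filter: source must lie inside the prefix it delegated."""
    return ipaddress.ip_address(src) in ISP_PA[isp]

def forward(src, dst, source_aware):
    """Return (exit, verdict) for one packet leaving the multihomed site."""
    if source_aware:
        exit_isp = source_exit(src)  # valid exit for the source first
        if exit_isp is None:
            return (None, "dropped at site edge")
    else:
        exit_isp = dest_exit(dst)    # optimal exit for the destination only
    verdict = "accepted" if ingress_accepts(exit_isp, src) else "dropped by ingress filter"
    return (exit_isp, verdict)

if __name__ == "__main__":
    dst = "2001:db8:1234::1"
    for src in ("2001:db8:a::10", "2001:db8:b::10", "2001:db8:c::10"):
        for aware in (False, True):
            print(src, "source-aware" if aware else "dest-only", forward(src, dst, aware))
```

With destination-only forwarding, the valid ISP-B source and the out-of-site source get the same verdict at ISP-A's filter, so the filter alone cannot tell a multiprefix host from a spoofer.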