[rrg] Remote ACLs [Proposals which match rrgarchitectures.html pls check the page]
MARCELO BAGNULO BRAUN
marcelo at it.uc3m.es
Mon Jan 5 03:01:04 PST 2009
William Herrin <bill at herrin.us> said:
>> On 2009-01-05 02:54, MARCELO BAGNULO BRAUN wrote:
>>>> 3 - Problems with maintaining ACLs in other networks for hosts
>>>> using SHIM6.
>>> I don't understand this one
>
> Marcelo,
>
> Shim6 has several weaknesses that can be revealed by comparing it to
> the Strategy B criteria. This particular weakness is the lack of
> accompanying dynamic source routing protocol.
>
> Unless the IGP in a strategy B system moves packets first to a valid
> exit for the source address and only then to the optimal exit for the
> destination address, you end up with a nasty spoofing problem where
> routers require extensive manual configuration to tell the difference
> between a spoofed source address and a valid multiprefix source
> address.
But this is not specific to shim6; it is a general problem of
configuring multiple PA blocks from multiple ISPs that are performing
ingress filtering.
I mean, if you don't have shim6 and you configure multiple PA prefixes,
you end up with the same problem.
We have tried to address this problem in the shim6 wg, but the guidance
was that this was a general problem that was to be addressed in general
for IPv6, which hasn't been addressed yet.
Also, note that Proxy Shim6 does not suffer from this problem, since
the proxy rewrites the source address and can make it compliant with
the filters.
Regards, marcelo
>
> Regards,
> Bill Herrin
>
>
> --
> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
>
--
----
MARCELO BAGNULO BRAUN
WebCartero
Universidad Carlos III de Madrid
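The exchange above turns on one mechanism: an upstream that ingress-filters only accepts packets whose source lies in the PA block it delegated, so a multi-prefix site that picks its exit by destination alone will have legitimate packets dropped, and a site that picks its exit by source needs to know its own delegated prefixes anyway. The following simulation is an added example, not code from the thread or from any shim6 implementation; the prefixes, the destination preferences and the "proxy rewrite" helper are constructed for illustration. It models both exit-selection policies against a BCP38-style upstream filter, and the Proxy Shim6 variant where the source prefix is rewritten to match the chosen exit.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed topology (an assumption for this example, not from the thread):
# one multihomed site, two upstreams, each of which delegated one PA /48.
UPSTREAM_PREFIX = {
    "ISP-A": ipaddress.ip_network("2001:db8:a::/48"),
    "ISP-B": ipaddress.ip_network("2001:db8:b::/48"),
}

# Constructed destination-based preferences of the site's IGP: the "optimal"
# exit for a destination, chosen without looking at the source address.
DEST_PREFERRED_EXIT = {
    ipaddress.ip_network("2001:db8:100::/48"): "ISP-A",
    ipaddress.ip_network("2001:db8:200::/48"): "ISP-B",
}


def ingress_filter_accepts(isp: str, src: ipaddress.IPv6Address) -> bool:
    """BCP38-style check at the upstream's edge: the only legitimate source
    on this link is the PA block that upstream delegated to the site."""
    return src in UPSTREAM_PREFIX[isp]


def exit_for_source(src: ipaddress.IPv6Address) -> Optional[str]:
    """Source-based exit selection: send via the upstream that owns the
    source prefix. A source outside every delegated prefix is either spoofed
    or misconfigured, and the site edge can drop it without per-router ACLs."""
    for isp, prefix in UPSTREAM_PREFIX.items():
        if src in prefix:
            return isp
    return None


def exit_for_destination(dst: ipaddress.IPv6Address) -> str:
    """Destination-only exit selection, as an ordinary IGP would do it."""
    for prefix, isp in DEST_PREFERRED_EXIT.items():
        if dst in prefix:
            return isp
    return "ISP-A"  # constructed default route


def rewrite_prefix(addr: ipaddress.IPv6Address,
                   prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Keep the host part of addr, replace the routing prefix with `prefix`
    (the rewrite a Proxy Shim6-style device would apply on the way out)."""
    host_bits = 128 - prefix.prefixlen
    host_part = int(addr) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(prefix.network_address) | host_part)


def forward(src_str: str, dst_str: str, policy: str,
            proxy: bool = False) -> Tuple[Optional[str], str, bool]:
    """Simulate one packet leaving the site.

    Returns (exit upstream or None if dropped at the site edge,
             source address actually put on the wire,
             whether the upstream's ingress filter accepted it)."""
    src = ipaddress.ip_address(src_str)
    dst = ipaddress.ip_address(dst_str)
    if policy == "destination":
        exit_isp = exit_for_destination(dst)
    elif policy == "source":
        exit_isp = exit_for_source(src)
        if exit_isp is None:
            return (None, src_str, False)  # dropped before reaching an upstream
    else:
        raise ValueError("unknown policy: %s" % policy)

    sent_src = src
    if proxy:
        # Proxy rewrite: make the source compliant with the chosen exit's filter.
        sent_src = rewrite_prefix(src, UPSTREAM_PREFIX[exit_isp])
    return (exit_isp, str(sent_src), ingress_filter_accepts(exit_isp, sent_src))


if __name__ == "__main__":
    # A host using its ISP-B address talks to a destination the IGP prefers via ISP-A.
    for policy, proxy in (("destination", False), ("source", False), ("destination", True)):
        print(policy, "proxy" if proxy else "no-proxy",
              forward("2001:db8:b::1", "2001:db8:100::1", policy, proxy))
    # A source that belongs to neither delegated prefix.
    print("spoofed/source", forward("2001:db8:dead::1", "2001:db8:100::1", "source"))
```

Run as a script it prints the three outcomes for the same packet: destination-only selection hands an ISP-B-sourced packet to ISP-A, which discards it; source-based selection sends it out ISP-B, where it passes; the proxy variant keeps the ISP-A exit but rewrites the source into ISP-A's block. The last line shows the source-based policy rejecting a non-delegated source at the site edge, which is the check that otherwise has to be configured by hand on each router.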