rust simple address based authentication for serious security.
--
Andrew White[EMAIL PROTECTED]
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive:
allocating authority and installation into
the network) of a global with all the scoping issues of a site local. Why
not just get a true global?
--
Andrew White[EMAIL PROTECTED]
IETF IPng Working Group Mailing List
n (hosted on a site-local nameserver) provide both local and
global addresses, while queries to a global domain provide only global
addresses.
--
Andrew White[EMAIL PROTECTED]
IETF IPng Working Group Mailing List
IPng
echanism (think NAT). I'm assuming that
global connectivity is via true global addressing, and that hosts need to be
able to play nice in a situation where they have both site (restricted) and
global (unrestricted) scoped addresses available.
--
Andrew White[EMAIL PROTECTED]
orks at least as well as a global
address.
(b) Outside a site, a site local address DOES NOT WORK. I'd say "MUST NOT
WORK", but that is a little hard to enforce.
(c) Given (b), the issues with site locals are about address selection where
there are both global and local addresses
must not leak outside the tunnel. Though
there are probably better ways to do this than using site locals.
Does this seem a fair summary of principles thus far?
--
Andrew White[EMAIL PROTECTED]
IETF IPng
cordingly. Alternatively, the user has to
make sure that the purity of the site is preserved. Both options have
drawbacks.
Using unique addresses and prefixes removes the non-uniqueness problem
(addresses moved outside their intended scope simply fail), but reintroduces
the need for administrati
-scoped DNS itself be addressable only by a site-scoped
address. Otherwise, you breach the principle that a site local address MUST
NOT exist outside the site.
>From this, it follows that the DNS is topologically located inside the site.
--
s 'preferred'
lifetime.
Though there is the problem of how long to cache an address for.
--
Andrew White[EMAIL PROTECTED]
IETF IPng Working Group Mailing List
IPng Home Page: http://play
#x27;dial-up' or
'mobile' neworks with changing global prefixes that may or may not exist).
And thus why I think the deployment issues ultimately boil down to:
(1) filters on routers
(2) address selection on hosts
al thought:
Whatever the outcome of the site local discussions, renumbering will remain
a serious problem under IPv6, that needs to be considered. Making
renumbering easier is a hard problem, but a good solution will help reduce a
variety of other problems.
--
Andr
ilt (experimental) networks that rely on this functionality. And
it's possible to apply most of these mechanisms for globals too.
--
Andrew White[EMAIL PROTECTED]
IETF IPng Working Group Mailing L
needed.
- Can work easily in parallel with fully administered addressing schemes.
- Fixed and deterministic. Unless you move or manually reconfigure
something, the addresses won't change. Ever.
--
Andrew White[EMAIL PROTECTED]
matically generated from a 50+ bit space.
A draft has been written and is working its way through a review process.
Hopefully that will make things clearer.
--
Andrew White[EMAIL PROTECTED]
IETF IPng Working
t; of thousands of prefixes is possible. So it may be
> philosophically unsettling, but I don't think it is
> operationally unsettling.
I freely admit my experience with routing tables is insufficient to know
where this cut-off is, but the gist I've been getting is 'hund
or wishes it.
/48 is a convenient mark for a logical entity: the 'end-user' network. In
practice, these vary radically in size and may be further subdivided, so /48
is merely a useful convention.
--
Andrew White[EMAIL PROTECTED]
erent perspective and commentary on some points. The main
difference is moving some of the free bits from the 'area' field (high bits
above the EUI) to a sub-id field below the EUI, to allow a router to use a
single EUI-48 to service multiple interfaces or links.
--
Andrew White
managed. However, at the client and application level,
most site-local alternatives suggested here (everything except fully
provider independent routed addresses, without address-based filtering) fall
foul of the same problems as site local addresses themselves.
--
Andrew White[
er may imply fixing DNS mappings to cope with host address
changes.
The core advantage is that you can assign a unique prefix to every subnet
without needing to know about anything other than the router interface that
manages the subnet. In some environments this is a significant ad
same addresses.
There are a few situations where site-local addresses are very useful. If
used outside those situations, they do not impose significant additional
pain on applications. Applications already need to consider multiple
addresses that may not be completely interchang
bitrary address, then you may have ambiguity that matters,
rather than ambiguity that doesn't.
I'm all in favour of an 'SL considered harmful'. However, there are several
situations were SL is exactly what is appropriate, and it seems an odd
philosophy to deprecate power-saws
sses.
Of course, this policy will potentially be inappropriate for applications
that do address forwarding across a site boundary, but I'd argue that these
are the special case. Apps that do address forwarding NOT across a site
boundary will be happy with
ecent IETF
seems to differ in some small but significant ways) and in agreement with
Tony Hain's recent draft.
Finally, I've seen several decent enhancements for some perceived SL
issues. I haven't seen satisfactory alternatives for the key SL deployment
scenarios.
--
Andrew Wh
bout how FEC0::/10 addresses are to
be allocated. All it does is reserve the space as 'not globally routeable'
and put policies in place to stop this information getting where it
shouldn't.
--
Andrew White[EMAIL PROTECTED]
he
domain name and for the host to rank all source-dest pairs and then iterate
in order. The app may wish to specify some timeouts (eg try no more than 3
dest addrs and no more than 3 sources per addr).
(Note: this latter problem is orthogonal to the local address
than
one logical subnet simultaneously).
The second definition is being referred to above.
--
Andrew White[EMAIL PROTECTED]
IETF IPng Working Group Mailing List
IPng Home Page: http://playgroun
estination address pairs until one succeeds. A source
address selection compliant gethostbyname will return the destinations in
preferred order (taking into account available source addresses). There is
an implementation question on what order the two dimensional destination and
source spa
ere
FEC0:://10 exists and doesn't. Of course, some applications will override
this and say "no, don't give me an FEC0:://10". The convenient property is
that applications can care if they want to, and otherwise can remain
ignorant.
The second
x27;home router / gateway' I have one port coloured red and placed on one
side of the box. This says 'uplink'. The other ports are on the other side
of the box and are labelled 'internal'. The rest follows from there.
Especially since all my 'home router / gatewa
ckets to leave 'our' network). I want hosts in my network
to prefer global addresses when talking externally.
- I want my local addresses filtered at appropriate borders, preferably
without having to set it up myself.
- The ISPs probably want my local addresses filter
Pekka Savola wrote:
>
> Just responding to a few points..
>
> On Thu, 7 Aug 2003, Andrew White wrote:
> > When that 6to4 address goes away, I don't want my persistent sessions
> > to be forced to maintain a stale address.
>
> Why not? There's no prob
Tony Hain wrote:
>
> Andrew,
>
> Would you mind if we put this sequence in the requirements doc?
Not at all - my pleasure.
--
Andrew White
IETF IPng Working Group Mailing List
IPng Home Page:
rk ambiguity is largely irrelevant - the connection succeeds or it
doesn't (remember that most nodes have a unique interface id). Rather,
ambiguity is a big bugbear for network merging.
--
Andrew White
IETF I
similar address. Which looks surprising like local-local, then
global-global (or try both at the same time).
--
Andrew White
IETF IPng Working Group Mailing List
IPng Home Page: http://playgroun
g another.
This discussion is increasingly degenerating into people who say "I refuse
to believe it would ever work or why someone would want to do it" and those
who can point to working deployment scenarios.
--
Andrew White
---
e outside the filter it won't work. How quickly you
detect this depends on whether your router returns an error or just silently
discards the packet.
--
Andrew White
IETF IPng Working Group Mailing List
IPng Home Page:
iding disincentive for using them as *globally* routeable PI,
and allows applications to favour local prefixes when available.
--
Andrew White
IETF IPng Working Group Mailing List
IPng Home Page: http:/
ur most likely candidate for
a working connection.
--
Andrew White
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/
tination
> addresses are not of the same scope.
I think this is unnecessarily stringent. Certainly nodes should prefer not
to send packets with non-matching 'scopes' (see "default address
selection"), but I don't see it as an error condition to do s
there won't be more than a few hundred
of them? (removes tongue from cheek)
--
Andrew White
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive:
antee that each physical interface
device has a unique MAC.
Which would imply that a link-local addressed based on a MAC is in fact
globally unique, by definition?
What have I missed?
--
Andrew White
IETF IPng Working
can be forwarded at-will,
unless provided with additional (configured?) information that would support
this assumption.
* Applications that do not care to do their own address management need a
higher level abstraction to the current s
is when you're in a
overlaid world, but then I'd suggest that it's the job of the person running
the application to determine which world the application should prefer.
--
Andrew White
IETF IPng Working Group Mai
to have short lifetimes and the
application plans a long-lived connection.
* using link-local addresses in an environment where a device could move
between links yet meaningfully keep a constant higher-level address.
--
Andrew White
---
I can say
is that it is not-A.
--
Andrew White
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct
The easy (only?) way to
ensure that alternative methods are cross-wise unique is to allocate a
different prefix for each method, in much the same way as the global
fc00::/8 and local fd00::/8 prefixes have been done.
--
Andrew White
---
local packets
to timeout more quickly?
--
Andrew White
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct
Dan Lanciani wrote:
>
> Andrew White <[EMAIL PROTECTED]> wrote:
>
> |Dan Lanciani wrote:
> |
> |> There is a huge difference between requiring a /48 and allowing anything
> |> greater than /8. The former ...
> |> while the latter means that you can bypas
g a global for the same purpose.
The core benefit of local addresses is independence from address allocation
authorities (and thus a degree of stability). The price is
non-routeability.
--
Andrew White
IETF IPng Working Group
49 matches
Mail list logo
