Presentation is loading. Please wait.

Presentation is loading. Please wait.

SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.

Published byFelicity Bradley Modified over 9 years ago

Similar presentations

Presentation on theme: "SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark."— Presentation transcript:

1 SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark

2 The Multi6 Problem how to support IPv6 end-site configurations that have multiple external connections to support application-level session resiliency across connectivity failure events how to use IPv6 multi-addressing and connection-based address aggregates to avoid overloading the routing system with site-based specific address advertisements

3 The SHIM6 Approach host-based solution (rather than host / router interaction) network layer approach – per host pair (rather than transport – per session) discoverable negotiated capability (rather than a new protocol service) no new identifier space

4 Shim6 From http://www.shim6.org

5 Transport IP LOCATORS IDENTIFIERS SHIM Initial Contact No SHIM state active Locator Selection using RFC3484 Locators and Identifiers are Equivalent

6 Transport IP LOCATORS IDENTIFIERS SHIM SHIM6 Activation SHIM active Current Locator Sets exchanged Locators and Identifiers are Equivalent [context]

7 Transport IP LOCATORS IDENTIFIERS SHIM SHIM6 Locator Failure and Recovery Detect locator failure Explore for functioning locator pair Use new locator pair – preserve identifier pair Reachability Exchange [context]

8 SHIM6 Control Elements initial handshake (4-way) and locator set exchange locator list updates explicit locator switch request keepalive reachability probe exchange No-Context error exchange

9 SHIM6 Proto Issues Interaction with IPSEC BITW –Case where IPSEC is applied at the interface –Solution: implement part of shim6 proto in the BITW Is this an extension to SHIM6 decoders allowing variable Shim6 / IPsec header processing depending on header ordering? –It is possible to put shim6 on top of IPSec, maybe suboptimal (IKE for each locator pair) IPSec Transport mode vs. IPSec Tunnel mode This is not IPSec security for shim6 signalling

10 SHIM6 Proto Issues Provide shim6 security based on IPSec SAs –Option 1: use certificates with ULIDs in them How do you issue this certificates –Address autoconf, DHCP, Revocation –Option 2: use pre-existent IPSec trust relationships Still need to change IPSec so that SAs are dynamically created when a locator pair changes This is functionally what mobike does…

11 SHIM6 Proto Issues Support for multiple ULID security mechanisms –Already have HBA, CGA HBA/CGA hybrids –Is the protocol spec already sufficiently modular wrt ULID security? –Do we need to support other security mechanisms DNS SSL certificates –Do we need to support different security for client and server? –Do we need error messages to express no support for a sec mechanism? See key length section… DoS attacks based on exhausting the 2^47 context tag space –Would the 4-way handshake enough to protect this?

12 SHIM6 Proto Issues About forking –The whole point of shim6 is to make locator transparent to ULP, then why forking? –Examples of apps using forking –Transport Area AD request for support for different transports Allowing a shim6 host to continue using a renumbered prefix may create confusion and security issues –Proposal: remove recommendation about keeping shim6 context even if the prefix was renumbered Shim6 protocol should define minimum CGA key length? –What would be the minimum length? –Do we need to define an error message for different security mechanisms/key lengths? Currently ICMP parameter problem in the UPDATE case and silent discard in I2/R2 case Define the BROKEN flag

13 SHIM6 HBA Issues IPR Concerns –IPR statements on CGA with potential HBA relevance have been clarified to the WG Use of protocol structures that are compatible with CGA –Is this acceptable to the WG? IANA Considerations –Is “CGA Extension Type” a new IANA registry? RFC 4581 creates the CGA Extension type registry Security Considerations –Is the “Interaction with ISPEC” section finished? –Is the “SHA-1 Dependency” section finished? –draft-bagnulo-multiple-hash-cga-00 SECDIR review: added motivation, overview and threat model section Other Issues?

14 SHIM6 Failure Detection Issues Have all the identified issues been addresses in the -06 version of this draft?

15 Shim6 WG Last Call Is the WG ready to pass these 3 base drafts to the IESG for publication as Proposed Standard?

Download ppt "SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark."

Similar presentations

ID / LOC Split - Basic Approach Sender A Receiver B src = ULID(A) dst = ULID(B) src = ULID(A) dst = ULID(B) src = Loc(A) dst = Loc(B) src = Loc(A) dst.

ID / LOC Split - Basic Approach Sender A Receiver B src = ULID(A) dst = ULID(B) src = ULID(A) dst = ULID(B) src = Loc(A) dst = Loc(B) src = Loc(A) dst.
Approaches to Multi-Homing for IPv6 An Architectural View of IPv6 MultiHoming proposals Geoff Huston 2004.

Approaches to Multi-Homing for IPv6 An Architectural View of IPv6 MultiHoming proposals Geoff Huston 2004.
SHIM6 Update Geoff Huston Kurtis Lindqvist SHIM6 co-chairs.

SHIM6 Update Geoff Huston Kurtis Lindqvist SHIM6 co-chairs.
1 An Update on Multihoming in IPv6 Report on IETF Activity IPv6 Technical SIG 1 Sept 2004 APNIC18, Nadi, Fiji Geoff Huston.

1 An Update on Multihoming in IPv6 Report on IETF Activity IPv6 Technical SIG 1 Sept 2004 APNIC18, Nadi, Fiji Geoff Huston.
Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Multihoming in IPV6 Habib Naderi Department of Computer Science University of Auckland.

Multihoming in IPV6 Habib Naderi Department of Computer Science University of Auckland.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
1 Address Selection, Failure Detection and Recovery in MULTI6 draft-arkko-multi6dt-failure-detection-00.txt Multi6 Design Team -- Jari Arkko, Marcelo Bagnulo,

1 Address Selection, Failure Detection and Recovery in MULTI6 draft-arkko-multi6dt-failure-detection-00.txt Multi6 Design Team -- Jari Arkko, Marcelo Bagnulo,
Network Localized Mobility Management using DHCP

Network Localized Mobility Management using DHCP
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.

Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,

IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
1 © 2005 Nokia mobike-transport.ppt/2005-11-09 MOBIKE Transport mode usage and issues Mohan Parthasarathy.

1 © 2005 Nokia mobike-transport.ppt/ MOBIKE Transport mode usage and issues Mohan Parthasarathy.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

Similar presentations

Ads by Google