[89195] in North American Network Operators' Group
Re: shim6 @ NANOG
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Sun Mar 5 09:51:44 2006
In-Reply-To: <440AC6FC.9060307@eng.pipex.net>
Cc: Joe Abley <jabley@isc.org>,
Matthew Petach <mpetach@netflight.com>,
North American Noise and Off-topic Gripes <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Sun, 5 Mar 2006 15:51:12 +0100
To: Ian Dickinson <iand@eng.pipex.net>
Errors-To: owner-nanog@merit.edu
On 5-mrt-2006, at 12:09, Ian Dickinson wrote:
> As an irrelevant aside, when someone comes up with a way to
> firewall/acl shim6, how much breaks?
The idea is that there will be a shim6 header that can do two things:
carry shim6 signalling and carry data packets with rewritten
addresses after a rehoming. Since data packets with rewritten
addresses can only occur after there have been shim6 signalling
packets on the same path, filtering out packets with the shim6 header
on the initially chosen path makes it impossible for the shim state
to be created so there is no multihoming. If shim packets are allowed
on the initially chosen path but not on the backup path, shim6
(un)reachability detection won't work over the backup path so the
backup path will be considered broken and won't be used.
In other words: you fall back to single homing without ill effects.
Of course having a TCP session or the like change addresses halfway
through the session may throw stateful firewalls a bit.
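Added example, not part of the thread: a small Python classifier that walks an IPv6 extension-header chain to spot the shim6 header (IANA protocol number 140, RFC 5533) and tells payload headers (P bit clear, 47-bit context tag) from control messages (P bit set, 7-bit type), which is the check a per-path ACL in the sense of the mail would need; `acl_permits` and `multihoming_outcome` are assumed helper names, and the sample packets are constructed, not captured.

```python
import struct

IPPROTO_SHIM6 = 140          # IANA protocol number for the shim6 header (RFC 5533)
EXT_GENERIC = {0, 43, 60}    # hop-by-hop, routing, destination options
EXT_FRAGMENT = 44            # fragment header: fixed 8 octets

def classify_shim6(packet: bytes) -> tuple:
    """Walk the IPv6 extension-header chain. Returns ("payload", context_tag),
    ("control", msg_type), ("none", None), or ("short", None) if truncated."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = packet[6], 40
    while True:
        if nh == IPPROTO_SHIM6:
            if len(packet) < off + 8:
                return ("short", None)
            h = packet[off:off + 8]
            if h[2] >> 7 == 0:                       # P bit clear: payload extension header
                return ("payload", int.from_bytes(h[2:8], "big") & ((1 << 47) - 1))
            return ("control", h[2] & 0x7F)          # P bit set: control message, 7-bit type
        if nh in EXT_GENERIC:                        # Hdr Ext Len in 8-octet units, first 8 excluded
            if len(packet) < off + 2:
                return ("short", None)
            nh, off = packet[off], off + (packet[off + 1] + 1) * 8
        elif nh == EXT_FRAGMENT:
            if len(packet) < off + 8:
                return ("short", None)
            nh, off = packet[off], off + 8
        else:
            return ("none", None)

def acl_permits(packet: bytes, allow_shim6: bool) -> bool:
    """Per-path ACL (assumed helper): drop anything carrying a shim6 header unless allowed."""
    return allow_shim6 or classify_shim6(packet)[0] == "none"

def multihoming_outcome(initial_path_allows: bool, backup_path_allows: bool) -> str:
    """The two failure modes described in the mail, as a decision table."""
    if not initial_path_allows:
        return "single-homed: shim6 state is never established"
    if not backup_path_allows:
        return "single-homed: backup path fails shim6 reachability detection"
    return "multihomed"

# Constructed sample packets (2001:db8::1 -> 2001:db8::2), not captured traffic.
_SRC = bytes.fromhex("20010db8000000000000000000000001")
_DST = bytes.fromhex("20010db8000000000000000000000002")
def _ipv6(nh: int, body: bytes) -> bytes:
    return b"\x60\x00\x00\x00" + struct.pack("!HBB", len(body), nh, 64) + _SRC + _DST + body

TCP_STUB = b"\x00" * 20
SHIM6_PAYLOAD_PKT = _ipv6(IPPROTO_SHIM6, bytes([6, 0]) + (0x1234).to_bytes(6, "big") + TCP_STUB)
SHIM6_I1_PKT = _ipv6(IPPROTO_SHIM6, bytes([59, 1, 0x81, 0]) + b"\x00" * 12)  # control type 1 (I1)
PLAIN_TCP_PKT = _ipv6(60, bytes([6, 0, 1, 4, 0, 0, 0, 0]) + TCP_STUB)       # dest-opts (PadN), then TCP
```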