Re: [DNA-BOF] Draft charter now online
Greg Daley wrote:
> Hi Spencer and JinHyeock,
>
> CHOIJINHYEOCK wrote:
>
>>Dear Spencer
>>
>>
>>
>>>Re: choice of phrase, perhaps an "IP Network Attachment"?
>>
>>
>>I guess that Attachment is better than Connection.
>>
>>
>>
>>>Re: meaning of phrase, I'm still confused on where DNA is between
>>>"send and receive IP packets with *any* other node" and "send and
>>>receive IP packets with *at least one* other node". I've seen postings
>>>saying that if we can only send IP packets to an authentication
>>>server, we *are* connected/attached, and I've seen postings saying
>>>that we *are not* connected/attached. Is this something we have
>>>consensus on yet?
I think there are just two different models.
>>
>>You catch me at the weak spot. :-). I still don't have a clear idea how
>>we incorporate the Authentication part into DNA work.
>>
>>IMHO, to be called attached, at least, a node should have a global IP
>>address, a default router and other per-interface parameters in RA,
>>for example, link MTU, Reachable Time et cetera.
>
>
> I think that we have to be careful to distinguish between
> the ability to send datagrams, and the configuration
> being available in order to do so.
>
> If we arrive on the same IP subnet which we have been
> previously attached to (maybe a momentary disconnection),
> then we already have enough configuration to transmit
> to hosts within the link. Additionally we already have
> authentication configuration which allows us to transfer
> data off the link.
> (Although there are some difficult cases where not
> all hosts on the subnet are reachable from
> another link-instance which is part of that subnet....)
>
>
> In the case where we arrive on a new link-instance,
> but we are unaware of the subnet to which we are attached,
> we may not have valid global addresses, validated link-local
> addresses or the capability to send data off the link.
>
> I believe that our task is to determine that we've
> arrived on a new link, with a new IP subnet so that
> other processes can undertake the configuration.
> This means (for example) that if we don't need to
> configure the host's global address in DNA, then we
> leave it to the subsystem which is responsible for
> that (be it DHCPv6 or SAA). I'd guess the same applies
> to Authentication for off-link data transfer.
>
> So I guess we have IP connectivity (the ability to
> send and receive datagrams on the link, which I have been
> calling Network Attachment) and IP configuration,
> which entails appropriate Authentication, Addressing,
> and Routing for the subnet.
>
> My hunch is that the IP connectivity event (the network
> attachment) comes when the wire is plugged into the host,
> or the link-layer authentication is completed.
>
> I'd guess that link-local communications in some form
> are available by the end of the attachment detection phase
> (although if RFC-2462 DAD or IPv4 is being used, this may
> not be using a link-local unicast address...).
I think the above is roughly right. The trouble is that we
have two very different architectures:
1) Link layer authentication. In this case everything is ready
to go when you get the final "link up" notification from
the lower layer; you only need to figure out the IP
configuration and then you can send packets.
2) IP-layer authentication. This is the harder case. You get
to the network, get a "link up" notification. Then you do
DNA, figure out link local addresses, and start the
authentication process. Only then you can send packets.
But the question that is unclear to me is whether you can
really send link-local packets at this stage or not. In a way,
the authentication in such networks is made to prevent
Internet connectivity for non-authenticated & authorized
hosts. However, the details of what exactly is being allowed
before authentication may differ. Do you allow just the
communications with the local router and possible other
authentication related nodes? Or any link-local communications?
Say, if you connect over IPv6 to a network with a web-page
login screen -- are *all* your packets being redirected to the
login server, or just those with a global address? Some link
local communication appears necessary even for RD/ND.
But it would seem that full link-local communications capability
would open the following attack: my friend and I would go to
a hotspot, the friend would authenticate properly, get global
connectivity, and set up a link-local tunnel to me. Then I could
have global connectivity without authentication, through my
friend. This would be similar to having, say, an infrared connection
to my friend's machine and then wireless LAN access from
her machine. But here I'd be using just one interface, and route
all packets through the WLAN access point.
--Jari
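The two pre-authentication policies contrasted above (only the router and the login server reachable before authentication, versus any link-local traffic allowed) and the link-local tunnel through an authenticated friend, modelled as an added Python example. This is not code from the original thread or from any DNA document; the addresses, MAC strings, the "TUNNEL:" encapsulation format and the exact filter rules are all assumptions made for illustration.

```python
"""Toy model of the pre-authentication filter at a hotspot access point.

Constructed example: it encodes the two policies discussed in the thread and
checks whether an unauthenticated host can reach the Internet by tunnelling
through an authenticated friend on the same link.  Every address, MAC and
the encapsulation format below is invented for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

ROUTER = "fe80::1"                       # assumed link-local address of the local router
LOGIN_SERVER = "2001:db8::10"            # assumed address of the web login server
ND_MULTICAST = ("ff02::1", "ff02::2")    # all-nodes / all-routers, needed for RD/ND


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    payload: str


@dataclass
class AccessPoint:
    """Filter applied to frames arriving from wireless clients."""
    allow_any_link_local: bool
    authenticated: set = field(default_factory=set)

    def filter(self, pkt: Packet) -> str:
        """Return 'forward' or 'redirect' (to the login page) for one frame."""
        if pkt.src_mac in self.authenticated:
            return "forward"
        dst = ipaddress.ip_address(pkt.dst_ip)
        # Both policies must let router discovery / ND and the login exchange happen.
        if pkt.dst_ip in (ROUTER, LOGIN_SERVER) or pkt.dst_ip in ND_MULTICAST:
            return "forward"
        # Policy 2 only: any link-local destination passes before authentication.
        if self.allow_any_link_local and dst.is_link_local:
            return "forward"
        # Everything else from an unauthenticated client goes to the login page.
        return "redirect"


@dataclass
class Friend:
    """Authenticated host that decapsulates 'TUNNEL:<dst>|<payload>' and re-sends it."""
    mac: str
    link_local: str
    global_ip: str

    def relay(self, pkt: Packet):
        if pkt.dst_ip != self.link_local or not pkt.payload.startswith("TUNNEL:"):
            return None
        inner_dst, _, inner_payload = pkt.payload[len("TUNNEL:"):].partition("|")
        # The relayed packet carries the friend's own (authenticated) source.
        return Packet(self.mac, self.global_ip, inner_dst, inner_payload)


def tunnel_reaches_internet(allow_any_link_local: bool) -> bool:
    """Can an unauthenticated host reach 2001:db8::1 via its authenticated friend?"""
    ap = AccessPoint(allow_any_link_local=allow_any_link_local)
    friend = Friend(mac="00:00:5e:00:53:01", link_local="fe80::f", global_ip="2001:db8::f")
    ap.authenticated.add(friend.mac)            # the friend logged in properly
    me = "00:00:5e:00:53:02"                    # never authenticated
    outer = Packet(me, "fe80::a", friend.link_local, "TUNNEL:2001:db8::1|GET /")
    if ap.filter(outer) != "forward":
        return False                            # the link-local frame was sent to the login page
    inner = friend.relay(outer)
    return inner is not None and ap.filter(inner) == "forward"


def unauthenticated_can_do_nd(allow_any_link_local: bool) -> bool:
    """A router solicitation from an unauthenticated host must pass under both policies."""
    ap = AccessPoint(allow_any_link_local=allow_any_link_local)
    rs = Packet("00:00:5e:00:53:02", "fe80::a", "ff02::2", "RS")
    return ap.filter(rs) == "forward"


if __name__ == "__main__":
    for policy in (False, True):
        print(f"allow_any_link_local={policy}: "
              f"ND works={unauthenticated_can_do_nd(policy)}, "
              f"tunnel bypass={tunnel_reaches_internet(policy)}")
```

Under the restrictive policy the unauthenticated host can still solicit the router and reach the login server, but its frame to the friend's link-local address is redirected, so the tunnel never forms; under the permissive policy the same frame is forwarded and the friend's re-sent packet passes as authenticated traffic. The model deliberately allows the ND multicast groups in both cases, since, as noted above, some link-local traffic is needed for RD/ND whatever the policy.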