[Geopriv] HELD guidance for IP address ID

From: Stark, Barbara <bs7652@att.com>
Date: Wed Nov 07 2007 - 10:52:17 EST

So, it sounds like there's some general consensus that people want usage
guidance for HELD, especially as it relates to VPNs and NATs, with IP
address as the ID.

Brian originally proposed the following text:
"Use of HELD is subject to the viability of the identifier used by the
LIS to determine location. This document describes the use of the IP
address of the client as the identifier. When a NAT, VPN or other form
of address modification occurs between the client and the server, the
location may be inaccurate. This is not always the case. For example, a
NAT used in a residential local area network is typically not a problem,
because the external IP address used on the WAN side of the NAT is in
fact the right identifier for all of the devices in the residence. On
the other hand, if there is a VPN between the client and the server, for
example for a teleworker, then the address seen by the server may not be
the right one to identify the location of the client. Where a VPN is
deployed, clients often have the ability to bypass the VPN for a
transaction like HELD."

I think this is a good start. I didn't like his suggested device
requirements that followed this text, so I propose the following
additional text. If you like the recommendations but want normative
language, feel free to modify.

To minimize the impact of VPNs that do not support split tunneling,
endpoints using IP address as the HELD identifier need to do their HELD
query prior to establishing a VPN tunnel.

Devices that can establish VPN connections for use by other devices
inside a LAN or other closed network should act as a HELD LIS for those
other devices. To accomplish this, such VPN devices that also act as a
DHCP server will need to send their IP address or local domain name to
devices in response to a DHCP option requesting the LIS server address
[reference to LIS discovery doc]. It may also be useful for such VPN
devices to act as a LIS for other location configuration options
[reference to DHCP options and LLDP-MED]. These VPN devices may support
HELD from a client perspective as well. In this case, they will need to
do the HELD query prior to establishing a VPN tunnel.

To minimize the likelihood of incorrect location being delivered to
endpoints accessing the LIS from a VPN connection or a NAT that serves a
large geographic area or multiple geographic locations (for example, a
NAT used by an enterprise to connect their private network to the
Internet), the LIS needs to be configurable to know which IP addresses
are served by such VPNs or NATs. The HELD LIS must not deliver location
to devices at these IP addresses.

LIS operators have a large role in ensuring the best possible
environment for HELD. The LIS operator needs to ensure that the LIS is
properly configured with IP addresses that serve NATs and VPNs. If it is
the intent of the LIS operator to serve devices behind a NAT that serves
a large geographic area or multiple geographic locations, then the LIS
operator needs to place the LIS to operate on the same side of the NAT
as the devices.


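The LIS-side policy proposed in the message above (a LIS configured with the address ranges behind wide-area NATs and VPN concentrators, refusing location for those while still answering residential NAT addresses, and a second LIS instance placed on the private side of an enterprise NAT) can be sketched as a small policy module. This is an added example, not code from the original post, from the HELD drafts, or from any LIS product. The prefixes, location labels and building names are constructed for illustration; the error codes `notLocatable` and `locationUnknown` and the `<error>` element shape follow the HELD specification as later published (RFC 5985) and are an assumption relative to the 2007 draft under discussion. Exclusion prefixes are checked before any locatable prefix, so an enterprise NAT egress address that happens to sit inside a larger access-network prefix is still refused.

```python
"""Toy HELD LIS address policy (example code, not from the page or any RFC)."""
import ipaddress
from xml.sax.saxutils import escape

HELD_NS = "urn:ietf:params:xml:ns:geopriv:held"  # HELD namespace (RFC 5985)


class Lis:
    def __init__(self, locatable, not_locatable):
        # locatable: {prefix: location label} for access networks where the
        # source address really does identify one physical location
        # (a residential line's WAN address, an enterprise building subnet).
        self.locatable = {ipaddress.ip_network(p): loc
                          for p, loc in locatable.items()}
        # not_locatable: prefixes behind a wide-area NAT or a VPN concentrator,
        # where one address stands for many locations. Configured by the
        # LIS operator, as the message above recommends.
        self.not_locatable = [ipaddress.ip_network(p) for p in not_locatable]

    def locate(self, source_ip):
        """Return ('location', label) or ('error', held_error_code)."""
        ip = ipaddress.ip_address(source_ip)
        # Exclusion check first: a VPN pool or enterprise NAT egress address
        # must never be answered, even if a broader locatable prefix covers it.
        if any(ip in net for net in self.not_locatable):
            return ("error", "notLocatable")
        matches = [net for net in self.locatable if ip in net]
        if not matches:
            return ("error", "locationUnknown")
        # Longest-prefix match: a per-line /32 beats the access-network prefix.
        best = max(matches, key=lambda net: net.prefixlen)
        return ("location", self.locatable[best])

    def respond(self, source_ip):
        """Render the decision as a minimal HELD-style XML body (assumed shape)."""
        kind, value = self.locate(source_ip)
        if kind == "error":
            return (f'<error xmlns="{HELD_NS}" code="{value}">'
                    f'<message xml:lang="en">{escape(self._reason(value))}</message>'
                    f'</error>')
        # A real LIS would return a PIDF-LO document here; the label stands in.
        return f'<locationResponse xmlns="{HELD_NS}"><!-- {escape(value)} --></locationResponse>'

    @staticmethod
    def _reason(code):
        return {
            "notLocatable": "address is a VPN or wide-area NAT egress; "
                            "query the LIS on your own side of the tunnel/NAT",
            "locationUnknown": "address not served by this LIS",
        }[code]


# Constructed deployment 1: an ISP-side LIS that only sees public addresses.
# 192.0.2.0/24 is a residential access network (one WAN address per line), with
# a per-line entry for 192.0.2.45. 198.51.100.0/24 is another access network,
# but 198.51.100.7 is the egress of an enterprise NAT serving many sites.
# 203.0.113.0/24 is a VPN concentrator's client pool.
public_lis = Lis(
    locatable={
        "192.0.2.0/24": "access network A (street level)",
        "192.0.2.45/32": "123 Main St, residential line 45",
        "198.51.100.0/24": "access network B (street level)",
    },
    not_locatable=["198.51.100.7/32", "203.0.113.0/24"],
)

# Constructed deployment 2: the enterprise's own LIS placed on the private side
# of its NAT, so it sees RFC 1918 addresses and can map buildings. Its remote
# access VPN hands teleworkers addresses from 10.9.0.0/16, which must not be
# answered because those clients are anywhere.
enterprise_lis = Lis(
    locatable={"10.1.0.0/16": "Building 1", "10.2.0.0/16": "Building 2"},
    not_locatable=["10.9.0.0/16"],
)

if __name__ == "__main__":
    for lis, ip in [(public_lis, "192.0.2.45"), (public_lis, "198.51.100.7"),
                    (public_lis, "203.0.113.20"), (enterprise_lis, "10.9.0.3"),
                    (enterprise_lis, "10.2.7.1")]:
        print(ip, "->", lis.respond(ip))
```

The `notLocatable` answer is deliberately not `locationUnknown`: the former tells the device that this LIS will never be able to locate it at that address, which is exactly the signal a VPN-connected client needs in order to fall back to querying before the tunnel is up or to a LIS on its own side of the NAT, as the message recommends.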

Geopriv mailing list
Received on Wed, 7 Nov 2007 10:52:17 -0500

This archive was generated by hypermail 2.1.8 : Wed Nov 07 2007 - 10:53:06 EST