
Re: An idea: GxSE



> Why not bind the SK if it's globally unique?  There is 1 SK, and multiple
> GR's.  Why not bind only the SK's and keep a table of valid GR's, so you
> know that it is truly valid?

We may be talking at cross purposes.  What is the difference in your mind
between binding to the SKs and GRs versus binding to the SK and keeping a
table of GRs?

>
> This is the description of an SCTP association.  This is almost exactly
> SCTP through NAT.

Yes.

> My suggestion above takes a similar idea, but lets the
> network do most of the multihoming instead of the protocol.  Otherwise
> you're basically talking about using NAT and SCTP together and calling it
> something else, with a few small tweaks and dropping the heartbeat, etc.
>

Could you give me a clear explanation of your suggestion?  I don't
understand it.


Also, regarding Add IP (another message from you about SCTP came in while I
was replying to this one...), you can't do this securely unless there is a trust
relationship.  Otherwise any spoofer can send a packet out of the blue with
its GR and somebody else's SK and hijack the connection.  Maybe this is what
you mean by "bind to the SK only"---allow any GR to be used once the SK is
established?

The reason GxSE binds the whole list of addresses from the beginning is to
prevent spoofing.  If we have the luxury of establishing a secure
relationship between both ends, then we may as well use HIP.
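The hijack described in the message above, modelled as an added example (this is not code from the GxSE proposal, from SCTP, or from either correspondent). The message does not define SK or GR, so the model assumes SK is a globally unique endpoint identifier and GR is one of possibly several routable addresses belonging to that endpoint; the policy names, the `accept` and `add_ip_tag` functions and the sample identifiers are all constructed for illustration. It compares three ways an association can decide whether an unknown GR belongs to a peer: accepting any GR once the SK matches ("bind to the SK only"), a GxSE-style list fixed at setup, and, going one step beyond the message, an authenticated add that only works once a shared secret exists, which is the "trust relationship" the message says is required.

```python
"""Toy model of address binding in a multihomed association.

Constructed example, not the GxSE or SCTP code.  Assumptions:
  * SK: globally unique identifier of one endpoint (1 per endpoint).
  * GR: a routable address; an endpoint may have several.
  * A packet carries the sender's (SK, GR).  "Hijack" means an attacker's
    own GR becomes an accepted address for the victim's association.
"""
import hashlib
import hmac
from dataclasses import dataclass

SK_ONLY = "sk_only"                  # any GR accepted once the SK matches
BOUND_LIST = "bound_list"            # GxSE-style: list fixed at setup
AUTHENTICATED_ADD = "authenticated_add"  # add needs a MAC under a shared secret


@dataclass
class Association:
    peer_sk: str
    peer_grs: set           # GRs bound to the peer
    policy: str
    shared_secret: bytes = b""   # only meaningful under AUTHENTICATED_ADD


def add_ip_tag(secret: bytes, sk: str, gr: str) -> bytes:
    """MAC over the (SK, GR) pair being added.  Models an authenticated
    address add; only possible after a trust relationship (secret) exists."""
    return hmac.new(secret, f"{sk}|{gr}".encode(), hashlib.sha256).digest()


def accept(assoc: Association, src_sk: str, src_gr: str, tag: bytes = b"") -> bool:
    """Decide whether a packet from (src_sk, src_gr) belongs to assoc.
    Under the add-capable policies an accepted unknown GR is bound."""
    if src_sk != assoc.peer_sk:
        return False                      # wrong identifier: never ours
    if src_gr in assoc.peer_grs:
        return True                       # already-bound address
    if assoc.policy == SK_ONLY:
        # The behaviour the message warns about: an out-of-the-blue packet
        # carrying the victim's SK rebinds the peer to the sender's GR.
        assoc.peer_grs.add(src_gr)
        return True
    if assoc.policy == BOUND_LIST:
        return False                      # unknown GR, list is fixed: drop
    if assoc.policy == AUTHENTICATED_ADD:
        expected = add_ip_tag(assoc.shared_secret, src_sk, src_gr)
        if tag and hmac.compare_digest(tag, expected):
            assoc.peer_grs.add(src_gr)
            return True
        return False
    raise ValueError(f"unknown policy {assoc.policy!r}")


def hijack_attempt(policy: str) -> bool:
    """Constructed scenario: peer 'B' has addresses gr-b1 and gr-b2.  An
    attacker at gr-evil sends a packet out of the blue claiming SK 'B',
    once with no tag and once with a tag under a guessed secret.
    Returns True if the attacker's GR ends up bound to the association."""
    assoc = Association("B", {"gr-b1", "gr-b2"}, policy, shared_secret=b"real-secret")
    accept(assoc, "B", "gr-evil")
    accept(assoc, "B", "gr-evil", add_ip_tag(b"guessed-secret", "B", "gr-evil"))
    return "gr-evil" in assoc.peer_grs


def legitimate_add(policy: str) -> bool:
    """Peer 'B' genuinely acquires gr-b3 and announces it with a correct tag.
    Returns True if the new address is accepted and bound."""
    assoc = Association("B", {"gr-b1"}, policy, shared_secret=b"real-secret")
    tag = add_ip_tag(b"real-secret", "B", "gr-b3")
    return accept(assoc, "B", "gr-b3", tag) and "gr-b3" in assoc.peer_grs
```

Only `SK_ONLY` lets the spoofed packet through, which is the hijack the message describes; `BOUND_LIST` stops it at the cost of refusing every later address change, which is the trade GxSE makes; `AUTHENTICATED_ADD` gets both properties but only because a secret was established first, which is exactly the trust relationship the message says you cannot do without (and the reason it points to HIP when that relationship is available).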