Re: 64-bit identifiers
 In your previous mail you wrote:

   The transport multihoming, SCTP, and GxSE seem to all be based on
   the identifier being a *set of* IP addresses, where the set is
   determined when the communication is initiated.
   I think this is a very interesting space to continue to explore
   to understand the differences between the ideas/proposals.
   Such approaches would need a separate mechanism for handling renumbering
   of long-lived connections since that would require securely changing the set.
   (But my gut feel is that whatever secure solution we are comfortable
   with for Mobile IPv6 binding updates effectively "redirecting" traffic, can
   be applied to changes in the set of addresses identifying the connection.)

=> low overhead (i.e. BAKE, SUCV) proposals won't apply (no home agent),
higher overhead (i.e. IKE, HIP) proposals provide the required security
level but rely on a global PKI... I really don't know which is worse:
to accept MITM attacks or to wait for DNSSEC?

   Has the NSRG explored using sets of IP addresses as the identifiers?
   Or are they focused on the issues of inventing a new name space?

=> obviously HIP & co. follow the second (a new name space with crypto
properties which give opportunistic modes for security).

Regards

Francis.Dupont@enst-bretagne.fr