Re: Draft: PI addressing derived from AS numbers
> Unless you start using multiple headers (which is sort of already specified,
> which is why I like 16+16, although it has all the obvious "source routing"
> security bugs), there's only a single IPv6 address field in "IPv6
> *unmodified*", so it's kind of hard to do both with one field.

HIP can help with the "source routing" security bugs.

One question in my mind is whether that type of approach requires
IPsec protection of every packet, or if one can limit this to a subset
of the packets (like the TCP SYN/SYN-ACK exchange).

Another question, once we have the architectural 16+16 picture clear,
is whether it is possible to do "header compression" to avoid having 4*16
bytes of identifiers+locators in every packet.

A third question is whether one can make this work with both hosts doing
16+16 (which might provide a stronger security binding) and site border
routers doing it (which would be easier to deploy using existing IPv6
implementations in the hosts).

I'll stop now,
Erik