[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Draft: PI addressing derived from AS numbers
On Friday, Feb 21, 2003, at 11:09 America/Montreal, Erik Nordmark wrote:
HIP can help with the "source routing" security bugs.
AH can also do that without changes -- the trick for AH and HIP is
key management, as always with security gorp.
In fact, AH was designed to be able to authenticate *any* IP extension
header (or option). ESP can only authenticate stuff inside the ESP
payload.
This difference between AH and ESP (null-encryption) is not as widely
understood as maybe it ought to be.
One question in my mind is whether that type of approach requires
IPsec protection of every packet, or if one can limit this to a subset
of the packets (like the TCP SYN/SYN-ACK exchange).
Unclear to me how one avoids cryptographic on each source-routed packet.
On the other hand, 16+16 or 8+8 doesn't necessarily involve
source-routing.
Another question, once we have the architectural 16+16 picture clear,
is whether it is possible to do "header compression" to avoid having
4*16
bytes of identifiers+locators in every packet.
The other approach would be to run with 8+8. If 16+16 works, 8+8
can also work since they are architecturally the same.
A third question is whether one can make this work with both hosts
doing
16+16 (which might provide a stronger security binding) and site border
routers doing it (which would be easier to deploy using existing IPv6
implementations in the hosts).
I don't follow that sentence.
Ran
rja@extremenetworks.com