
Re: Draft: PI addressing derived from AS numbers



On Friday, Feb 21, 2003, at 11:09 America/Montreal, Erik Nordmark wrote:
> HIP can help with the "source routing" security bugs.

AH can also do that without changes -- the trick for AH and HIP is
key management, as always with security gorp.

In fact, AH was designed to be able to authenticate *any* IP extension
header (or option). ESP can only authenticate stuff inside the ESP payload.
This difference between AH and ESP (null-encryption) is not as widely
understood as maybe it ought to be.

> One question in my mind is whether that type of approach requires
> IPsec protection of every packet, or if one can limit this to a subset
> of the packets (like the TCP SYN/SYN-ACK exchange).

Unclear to me how one avoids cryptography on each source-routed packet.
On the other hand, 16+16 or 8+8 doesn't necessarily involve source-routing.

> Another question, once we have the architectural 16+16 picture clear,
> is whether it is possible to do "header compression" to avoid having 4*16
> bytes of identifiers+locators in every packet.

The other approach would be to run with 8+8.  If 16+16 works, 8+8
can also work since they are architecturally the same.

> A third question is whether one can make this work with both hosts doing
> 16+16 (which might provide a stronger security binding) and site border
> routers doing it (which would be easier to deploy using existing IPv6
> implementations in the hosts).

I don't follow that sentence.

Ran
rja@extremenetworks.com
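
The AH versus ESP (null-encryption) coverage difference described in the message above, as an added example that is not part of the original post: a simplified Python model of what each integrity check value covers when a routing header precedes the security header. The key, addresses, payload, SPI and all helper names are constructed for illustration, and the AH and ESP headers are reduced to SPI plus sequence number.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"  # constructed sample key; real SAs get keys from key management

def addr(text):
    return ipaddress.IPv6Address(text).packed

def ipv6_header(src, dst, next_hdr, payload_len, hop_limit):
    # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, hop_limit) + src + dst

def zero_mutable(ip6):
    # AH hashes the base header with traffic class, flow label and hop limit set to zero
    return struct.pack("!I", 6 << 28) + ip6[4:7] + b"\x00" + ip6[8:]

def routing_header(next_hdr, hop):
    # constructed routing header with one intermediate address (simplified: treated
    # as fixed bytes; real AH hashes it in the form it will have at the receiver)
    return bytes([next_hdr, 2, 0, 1]) + bytes(4) + hop

def icv(data):
    # HMAC-SHA-256 truncated to 128 bits
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def ah_icv(ip6, ext_hdrs, spi_seq, payload):
    # AH coverage: immutable base-header fields, extension headers, AH fields, payload
    return icv(zero_mutable(ip6) + b"".join(ext_hdrs) + spi_seq + payload)

def esp_null_icv(spi_seq, payload):
    # ESP coverage: ESP header (SPI, sequence number) and what follows it, nothing before
    return icv(spi_seq + payload)

def check(received_hop, hop_limit=64):
    """Return (ah_ok, esp_ok) when the routing header arrives carrying received_hop."""
    src, dst = addr("2001:db8::1"), addr("2001:db8::2")
    spi_seq, payload = struct.pack("!II", 0x1000, 1), b"constructed upper-layer data"
    def icvs(hop, hlim):
        rh = routing_header(51, addr(hop))
        ip6 = ipv6_header(src, dst, 43, len(rh) + len(spi_seq) + len(payload), hlim)
        return ah_icv(ip6, [rh], spi_seq, payload), esp_null_icv(spi_seq, payload)
    sent_ah, sent_esp = icvs("2001:db8::99", 64)
    rcvd_ah, rcvd_esp = icvs(received_hop, hop_limit)
    return hmac.compare_digest(sent_ah, rcvd_ah), hmac.compare_digest(sent_esp, rcvd_esp)

if __name__ == "__main__":
    print(check("2001:db8::99", hop_limit=3))   # unmodified path, hop limit decremented
    print(check("2001:db8::bad"))               # routing header rewritten in transit
```

In this model a rewritten routing header fails the AH check while the ESP check still passes, and a decremented hop limit fails neither.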