Re: Draft: PI addressing derived from AS numbers
> Unclear to me how one avoids cryptographic on each source-routed packet.
> On the other hand, 16+16 or 8+8 doesn't necessarily involve
> source-routing.
Sorry, I was reusing Noel's "source routing bugs" term.
The issue is with the decoupling of identifiers and locators opening up
a type of spoofing attack which isn't present when identifier=locator.
The nature of this is similar to source routing attacks, which is why
I think Noel was using that expression.
> > A third question is whether one can make this work with both hosts
> > doing 16+16 (which might provide a stronger security binding) and site
> > border routers doing it (which would be easier to deploy using existing
> > IPv6 implementations in the hosts).
>
> I don't follow that sentence.
Assume you are going to do 16+16 with reasonable security.
One choice would be to have 16+16 addresses/headers end-to-end.
Another choice would be to have boxes in the middle (such as border routers)
add and remove the outer addresses/headers.
My question is whether this can be done.
Erik