[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HIP and PKI reqs [RE: Identifier/locator recap]



Pekka Savola wrote:
However, my complaint with HIP model is that it seems so closely tied to
ESP and security.  Is it possible to use HIP without IPsec ESP?  Or do you
have to use ESP with null encryption?
There is no architectural reasons why you couldn't use HIP
without ESP.  For example, you could use two IP headers,
the inner one carrying HIP ids (HITs) and the outer one
locators, i.e. conventional IP addresses.   However, what's
the point, it would take 40 bytes, and ESP takes less.  You
can always use ESP with null encryption, and even with no
integrity protection if you really want.

Now, we have had some loose chat about how to use HIP without
any extra headers, i.e. just an IP header followed by TCP/UDP.
However, given that we would have to be prepared to talk to both
HIP enabled and non-HIP enabled hosts at the same time, it would
require some trickery at the kernel, and that might be brittle.

If you loose security requirements even more, it would even be
possible to use opportunistic HIP without the Diffie-Hellman
key exchange, but that would be vulnerable to bidding down
attacks.  Thus, I haven't bothered to think about that any further.

--Pekka Nikander