On Mon, 17 Mar 2003, Pekka Nikander wrote:
> Uhh, no. HIP requires either DNSsec or opportunistic key distribution a
> la SSH.
> Opportunistic key distribution a la SSH works pretty well.
It works a lot less well if you don't have local storage to keep the
keys, or if node A wants to refer node B to node C.
The problem I see with HIP is that you can't initiate a session with
just the identifier to identify the host you want to communicate with.
Now that would be fine if it were possible to feed this identifier to a
lookup engine and get back something you _can_ use to initiate a
session. But this isn't possible either. So effectively the HIP
identifier serves no identifying purpose.
> Summary: HIP without DNSsec or PKI can provide security
> for mobility and/or multi-homing that is acceptable according
> to the current security requirements.
Cool. Now if only it could provide functionality...
Note that I'm not anti-HIP. I'm sure there are problems that can be
solved by HIP. But it can't be a general solution for multihoming as it
only moves the problem to a different area.
Iljitsch
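The point argued in this message, as an added illustration that is not part of the thread and not HIP code: an identifier derived from a host's public key is self-certifying (given the key, anyone can check it against the identifier with no third party), but it carries no location, so a node that is only handed the identifier by a referral cannot start a session unless some lookup engine maps it to an address. The identifier construction is a simplified stand-in for a HIT (a truncated SHA-256 of a byte string standing in for the public key), and the node names, keys and addresses are constructed sample data.

```python
"""Added example (not from the original thread): a HIP-style host identifier
modelled as a hash of a public key, an SSH-style opportunistic key store, and
the referral case where a bare identifier is not enough to initiate a session.
The identifier construction and key format are simplifications, not the real
HIT definition; all nodes, keys and addresses are constructed sample data."""
import hashlib
from typing import Callable, Dict, Optional


def host_identifier(public_key: bytes) -> str:
    # Simplified stand-in for a HIT: a truncated hash of the host's public key.
    return hashlib.sha256(public_key).hexdigest()[:32]


def key_matches_identifier(public_key: bytes, identifier: str) -> bool:
    # Self-certifying property: a key can be checked against the identifier
    # locally, with no DNS or PKI involved.
    return host_identifier(public_key) == identifier


class OpportunisticStore:
    """SSH known_hosts style: pin the first key seen for an identifier."""

    def __init__(self) -> None:
        self.pinned: Dict[str, bytes] = {}  # identifier -> public key

    def accept(self, identifier: str, public_key: bytes) -> bool:
        if not key_matches_identifier(public_key, identifier):
            return False  # key does not belong to this identifier at all
        if identifier in self.pinned:
            return self.pinned[identifier] == public_key  # must match the pin
        self.pinned[identifier] = public_key  # trust on first use
        return True


class Node:
    def __init__(self, name: str, public_key: bytes, address: str) -> None:
        self.name = name
        self.public_key = public_key
        self.address = address
        self.identifier = host_identifier(public_key)
        self.store = OpportunisticStore()
        self.addresses: Dict[str, str] = {}  # identifier -> address, learned earlier


def resolve(node: Node, identifier: str,
            lookup: Optional[Callable[[str], Optional[str]]] = None) -> Optional[str]:
    """Find an address for an identifier: local knowledge first, then an
    optional external lookup engine (what secured DNS would provide).
    With neither, the identifier alone gives nothing to send packets to."""
    if identifier in node.addresses:
        return node.addresses[identifier]
    if lookup is not None:
        return lookup(identifier)
    return None


def referral_scenario():
    """A knows C and refers B to C by identifier only.  Returns
    (address B gets without a lookup engine, address with one,
     whether B could verify C's key afterwards, whether a forged key passes)."""
    a = Node("A", b"constructed-key-of-A", "2001:db8::a")
    b = Node("B", b"constructed-key-of-B", "2001:db8::b")
    c = Node("C", b"constructed-key-of-C", "2001:db8::c")

    # A has talked to C before: it knows C's address and has pinned C's key.
    a.addresses[c.identifier] = c.address
    a.store.accept(c.identifier, c.public_key)

    referral = c.identifier  # all that A passes on to B

    without_lookup = resolve(b, referral)  # None: B cannot initiate a session
    directory = {c.identifier: c.address}  # stands in for a lookup engine
    with_lookup = resolve(b, referral, directory.get)

    # Once B can reach C and obtains its key, the identifier lets B verify it.
    verified = with_lookup is not None and b.store.accept(referral, c.public_key)
    # A key that does not hash to the identifier is rejected regardless.
    forged = b.store.accept(referral, b"constructed-key-of-mallory")
    return without_lookup, with_lookup, verified, forged


if __name__ == "__main__":
    print(referral_scenario())
```

The store handles first contact and key changes without any infrastructure, which is the "acceptable security" half of the argument; the `resolve` step is where the functionality gap sits, since nothing in the identifier itself yields an address.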