
RE: MAST and mip based solution



Hi Spencer,

> -----Original message-----
> From: owner-multi6@ops.ietf.org [mailto:owner-multi6@ops.ietf.org] On
> behalf of Spencer Dawkins
> Sent: Thursday, 18 September 2003 16:16
> To: multi6@ops.ietf.org
> Subject: Re: MAST and mip based solution
>
>
> >
> > About mip for multi-homing.
> > Yes, mip has some issues when trying to use it for multi-homing.
> >
> > If you assume that an end-host solution is required (i include here
> > solutions that use some form of proxy in the site's network), you
> > will find that it is very difficult to provide a solution that
> > doesn't introduce new security issues.
>
> [deleted down to ]
>
> > The other option is to use a solution that it is not as secure as we
> > would like.
>
> This is only my opinion, but I would expect we would get more
> simplification from dropping the requirement to support simultaneous
> movement at both ends than we would from relaxing security - the
> requirement for a rendezvous function in the network comes from
> simultaneous movement, and that gives us dependencies on network
> infrastructure changes.
>

Actually, I would be satisfied if we could build a solution to provide just
multi-homing support (i.e., a solution for multi-homing without support for
mobility (note that this is the charter of this wg :-)), but I think that
this is also very hard with the current security requirements.
So, I agree with you, simultaneous movement is really a plus plus...

> The vast majority of today's mobile ("portable") users have TCP
> connections on IPv4 devices that break when they cross subnet
> boundaries. Supporting movement at one end would be an improvement.
> Supporting simultaneous movement at both ends would be lovely, but so
> far, we haven't widely deployed a solution that provides that
> capability. Meanwhile, they continue to run client-server applications
> with short connection lifetimes because that's what works in today's
> networks.
>
> End-to-end MAST really could help us move to peer-to-peer applications
> in many, but not all, environments. MIP is certainly a more complete
> solution, and I'm not bashing MIP here, only suggesting that MAST may
> really have a role for multihoming support, without reducing security.

Here is where we disagree. I don't think you can provide the current ipv4
level of security with mast if you don't use cryptographically generated
identifiers, i.e., HIP.

But let's try to do it.
Let's try to define a security solution for MAST and see what happens (I am
willing to contribute).
But unless we come up with some new thinking here, we have a very similar
problem to what the mip people had when they were designing mip, so probably
we will end up in the same place, with the same problems, but I guess we can
only be sure of this if we try.

> MAST or HIP? I think that's the question for multihoming.
>

For me there are many questions, but if you are considering end-host based
solutions, the question is mip-type or hip-type, meaning by mip-type those
solutions that don't use crypto identifiers and use other means to provide
security and hip-type those solutions that use crypto identifiers.

Regards, marcelo

> Just my opinion here, and not all that clearly thought out...
>
> Spencer