
RE: Security requirements for identification



> If you use a transient identifier, actually you are using two identifiers:
> first the IP address as a permanent identifier to recognize the host and
> then the transient identifier to recognize the host when it changes its
> address.
> 
> So I guess that what is needed is:
> - a permanent identifier (so you can talk with who you really want to talk)
> - A locator (so you can reach it)
> - something to bind them (which can be a transient identifier, but you can
> use some other stuff)
> 
> So I would say that ephemeral identifiers are not enough to provide
> identification support for multi-homing and mobility support, we need more,
> i.e. permanent identifiers.

I think the security requirements are far from clear.

What is clear is that a mechanism that allows connections to survive
multihoming by being able to replace the identifiers that are used for a
connection, needs to prevent redirection attacks where a connection is
accidentally or maliciously redirected to somebody else.

What is also clear is that any new system for mapping identifiers to
locators needs to be concerned about security so that the chain
of starting with a FQDN and ending up with a packet received at the
peer isn't weaker than it is today, and that DNSsec applied to the parts
(e.g. FQDN->identifier lookup) can help make the security of that chain
stronger.

But the security requirements beyond this depend on what else we want
to use the locators for.
One possible use is a stable handle on a peer that has a longer lifetime
than both the locators and the FQDNs; if a node receives a packet
from an identifier and it's the same identifier as was used 3 years ago, the
node can be sure it is the same node.

Another possible use is as a handle into some policy where the identifier
might have some hierarchy so that a node can tell e.g. whether a peer's
identifier belongs to the same or different site as the node.

So I don't know if we have consensus that we need long-term stable identifiers
as part of id/locator separation. Perhaps we need multiple flavors of
identifiers with some being long-term stable.

  Erik