
RE: Security requirements for identification




Hi Erik,

> -----Original Message-----
> From: Erik Nordmark [mailto:Erik.Nordmark@sun.com]
> Sent: Thursday, 25 September 2003 23:15
> To: mbagnulo@ing.uc3m.es
> CC: Pekka Nikander; Multi6 WG; hipsec@honor.trusecure.com
> Subject: RE: Security requirements for identification
>
>
> > If you use a transient identifier, actually you are using two identifiers:
> > first the IP address as a permanent identifier to recognize the host and
> > then the transient identifier to recognize the host when it changes its
> > address.
> >
> > So I guess that what is needed is:
> > - a permanent identifier (so you can talk with who you really want to talk)
> > - A locator (so you can reach it)
> > - something to bind them (which can be a transient identifier, but you can
> > use some other stuff)
> >
> > So I would say that ephemeral identifiers are not enough to provide
> > identification support for multi-homing and mobility support, we need more,
> > i.e. permanent identifiers.
>
> I think the security requirements are far from clear.
>

Agree, but I think we are making some progress here.
I think it would be a good idea to accept Pekka's offer, and put some of his
postings in an ID format. IMHO this could be a good starting point to
understand the requirements.

> What is clear is that a mechanism that allows connections to survive
> multihoming by being able to replace the identifiers that are used for a
> connection, needs to prevent redirection attacks where a connection is
> accidentally or maliciously redirected to somebody else.
>
> What is also clear is that any new system for mapping identifiers to
> locators needs to be concerned about security so that the chain
> of starting with a FQDN and ending up with a packet received at the
> peer isn't weaker than it is today,

We should also preserve the security of communications that don't use the
DNS, i.e. they use IP addresses directly. I mean, it is safer to use IP
addresses directly than to use names (without DNS). This capability has to be
preserved. This means that not only does the chain starting from a FQDN and
ending in the packet delivery have to remain as safe as it is today, but it
also has to be possible to establish a communication with the same level of
security as the one obtained today when sending packets directly to IP
addresses without using the DNS.

> and that DNSsec applied to the parts
> (e.g. FQDN->identifier lookup) can help make the security of that chain
> stronger.
>
> But the security requirements beyond this depend on what else we want
> to use the locators for.
> One possible use is a stable handle on a peer that has a longer lifetime
> than both the locators and the FQDNs; if a node receives a packet
> from an identifier and it's the same identifier as was used 3 years ago, the
> node can be sure it is the same node.
>
> Another possible use is as a handle into some policy where the identifier
> might have some hierarchy so that a node can tell e.g. whether a peer's
> identifier belongs to the same or different site as the node.
>
> So I don't know if we have consensus that we need long-term stable identifiers
> as part of id/locator separation.

OK, this depends on what you call stable.
But I guess we agree that in order to be able to establish a communication,
the initiating party has to be capable of identifying the other party, so
that it can define who he wants to talk to. This means that some form of
stable identifier is needed at least for the server party of the
communication.

Perhaps we can see the IPv4 situation and evaluate which kind of identifiers
are needed.
An interesting point is that some hosts never have a permanent identifier and
perhaps they don't need it (for instance, hosts through dial-up with DHCP).
On the other hand, servers need stable identifiers so they can be reached.

> Perhaps we need multiple flavors of
> identifiers with some being long-term stable.
>

Indeed, perhaps we do.

Thanks, marcelo

>   Erik
>