
RE: Identifiers



Hi Erik,

> Also, if it were possible today to know that the source IP address were a
> genuine IP address, then that would strengthen a deployment's
> security posture.

Well, the multi6 problem is already pretty difficult as it is, so I would
say that achieving additional goals like what you are mentioning is a plus
but it is not a requirement.


> That is, today we can't know if many attacks are using spoofed
> addresses or not.
> However, if we could know that the source address was not valid,
> then we could identify that packet as being an attack and discard/ignore it
> (e.g., during a (D)DoS attack). Our security posture would be further
> improved if we could know that the claimed sender did indeed send that
> packet (i.e., non-repudiation; i.e., knowing whether a genuine address
> was being spoofed or not).
>
> Changing topics, I am confused (perhaps because I am a newbie on this list)
> by the earlier discussion about authentication and authorization. I
> would have thought that we would be using IPSec (whether AH or ESP) for
> situations requiring authentication at the network layer. Is there a reason
> why we aren't using IPSec but rather need an alternative network
> layer provision?

HIP uses IPSec ESP headers, but some other solutions use alternative
formats, for optimization, for instance.

Regards, marcelo
