Re: Identifiers



marcelo bagnulo wrote:
> 
> > My intent is to observe that for the problem this WG is supposed to
> > solve, we don't care whether the claimed identifier at the beginning
> > of a session is genuine. What we care about (rather like TLS) is whether
> > the two communicating entities remain the same even if the session suffers
> > a rehoming event. I don't think we are disagreeing.
> 
> I think that we may not care if the source address is genuine but we do care
> that the destination address is genuine. I mean, if I know that the address
> IPA belongs to www.foo.com (suppose that I have learned it through the DNS),
> I want that when I send packets to IPA they get to www.foo.com. It would be
> bad that because of multihoming mechanisms, when I start sending packets to
> IPA, they end up somewhere else.
> 
> The point is that if we care about destination addresses being genuine, we
> may also need to care about source addresses being genuine, depending on the
> sense of direction that the considered solution has. I mean, if the source
> address of established communications will be used as destination address
> for following communications, if an attacker succeeds in convincing a victim
> that IPA is one of its source addresses, following communications
> established by the victim to IPA will be routed to the attacker.

My assumption is certainly that we can trust the first address pair, to
exactly the extent that we can trust it in a non-multihomed case. Is
that a wrong assumption?

This should be made explicit one way or the other in the threats draft.

   Brian