
Re: Identifiers



marcelo bagnulo wrote:
> 
> Hi Eliot,
> 
> > It sounds like Brian started pretty darn close to where I would be:
> >
> >  > My assumption is certainly that we can trust the first address pair,
> >  > to exactly the extent that we can trust it in a non-multihomed case.
> >  > Is that a wrong assumption?
> >
> > I think a good solution in this space would not weaken the authenticity
> > of any existing identifiers.
> 
> I guess that I don't understand Brian's statement, then.
> 
> I mean, suppose that you have host A that uses IPA to initiate a
> communication with host B sending packets to IPB.
> So, Host B receives packets coming from IPA and it sends replies to IPA.
> So far so good, Host B doesn't have a strong confirmation that IPA is really
> the genuine identifier of HostA, 

Correct. That is how the Internet works. Multi6 doesn't have to fix that.
We have to make sure that *if* the host we contact using IPA subsequently
asserts that it can also be contacted using IPZ, that assertion is true.

The analogy with TLS is very strong - whoever we started talking to,
we continue to talk to. If we start talking to a bogus host, we continue
talking to the same bogus host when multihoming occurs.

   Brian
> but Host B knows that Host A can receive
> packets addressed to IPA. That is the way it works for fixed hosts and that
> is the level of security we should preserve I guess.
> 
> Now the problem is how do we translate this requirement to a multihomed
> environment.
> 
> Suppose the same scenario where HostA initiates a communication with HostB
> using IPA and IPB respectively. They exchange some packets, so Host B knows
> that Host A is reachable at IPA.
> 
> Moreover, HostB is using as a ULP identifier IPA.
> 
> Now, using some kind of multihoming mechanism, Host A tells HostB that he is
> also reachable at IPC. Moreover, Host A can strongly prove that he is the
> same that initiated the communication using IPA (i.e. that the same entity
> who was at IPA is also at IPC)
> 
> Finally, HostA starts using IPC as source address in its packets, so HostB
> starts preferring IPC over IPA to use as destination address to reach HostA
> (instead of changing the IP address an alternative signaling mechanism can
> be used to switch addresses)
> 
> So my question now is: do you think that HostB, once it is sending packets
> only to IPC and knowing that it is the same entity that initiated the
> communication using IPA, should still believe that he is communicating with
> IPA?
> 
> Regards, marcelo
> 
>  And this is why I liked NOID.  You want
> > strong security?  The claim is that it will work with DNSSEC for
> > verification.
> >
> > Beyond that, if you have an existing line of communication between you
> > and a host, wouldn't PBKs provide a secure means by which one could
> > privately pass additional information?  If it does, it provides some
> > really nice generality for the above.  For instance, if you use some
> > very secure mechanism to establish connectivity then PBKs could provide
> > continued assurance.  And if you were out in the open, PBKs provide less
> > assurance (e.g., you still end up with potential MITM attacks).
> >
> > Regards,
> >
> > Eliot
> >
> >
> >

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter 
Distinguished Engineer, Internet Standards & Technology, IBM
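
The continuity property discussed in this message, as an added example that is not from the thread or from any multi6 proposal: host B binds an unauthenticated key at first contact via IPA and accepts a later "also reachable at IPC" assertion only if that same key signed it. Ed25519 stands in for a PBK-style ephemeral key; the `Session` type, the message format and the 2001:db8:: documentation addresses are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Session is host B's per-peer state (hypothetical type, not from any draft).
type Session struct {
	firstLocator string            // address the exchange started on (IPA)
	peerKey      ed25519.PublicKey // ephemeral key seen at first contact, tied to no identity
	locators     map[string]bool   // addresses B will send to for this peer
}

// NewSession records whatever key arrived with the first packets from firstLocator.
// Nothing proves who owns it: trust is exactly that of the non-multihomed case.
func NewSession(firstLocator string, key ed25519.PublicKey) *Session {
	return &Session{firstLocator, key, map[string]bool{firstLocator: true}}
}

// updateMsg is the byte string the peer signs (constructed format).
func updateMsg(first, added string) []byte {
	return []byte("add-locator|" + first + "|" + added)
}

// AddLocator accepts a new address only when the update verifies under the key
// bound at first contact, i.e. it comes from whoever B started talking to.
func (s *Session) AddLocator(added string, sig []byte) error {
	if len(s.peerKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(s.peerKey, updateMsg(s.firstLocator, added), sig) {
		return errors.New("locator update not signed by first-contact key")
	}
	s.locators[added] = true
	return nil
}

// Demo runs one valid update from the first-contact peer and one from a third party.
func Demo() (s *Session, okErr, badErr error) {
	pubA, privA, _ := ed25519.GenerateKey(nil) // whoever answered at IPA (genuine or not)
	_, privX, _ := ed25519.GenerateKey(nil)    // unrelated third party
	s = NewSession("2001:db8:a::1", pubA)
	good := ed25519.Sign(privA, updateMsg("2001:db8:a::1", "2001:db8:c::1"))
	bad := ed25519.Sign(privX, updateMsg("2001:db8:a::1", "2001:db8:ff::1"))
	return s, s.AddLocator("2001:db8:c::1", good), s.AddLocator("2001:db8:ff::1", bad)
}

func main() {
	_, okErr, badErr := Demo()
	fmt.Println(okErr, badErr)
}
```

The check says nothing about whether the holder of the first-contact key is the genuine owner of IPA; it only prevents a different party from adding locators to an exchange already in progress.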