Hi Eliot,
It sounds like Brian started pretty darn close to where I would be:
> My assumption is certainly that we can trust the first address pair,
> to exactly the extent that we can trust it in a non-multihomed case.
> Is that a wrong assumption?
I think a good solution in this space would not weaken the authenticity
of any existing identifiers.
I guess that I don't understand Brian's statement, then.
I mean, suppose that you have host A that uses IPA to initiate a
communication with host B sending packets to IPB.
So, Host B receives packets coming from IPA and it sends replies to IPA.
So far so good, Host B doesn't have a strong confirmation that IPA is really
the genuine identifier of HostA, but Host B knows that Host A can receive
packets addressed to IPA. That is the way it works for fixed hosts and that
is the level of security we should preserve, I guess.
Now the problem is how do we translate this requirement to a multihomed
environment.
Suppose the same scenario where HostA initiates a communication with HostB
using IPA and IPB respectively. They exchange some packets, so Host B knows
that Host A is reachable at IPA.
Moreover, HostB is using as a ULP identifier IPA.
Now, using some kind of multihoming mechanism, Host A tells HostB that he is
also reachable at IPC. Moreover, Host A can strongly prove that he is the
same that initiated the communication using IPA (i.e. that the same entity
who was at IPA is also at IPC).
Finally, HostA starts using IPC as source address in its packets, so HostB
starts preferring IPC over IPA to use as destination address to reach HostA
(instead of changing the IP address an alternative signaling mechanism can
be used to switch addresses).
So my question now is: do you think that HostB, once it is sending packets
only to IPC and knowing that it is the same entity that initiated the
communication using IPA, should still believe that he is communicating with
IPA?
Regards, marcelo
And this is why I liked NOID. You want
strong security? The claim is that it will work with DNSSEC for
verification.
Beyond that, if you have an existing line of communication between you
and a host, wouldn't PBKs provide a secure means by which one could
privately pass additional information? If it does, it provides some
really nice generality for the above. For instance, if you use some
very secure mechanism to establish connectivity then PBKs could provide
continued assurance. And if you were out in the open, PBKs provide less
assurance (e.g., you still end up with potential MITM attacks).
Regards,
Eliot